MedData Pays $7 Million to Resolve Class Action Data Breach Lawsuit
Revenue cycle management company MedData based in Spring, TX consented to pay $7 million to resolve a class action lawsuit associated with the breach of the personal data and health data of 136,000 people on a public-facing site.
MedData assists healthcare providers and health plans through the processing of Medicaid qualification, workers’ compensation, third-party liability, and patient medical billing, which includes healthcare providers and health plans like Aspirus Health Plan, Memorial Hermann, the University of Chicago Medical Center, and OSF HealthCare. The member and patient data of all HIPAA-covered entities were compromised by MedData.
From December 2018 to September 2019, a MedData staff accidentally saved the information to personal files on GitHub Arctic Code Vault, which is a part of the GitHub website that is open to the public. The information stayed there without protection and was exposed for over a year. A security researcher advised MedData about the exposed data on December 10, 2020. On December 17, 2020, the files were deleted from GitHub.
MedData has experienced 5 class action lawsuits related to the data breach. Four of the lawsuits were dismissed. This revised lawsuit is the last action against MedData associated with the data breach. Based on the conditions of the settlement, class members can select any of the two payment tiers. The first choice permits class members to get a refund for recorded, unreimbursed out-of-pocket expenditures reasonably trackable to the data breach to as much as $5,000 per class member. The second choice allows class members to get as much as $500 for “de-minimis” or minimal affirmative action as per data breach notification. Irrespective of the option selected, class members may likewise claim 36 months of medical data and fraud monitoring services for free. Those services are covered by a $1 million identity theft insurance plan.
The settlement additionally calls for MedData to apply and keep an improved cybersecurity system, which should include robust monitoring and auditing for data security problems, yearly cybersecurity screening, training on data privacy for workers, data encryption, improved access controls, yearly penetration testing, a data removal policy, and a supervised internal whistleblowing system. The board should likewise take into account proper cybersecurity spending yearly, and routinely update internal security guidelines and protocols.
Ernest Health Sued Because of a Ransomware Attack and Data Breachin 2024
The Texas health system Ernest Health is facing a lawsuit filed by patients whose protected health information was exposed in an attack. This is probably a lawsuit connected to the theft of no less than 97,078 patients’ data. Ernest Health runs hospitals in Arizona, Colorado, California, Indiana, Idaho, Montana, New Mexico, South Carolina, Texas Ohio, Wyoming Utah, and Wisconsin. On February 1, 2024, Ernest Health discovered suspicious activity in its systems. The investigation revealed there was unauthorized access to its system between January 16, 2024, and February 4, 2024. The LockBit ransomware group said it is behind the attack and made threats to release the stolen information on its leak website. Ernest Health mentioned the breached data contained names, contact details, dates of birth, health plan IDs, medical records, Driver’s License Numbers and Social Security numbers.
A lawsuit was submitted by Lauri Cook and Joe Lara on their behalf and persons in the same circumstances who had their personal information and PHI affected in the Ernest Health cyberattack. The lawsuit states that Ernest Health was unable to protect the files of present and past patients as a result of lack of cybersecurity safeguards and insufficient cybersecurity training for its staff, which suggests it had no effective means to discover, prevent, or stop the cyberattack. The plaintiffs state that it took 73 days from the preliminary compromise for Ernest Health to mail individual notices, which denied them the option to minimize their injuries promptly.
Though Ernest Health explained it has carried out more safety measures in response to the breach, the plaintiffs assert the health system has an inadequate and late response to the attack. Having free credit monitoring and identity theft protection services is not enough. The lawsuit purports breach of implied contract, negligence, negligence per se, unjust enrichment, invasion of privacy, and breach of fiduciary duty and wants a jury trial, declaratory and other equitable relief, statutory damages, injunctive relief, and exemplary, compensatory, and punitive damages. The plaintiffs and class representatives are Samuel J. Strauss and Raina Borrelli of Turke & Strauss, and Joe Kendall of the Kendall Law Group.