$1 Million Settlement Agreed to Resolve American HomePatient Data Breach Lawsuit

A $1 million settlement proposed by American HomePatient to resolve a class action lawsuit filed on behalf of victims of a 2017 data breach has received preliminary approval.

The data breach that was the subject of the lawsuit occurred on January 6, 2017. The offices of American HomePatient in Delaware were burgled, and thieves stole several computers. The hard drives were not encrypted and contained sensitive information such as names, addresses, dates of birth, Social Security numbers, AHOM account information, financial information, diagnosis codes, and treatment information of 13,000 current and former patients and customers of American HomePatient and Lincare Holdings Inc.

Following the breach, a class action lawsuit was filed on behalf of victims of the breach who claimed American HomePatient was negligent for failing to encrypt sensitive data and, that by failing to do so, the thieves had easy access to their sensitive information. The lawsuit also alleged invasion of privacy, breach of implied contract, negligence per se, unjust enrichment, breach of fiduciary duty, and a violation of the state Unfair and Deceptive Trade Practices Act.

Under the terms of the settlement, American HomePatient will provide monetary and non-monetary relief for class members in seven areas: Complimentary credit monitoring services for 12 months, reimbursement for identity theft protection services up to $150, payment of $350 for false tax returns filed with the IRS after January 6, 2017, payment of $150 for unauthorized IRS tax transcripts requested from the IRS after January 6, 2017, an identity theft payment of $350, and reimbursement for expenses incurred as a result of the breach up to $500 for out-of-pocket expenses and up to 3 hours at $15/hour.

Plaintiffs can submit a claim for enrollment in the Equifax Credit Watch Silver program but must submit documentation supporting claims under all other categories. Class members have until June 6, 2020 to submit their claims. The final hearing has been scheduled for June 26, 2020.

In addition to the monetary settlement, American HomePatient has agreed to implement and maintain security measures for two years which include conducting an external HIPAA risk assessment at least every two years and an annual risk analysis. American HomePatient will also maintain a head of IT to coordinate the security program for 2 years and will provide ongoing employee education on information security and protecting personally identifiable information.

The post $1 Million Settlement Agreed to Resolve American HomePatient Data Breach Lawsuit appeared first on HIPAA Journal.