Connexin Software, which does business as Office Practicum, has proposed a $4 million settlement to resolve a consolidated class action lawsuit stemming from a 2022 data breach that affected almost 3 million individuals. Office Practicum provides pediatric-specific health information technology solutions to healthcare providers, including electronic health records, practice management software, billing services, and business analytics tools.
On August 26, 2022, Connexin Software said it detected a data anomaly within its internal network and the subsequent forensic investigation confirmed that an unauthorized third party had obtained an offline set of patient data that was used for data conversion and troubleshooting. The compromised data included the protected health information of 2,675,934 patients, the majority of whom were children. The compromised data included names, guarantor names, parent/guardian names, addresses, email addresses, dates of birth, Social Security numbers, health insurance information, medical and treatment information, and billing and claims data.
Several class action lawsuits were filed against Connexin Software shortly after the company announced the breach, nine of which were consolidated into a single class action lawsuit as they all made similar claims, including an alleged failure to implement reasonable and appropriate security measures to protect patient data. Children’s data is particularly valuable to cybercriminals as it can be misused for years. The affected individuals suffered an invasion of privacy and immediate and long-term risks of identity theft, fraud, medical identity theft, misappropriation of health insurance benefits, and other misuses. The plaintiffs argued that the threat actor behind the attack could also sell the data of children to human trafficking groups.
The settlement is in the best interests of all parties concerned. The plaintiffs will be able to claim for reimbursement of out-of-pocket expenses and Connexin Software will avoid further legal costs. Connexin Software explained to the judge when filing the preliminary settlement that if the lawsuit had progressed much further, the company would have no option other than to file for bankruptcy protection.
All parties have agreed to the proposed settlement, which has received preliminary approval from a Pennsylvania federal court judge. The plaintiffs and class members have been given three options: Expanded identity theft protection services for three years and coverage by a $1,000,000 identity theft insurance policy; reimbursement for unreimbursed out-of-pocket expenses up to a maximum of $7,500 per class member; or a flat-fee cash payment, the amount of which will be determined based on the claims received. Connexin Software has also agreed to invest $1.5 million in its information security program to better protect patient data in the future. Attorneys for the plaintiffs and class members are seeking around $1.3 million in fees.
“The parties were well-aware of each other’s strengths and weaknesses by virtue of the court’s ruling on Connexin’s partial motion to dismiss, their exchange of thousands of pages of documents, nearly a dozen depositions, and mediation-related discovery and analysis directed at Connexin’s finances,” states the settlement document. “Rather than prolonging the litigation, plaintiffs have reached a settlement that will immediately provide them and class members with significant benefits for their injuries arising from the data security incident.” The settlement now awaits a final hearing, the date for which has not yet been set.
The post Connexin Software Proposes Class Action Lawsuit Settlement to Avoid Bankruptcy appeared first on HIPAA Journal.