The Spring, TX-based revenue cycle management company Med-Data has agreed to a $7 million settlement to resolve all claims stemming from a data breach between 2018 and 2019 that involved the protected health information of approximately 136,000 individuals.
Between December 2018 and September 2019, an employee of Med-Data uploaded patient data to the public-facing software development hosting platform GitHub. The files were added to personal folders on GitHub Arctic Code Vault and contained the protected health information of patients of several of its clients. The exposed data included names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data removed the files when it was alerted to the data exposure and offered the affected individuals complimentary credit monitoring and identity protection services.
A lawsuit was filed in response to the data breach that claimed Med-Data failed to adequately protect the sensitive data it obtained from its clients and did not issue timely notifications when the breach was discovered. Med-Data chose to settle the lawsuit and the settlement has received preliminary court approval. There are two tiers to the settlement. The first tier allows affected individuals to claim up to $5,000 to cover documented, unreimbursed losses incurred due to the data breach, including out-of-pocket expenses such as bank fees, credit costs, and communication expenses, up to five hours of lost time at $25 per hour, and losses due to identity theft, identity theft, and medical identity theft.
Alternatively, class members can opt for the second tier, which will provide a cash payment of up to $500 to cover time spent in response to the data breach, including monitoring credit reports, signing up for credit monitoring services, changing passwords, and other actions. Claims will be paid pro rata, depending on the number of claims received.
Regardless of the tier chosen, class members can also claim a 3-year membership to a health data and fraud monitoring service (Medical Shield Premium), which includes a $1 million identity theft insurance policy (Pango). Class members have until April 26, 2024, to object to or exclude themselves from the settlement, and the final approval hearing has been scheduled for September 11, 2024.
The post Med-Data Settles Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.