Legal News

Consolidated Class Action Lawsuit Filed Against Shields Health Care Group Sued Over 1.9 Million-Record Data Breach

Multiple lawsuits have been filed against Massachusetts-based Shields Health Care Group, which suffered one of the largest healthcare data breaches of the year, affecting almost 2 million individuals. The lawsuits have recently been consolidated into a single lawsuit – Biscan v. Shields Health Care Group Inc – that was filed in a Massachusetts federal court this week.

Shields Health Care Group provides MRI, PET/CT, radiation oncology, and surgical services to healthcare practices, around 60 of which were affected by the breach. Hackers gained access to its network and stole the protected health information of patients over a two-week period in March 2022. The stolen data included names, contact information, Social Security numbers, insurance information, billing information, and clinical information such as diagnoses and treatment information. Affected individuals were offered a 2-year membership to a credit monitoring service.

The plaintiffs allege Shields Health Care Group failed to implement appropriate safeguards to prevent unauthorized access to highly sensitive patient data and then failed to issue timely notifications to inform patients that their data was in the hands of cybercriminals. They also allege that the notification letters did not provide adequate information to allow the affected individuals to take appropriate action to assess and mitigate risk.

The lawsuit alleges Shields Health Care Group was fully aware of the risk of hacking and ransomware attacks on healthcare organizations given the multiple security alerts issued by the FBI, CISA, and the HHS, yet failed to implement adequate measures to reduce risk, which was in violation of its obligations under the HIPAA Security Rule.

Shields Health Care Group said a security alert was triggered on March 18, 2022, which was investigated but no breach was detected. Suspicious activity was then identified within its network on March 28, 2022. The investigation confirmed patient data had been compromised, and notifications were issued to affected individuals on June 7, 2022, outside the reporting time frame of the HIPAA Breach Notification Rule.

The lawsuit claims that the notifications were untimely, and deficient in information, failing to even provide basic information about the breach, such as whether patient data on the servers were accessed. The lawsuit also alleges the credit monitoring services offered were inadequate given that affected individuals face many years of ongoing identity theft.

While many lawsuits are filed based on future risk of harm, the plaintiffs claim to have suffered financial losses as a result of the breach and have had to spend a significant amount of time monitoring their financial accounts. One plaintiff said suspicious activity was identified in his email account and he had thousands of dollars of fraudulent charges to his Bank of America account, and another plaintiff claims to have been targeted by scammers over the phone since the data breach.

The consolidated lawsuit alleges negligence, breach of contract, invasion of privacy by intrusion, and breach of fiduciary duty, and seeks class action status, damages, and injunctive relief.

The post Consolidated Class Action Lawsuit Filed Against Shields Health Care Group Sued Over 1.9 Million-Record Data Breach appeared first on HIPAA Journal.

Washington Attorney General Sues Plastic Surgery Provider for HIPAA Violations and Falsely Inflating Online Ratings

Washington Attorney General Bob Ferguson is suing a plastic surgery provider for falsely inflating online ratings and bribing and threatening patients, and alleges the actions of the practice violated the Health Insurance Portability and Accountability Act (HIPAA) Rules.

The lawsuit was filed in the U.S. District Court for the Western District of Washington against the Seattle plastic surgery clinic Allure Esthetic and its owner Dr. Javad Sajan after receiving multiple complaints from patients and former employees. The complaints alleged the practice was bribing and threatening patients to prevent them from posting negative reviews on platforms such as Yelp and Google, and that patients were made to sign non-disclosure agreements (NDAs) before receiving treatment prohibiting them from publishing online reviews that could in any way harm the practice. The practice considered any review under 4 stars to be a negative review. Attorney General Ferguson said these practices falsely inflated its online reviews.

According to the lawsuit, more than 10,000 patients were made to sign the NDAs stating legal action would be taken in response to negative reviews. Patients who posted negative reviews were allegedly intimidated into removing the reviews and were told they would be sued for monetary damages if the reviews were not deleted. In some cases, patients were offered bribes for removing negative reviews, including cash and free services. Patients that accepted the payments or free services were required to sign a second NDA that stipulated they would be liable for $250,000 in damages if they posted any further negative reviews. Patients were required to pay a $100 consultation fee before being told they would be required to sign an NDA.

The lawsuit also alleges employees were ordered to post fake positive reviews online that included altered before and after photographs that made it appear the treatments were more successful than they actually were. A VPN was used for posting fake reviews to conceal the IP addresses of the office computers. The practice is also alleged to have applied for rebates on behalf of its patients without obtaining their consent, then kept the rebates. Hundreds of fake email accounts were created to register for rebate programs intended for real patients, which resulted in thousands of dollars of fraudulent rebates being paid to the practice each month.

The lawsuit alleges that between 2017 and 2019, the NDAs required patients to contact the practice prior to publishing any online review under 4 stars, with the NDAs stating patients would be liable to “pay monetary damages to the practice for any losses” if negative reviews were not removed. The NDAs also stated that patients must waive their HIPAA privacy rights, stating consumers must “allow a response [to the review] from the practice with any personal health information” if they post a negative review. The HIPAA Privacy Rule prohibits covered entities from conditioning treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization to disclose protected health information. That wording was changed in 2019, but the NDAs continued to be required until March 2022.

In addition to the alleged HIPAA violations, the practice and owner are alleged to have violated the Washington State Consumer Protection Act (CPA) and the Consumer Review Fairness Act (CRFA). The lawsuit asks the court to invalidate the NDAs, require the practice to write to all patients to inform them that the NDAs are invalid, and block the practice from using NDAs in the future. Monetary damages of up to $7,500 are sought per violation and the court has been asked to order the practice to pay restitution to patients for the $100 consultation fees and return any rebates that are owed to customers.

“Patients rely on reviews to determine if a healthcare provider is right for them and using legal threats and bribes to manipulate those reviews is deceptive and harms Washingtonians. We are taking action to stop these unethical and illegal practices,” said AG Ferguson. “Threatening and bribing customers to prevent them from sharing the truth about their experience isn’t just wrong — it’s illegal.”

CommonSpirit Health Facing Class Action Lawsuit over Ransomware Attack and Data Breach

The Chicago, IL-based health system, CommonSpirit Health, is facing a class action lawsuit over its October 2022 ransomware attack. Malicious actors gained access to its IT systems on September 16, 2022, and deployed ransomware on October 2, 2022. The attack forced the shutdown of its electronic medical record system and caused considerable disruption over several weeks, with the Catholic health system having to cancel many appointments. The forensic investigation determined the protected health information of patients of Virginia Mason Franciscan Health was potentially compromised in the attack. Virginia Mason Franciscan Health operates St. Anne Hospital, St. Elizabeth Hospital, St. Anthony Hospital, St. Clare Hospital, St. Francis Hospital, St. Joseph Hospital, and St. Michael Medical Center. CommonSpirit Health said the information compromised in the attack was limited to names, addresses, phone numbers, dates of birth, and unique ID numbers, and reported the data breach to the HHS’ Office for Civil Rights as affecting 623,774 individuals.

In late December, a lawsuit was filed in the District Court for the Northern District of Illinois on behalf of Virginia Mason Franciscan Health patient, Leeroy Perkins, and other similarly affected patients. The lawsuit alleges CommonSpirit Health was negligent for failing to implement and follow basic cybersecurity procedures and industry cybersecurity best practices which allowed unauthorized individuals to gain access to patients’ sensitive data, placing affected patients at risk of identity theft and fraud.

Perkins claims to have had to spend valuable time monitoring his accounts and changing passwords, and now faces an increased risk of identity theft and fraud as a result of the data breach. He also claims costs will be incurred paying for credit monitoring and identity theft protection for years to come, and his credit score is likely to be lowered. The lawsuit seeks class action status, damages exceeding $5 million, and injunctive relief, including CommonSpirit Health implementing more robust cybersecurity measures to protect patient data.

It is now common for lawsuits to be filed against healthcare providers that have suffered ransomware and other cyberattacks, especially when the data breaches affect many thousands of patients; however, in order for the lawsuits to succeed, the plaintiffs must demonstrate they have been harmed as a result of a data breach. Lawsuits often fail when they are based solely on an elevated risk of identity theft and fraud.

In 2021, a lawsuit filed against Brandywine Urology Consultants was dismissed by a Delaware Superior Court judge when the plaintiffs failed to provide sufficient evidence that they had been harmed by the breach. “A plaintiff alleging that it will suffer future injuries from a defendant’s allegedly improper conduct must show that such injuries are certainly impending,” and must demonstrate “a likelihood that the injury will be redressed by a favorable decision,” said the Honorable Mary M. Johnston in the ruling dismissing the lawsuit. The plaintiffs claimed to have incurred expenses as a result of the breach, but the judge ruled that costs incurred in response to a speculative threat are not sufficient to confer standing.

Avalon Healthcare Settles HIPAA Case with Oregon and Utah State AGs and Pays $200,000 Penalty

Avalon Healthcare has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws with the Oregon and Utah Attorneys General that were uncovered during an investigation of a 2019 breach of the personal and protected health information of 14,500 of its employees and patients.

Avalon Healthcare is part of the Avalon Health Care Group and provides skilled nursing, therapy, senior living, assisted living, and other medical services throughout Oregon, Utah, California, Nevada, Washington, and Hawaii. In July 2019, an employee responded to a phishing email and disclosed credentials that allowed an email account to be accessed by unauthorized individuals. The account contained sensitive information such as names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, and some financial information. It took 10 months from the date of the breach for the incident to be reported to the HHS and state attorneys general, and for affected individuals to be notified.

Oregon Attorney General Ellen Rosenblum and Utah Attorney General Sean Reyes launched an investigation into the data breach that focused on the email security practices at Avalon Healthcare and compliance with the HIPAA Security and Breach Notification Rules and state data breach notification statutes. The HIPAA Breach Notification Rule requires notifications to be issued about breaches of protected health information without undue delay and no more than 60 days from the date of the breach. In Oregon, data breach notifications must be issued in the most expeditious manner, and no later than 45 days after the date of discovery of the breach. The investigation uncovered potential violations of the Oregon Unlawful Trade Practices Act and HIPAA with respect to breach notifications and data security. Avalon Healthcare agreed to settle the case to avoid further controversy and expense.

Under the terms of the settlement, Avalon Healthcare has agreed to comply with the requirements of state laws and HIPAA and will develop, implement, and maintain an information security program that includes reasonable data security practices to ensure all personal information and protected health information is adequately protected. An individual will be designated as having overall control of the information security program and a HIPAA compliance officer will be appointed. The information security program will include logging and monitoring of the network, multi-factor authentication, email filtering, and at least twice-yearly security awareness training for the workforce. Security awareness training must cover phishing and social engineering, and include phishing simulation exercises. Avalon Healthcare has also agreed to develop, implement, maintain, and test a data incident response plan and to implement and maintain a risk assessment and risk management program. Avalon Healthcare will also revise its email data retention policies to ensure that data is only kept in email accounts for as long as there is a legal basis to retain the information and all emails containing PHI will be encrypted.

In addition to the commitment to compliance with HIPAA and state laws, Avalon Healthcare will pay a $200,000 financial penalty, which will be split equally between the Oregon and Utah state attorneys general and will be used to pay for legal fees, investigation costs, and the future enforcement of compliance with HIPAA and state laws.

“Companies, like Avalon, that retain consumers’ protected health information, have a duty to keep this data safe from unauthorized access,” said Attorney General Rosenblum. “Avalon dealt with the personal health-related information of some of our most vulnerable residents. Close to 2,000 Oregonians assumed—incorrectly—their information was safe with Avalon. Data breaches continue to be a problem in Oregon, and we are committed to working with companies to make sure they have the highest data privacy safeguards in place.”

Fertility Centers of Illinois Proposes $450,000 Settlement to Resolve Data Breach Lawsuit

Fertility Centers of Illinois has proposed a $450,000 settlement to resolve a lawsuit filed on behalf of patients and employees who were affected by its February 2021 data breach.

On February 1, 2021, hackers gained access to the network where sensitive employee and patient information was stored, including names, employee ID numbers, Social Security numbers, passport numbers, financial account and payment information, diagnoses, treatment information, medical record numbers, billings and claims information, occupational health information, Medicare/Medicaid information, and usernames and passwords with PINs or account login information.

The investigation of the breach took six months, but it then took a further four months for affected individuals to be notified. Notification letters were finally sent in December 2021 and the data breach was reported to the HHS’ Office for Civil Rights on December 27, 2021, as affecting 79,943 patients. It should be noted that the HIPAA Breach Notification Rule requires the HHS and affected individuals to be notified about breaches of protected health information within 60 days of the discovery of a data breach.

The lawsuit – Monegato, et al. v. Fertility Centers of Illinois PLLC – was filed in the Circuit Court of Cook County, IL, and takes issue with the length of time it took to issue notifications, alleging Fertility Centers of Illinois unnecessarily delayed notifications, attempted to conceal the severity of the breach, and misrepresented the nature of the breach and the threat posed to affected individuals. The lawsuit also alleges Fertility Centers of Illinois failed to adequately protect patient data, with the alleged lack of safeguards and breach notification delay in violation of Illinois law.

The alleged security failures include storing protected health information (PHI) and personally identifiable information (PII) in multiple locations, each with different security safeguards; a failure to adequately train employees on security protocols; and inadequate security measures for protecting PHI/PII. The lawsuit also alleges an ineffective breach response that took 6 months to determine hackers accessed PHI/PII. Also, the breach notification letters stated, in bold and underlined text, that electronic medical records had not been accessed when the next paragraph made it clear that the information contained in medical records had in fact been accessed.

The lawsuit claims victims of the data breach now face a lifetime risk of identity theft and fraud; will continue to suffer damages, including monetary losses, lost time, anxiety, and emotional distress; have lost the opportunity to control how their PHI/PII is used; have suffered a diminution in value of their PII and PHI; and will have to deal with the continuing publication of their PII and PHI. Despite these risks, only 12-24 months of identity theft protection services were provided.

Fertility Centers of Illinois has not admitted any wrongdoing and chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, individuals affected are entitled to submit a claim for up to $450 for ordinary losses such as out-of-pocket expenses incurred as a result of the data breach, and reimbursement for up to four hours of lost time at $20 per hour. Claims up to the value of $5,000 are permitted for documented extraordinary losses incurred between February 1, 2021, and June 5, 2023, that are not covered under ordinary losses. The settlement is capped at $450,000 and claims will be paid pro rata if that amount is reached. In addition, all affected individuals are entitled to claim an additional 24 months of credit monitoring services (via Pango) from the effective date of the settlement.

Scripps Health Proposes $3.5M Settlement to Resolve Class Action Ransomware Lawsuit

A settlement has been proposed by Scripps Health to resolve a consolidated class action lawsuit – In Re: Scripps Health Data Incident Litigation – and all claims related to its 2021 ransomware attack.

In April 2021, Scripps Health suffered a ransomware attack that was reported to the Department of Health and Human Services as affecting 147,267 patients. The attack caused major disruption at Scripps Health hospitals. Scripps Health had to redirect ambulances and cancel scheduled appointments, and the staff was forced to record patient information on paper while the San Diego-based health system restored its IT systems – a process that took around a month.

The investigation revealed the hackers stole files from its network on April 29, 2021, which contained protected health information such as names, Social Security numbers, driver’s license numbers, and healthcare information, including information stored in medical records. The ransomware attack has proven to be incredibly costly for Scripps Health. Its financial statements show the attack cost at least $113 million in lost revenue.

Multiple lawsuits were filed against Scripps Health in the San Diego County Superior Court in the wake of the data breach on behalf of individuals affected by the ransomware attack. The lawsuits allege Scripps Health failed to implement and maintain adequate security measures to protect patient information and had inadequate policies and procedures for detecting and remediating cyberattacks, despite being aware of the high risk of an attack.

The plaintiffs allege they have suffered lost time, annoyance, interference, and inconvenience as a result of the data breach, including being prevented from accessing the MyScripps patient portal, which is used by patients to access their healthcare information, request prescription refills, manage appointments, and communicate with doctors. The lawsuits sought damages, reimbursement of out-of-pocket expenses, and injunctive relief, requiring Scripps Health to implement adequate security measures to better protect patient data in the future.

Scripps Health has not admitted any wrongdoing and does not accept liability for the ransomware attack and data breach. The decision was taken to settle the lawsuit to prevent further legal costs, avoid the uncertainty of trial, and resolve all claims related to the data breach. Under the terms of the settlement, class members are entitled to submit a claim for a cash payment of up to $100 which is subject to a pro rata increase based on the number of claims received. In addition, class members are entitled to submit claims for documented ordinary and extraordinary losses. The settlement amount is expected to exceed $3.5 million.

Claims for reimbursement of ordinary out-of-pocket losses are permitted up to a maximum of $1,000 per class member. Ordinary losses include unreimbursed bank fees, card re-issuance fees, overdraft fees, over-limit fees, telephone charges, costs of credit reports, and similar losses that can be reasonably traced to the ransomware attack.

Extraordinary losses are those related to identity theft that are fairly traceable to the ransomware attack and were suffered between April 29, 2021, and March 23, 2023. To qualify for reimbursement for extraordinary losses, class members must have made reasonable efforts to avoid suffering losses and have exhausted available avenues for recovering losses related to identity theft.

Class members wishing to exclude themselves from or object to the settlement have until March 8, 2023, to do so. The deadline for submitting claims is March 23, 2023. The final approval hearing is scheduled for April 7, 2023.

Judge Denies Injunction Banning Meta from Collecting Patient Data via Meta Pixel Code

Plaintiffs in a consolidated class action lawsuit against Meta recently sought an injunction against Meta to stop the company from collecting and transmitting data collected from the websites of healthcare providers through Meta Pixel tracking code.

The plaintiffs claim the use of Meta Pixel code on appointment scheduling pages and patient portals allows sensitive information, including patient communications, to be collected and monetized by Meta, which violates federal and state privacy laws. William Orrick, U.S. District Judge for the Northern District of California, has recently issued a ruling denying the injunction.

Background

In the summer, an investigation was conducted by The Markup into the use of tracking technologies such as Meta Pixel on the websites of healthcare providers and found that 33% of the top 100 hospitals in the United States had the code on their websites, some of which had added the code to their patient portals. Meta Pixel can collect any data in HTTP headers, button click data, and form field names. That code was found to be transmitting patient information to Meta when Meta had not entered into a business associate agreement with the hospitals.

In the past few months, Novant Health, Community Health Network, Advocate Aurora Health, and WakeMed Health and Hospitals have all reported impermissible disclosures of patients’ PHI to OCR due to the use of Meta Pixel and other tracking code on their websites. Multiple lawsuits have also been filed against Meta and healthcare providers over the use of Meta Pixel code and the impermissible disclosure of the data of Facebook users, which the lawsuits claim is being used for advertising purposes without consent.

The Department of Health and Human Services’ Office for Civil Rights has recently confirmed that the use of tracking technologies on websites is not permissible under the HIPAA Privacy Rule if those technologies collect and transmit protected health information unless the vendor of the tracking technology qualifies as a business associate and a business associate agreement is in place or if HIPAA-compliant patient authorizations are obtained.

Ruling

Meta has argued that it has a policy in place that limits the data businesses can share through Meta Pixel, and mechanisms are in place that filter out sensitive data to ensure the information is not passed on to advertisers through its ads ranking and optimization systems. Meta also claims that any injunction that requires the company to stop collecting healthcare information would be unfairly burdensome and technologically infeasible.

“The allegations against Meta are troubling: plaintiffs raise potentially strong claims on the merits and their alleged injury would be irreparable if proven,” said Judge Orrick in his ruling. “To secure a mandatory injunction, however, plaintiffs need to show ‘that the law and facts clearly favor [their] position, not simply that [they are] likely to succeed.’”

Orrick explained that Meta has provided evidence that the company is doing all it can to minimize the problems raised by the plaintiffs, and that based on the available facts it is unclear where the truth lies. Orrick said there is a need for discovery to clarify the scope of the problems and the potential solutions that can be implemented to address them. Judge Orrick said, “it is too early to find that the public interest supports a mandatory injunction.”

Lawsuit Seeking Property Insurance Cover for Ransomware Attack Fails

Cyber insurance policies can help to cover the cost of losses from ransomware attacks, but these policies are becoming more difficult to obtain. Insurers are tightening their requirements for obtaining policies and many insurers are placing limits on underwriting amounts. Premiums are also skyrocketing, putting policies out of the reach of many healthcare organizations, if insurance can even be obtained. There has been further bad news this week for healthcare organizations that have been unable to obtain cyber insurance, as the Ohio Supreme Court has recently ruled that ransomware attacks do not constitute physical damage, which means claims cannot be made against property insurance policies.

The decision ends a 3-year court battle between the medical billing software developer, EMOI, and its insurer, Owners Insurance Company. EMOI suffered a ransomware attack in September 2019 and paid the ransom demand of $35,000 to regain access to its files. EMOI also invested in upgrades to its security infrastructure to prevent further attacks. The ransomware gang provided the keys to decrypt data and most files could be recovered; however, it was not possible to decrypt its automated phone call system, which had to be replaced.

EMOI submitted a claim against its property insurance policy to try to recover the losses, but the claim was rejected. EMOI then took legal action against Owners as the insurance policy covered direct physical loss to digital media. Owners maintained that the ransomware attack did not have a physical dimension, so was therefore not covered by the insurance policy, and that the policy excluded ransomware losses.

In November 2021, an Ohio Appellate Court ruled in favor of EMOI and allowed a claim against the insurer for treating EMOI in bad faith, by failing to fully consider the various types of damage that can occur to media such as software; however, all seven of the Ohio Supreme Court justices sided with Owners, and issued a summary judgment dismissing the EMOI lawsuit.

EMOI had argued that computer software falls under the category of “media” that can be damaged, even though software is non-physical, so the losses should therefore be covered by the insurance policy even though there was no damage to hardware. The Supreme Court justices were not persuaded by that argument, ruling that “The most natural reading of the phrase ‘direct physical loss of or damage to’ is that EMOI is insured for direct physical loss of its media and insured for direct physical damage to its media.”

While the term “computer software” is included within the definition of “media”, the justices ruled that computer software was only included insofar as the software is contained on covered media, and that covered media means the media has a physical existence. Since there was no direct physical loss or physical damage to the covered media containing the computer software, the losses were not covered under the policy. Further, computer software cannot experience direct physical loss or physical damage because it does not have a physical existence.

Class Action Data Breach Lawsuit Settled by Morley Companies

Morley Companies has agreed to settle a class action lawsuit filed on behalf of individuals affected by a major data breach that occurred on or around August 1, 2021. A fund of $4.3 million has been created to cover claims from individuals affected by the data breach.

On or around August 1, 2021, Morley Companies, a Saginaw, MI-based provider of business services, suffered a cyberattack in which hackers gained access to parts of its network. Morley Companies said the attack prevented access to its information systems when files were encrypted, with the investigation confirming that the attackers exfiltrated files containing protected health information.

Approximately 628,000 breach notification letters were mailed, and the breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 521,046 individuals. The breached information included names, addresses, Social Security numbers, birthdates, client identification numbers, medical diagnostic and treatment information, and health insurance information. Morley Companies accepts no liability for the incident and has admitted no wrongdoing but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, class members can submit a claim to receive reimbursement of up to $2,500 for documented out-of-pocket expenses that are reasonably traceable to the cyberattack and data breach. These can include unreimbursed losses relating to fraud or identity theft, professional fees including attorneys’ and accountants’ fees, and fees for credit repair services, costs associated with freezing or unfreezing credit with any credit reporting agency, credit monitoring costs incurred on or after August 1, 2021, and miscellaneous expenses such as notary, data charges, fax, postage, copying, mileage, cell phone charges, and long-distance telephone charges (conditions apply).

Class members can also claim up to four hours of lost time at a rate of $20 per hour, and residents of California at the time of the breach can claim a payment of $75. In addition, individuals who did not previously claim the credit and identity monitoring services provided by Morley Companies through IDX will be provided with a new offer and activation code valid for 90 days to claim 3-bureau credit monitoring for a three-year period from the effective date of the settlement. Class members will also be provided with a one-year membership to the Dashlane password management service.

Class members have until February 7, 2023, to object to or exclude themselves from the settlement. Claims must be submitted by March 20, 2023. The final approval hearing for the settlement has been scheduled for April 19, 2023.
