iCare Acquisitions has proposed a $3 million settlement to resolve claims from individuals affected by a 2021 data breach that involved almost 3.3 million 20/20 Eye Care Network and 20/20 Hearing Care Network health plan members.
A security breach was detected in January 2021, when suspicious activity was identified in its AWS cloud storage environment. The forensic investigation confirmed that AWS S3 storage buckets were accessed by the attackers, the contents of those buckets were downloaded, then the data in the buckets were deleted. The environment contained the protected health information of health plan members, including names, Social Security numbers, dates of birth, member ID numbers, and health insurance information.
The nature of the attack meant it was not possible to determine which individuals had been affected and the extent to which data were stolen, so notification letters were sent to the 3,253,822 individuals potentially affected by the breach. Notifications were sent to affected individuals in May 2021 and complimentary credit monitoring and identity theft protection services were offered. The breach was attributed to insider wrongdoing, which left plan members’ data exposed over the Internet.
A lawsuit – Desue, et al. v. 20/20 Eye Care Network Inc., et al. – was filed in the U.S. District Court for the Southern District of Florida against 20/20 Eye Care Network and iCare Acquisitions that alleged the data breach occurred as a result of the defendants’ failure to implement reasonable and appropriate cybersecurity measures. The lawsuit alleged a failure to comply with obligations under HIPAA and a failure to adhere to industry standard cybersecurity best practices. The lawsuit also took issue with the length of time it took to issue notifications to affected individuals, which were sent more than 3 months after the data breach was discovered.
The plaintiff claims that shortly after being notified about the data breach her credit card was used to make fraudulent purchases over the Internet, she experienced a significant increase in voice phishing calls, and her mail was diverted to a different address.
iCare Acquisitions and the 20/20 Eye Care Network admitted no wrongdoing and accept no liability for the data breach. The settlement was proposed to avoid ongoing legal costs and the uncertainty of trial. Under the terms of the settlement, a fund of $3,000,000 will be created to cover claims from individuals affected by the data breach.
Claims will be paid after legal fees have been deducted from the settlement amount and may be paid pro rata depending on the number of claims received. Class members are entitled to submit claims of up to $2,500 to recover out-of-pocket losses, including up to 10 hours of lost time at $25 per hour. Individuals who suffered documented losses to identity theft and fraud that have not already been reimbursed will be entitled to claim for those losses up to a maximum of $5,000, up to an aggregate maximum of $600,000. 36 months of credit monitoring services will also be provided, or alternatively a cash payment can be claimed in lieu of those services.
The deadline for objecting to or requesting exclusion from the settlement is April 3, 2023. Claims must be submitted by May 1, 2023. The final approval hearing has been scheduled for June 22, 2023.
The post $3 Million Settlement Proposed to Resolve 20/20 Eye Care Network Data Breach Lawsuit appeared first on HIPAA Journal.