The Urology Center of Colorado has agreed to settle a class action lawsuit that was filed in response to a 137,820-record data breach that occurred in September 2021. On November 5, 2021, the urology practice sent notification letters to its patients advising them that some of their protected health information was potentially compromised two months previously, between September 7 and September 8, 2022. Unauthorized individuals accessed its network and potentially removed files containing patient information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, diagnoses, physician names, insurance provider names, guarantor names, and treatment cost information. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months.
A lawsuit was filed in response to the data breach on behalf of plaintiffs Kristen Snyder and Diona Lopez and other individuals similarly affected by the data breach. The plaintiffs alleged the Urology Center of Colorado was negligent for failing to implement necessary safeguards to ensure the confidentiality of patient information, including the failure to encrypt patient data, apply patches promptly to mitigate known vulnerabilities, review and update users’ account privileges, update firewalls, provide appropriate training to individuals on the procedures for handling inbound emails, and ensure appropriate security practices were followed. The lawsuit also alleged a breach of implied contract, breach of fiduciary duty, and a violation of Colorado’s data security laws. As a result of the negligence, the plaintiffs claim they face a substantial, increased, and immediate risk of fraud and identity theft.
The Urology Center of Colorado denied any wrongdoing and accepts no liability for the data breach but decided to settle the lawsuit to avoid ongoing legal costs and the uncertainty of trial. Under the terms of the settlement, the Urology Center of Colorado has agreed to provide compensation for documented out-of-pocket losses and lost time. Individuals who submit a claim will be eligible to receive up to $500 for documented losses, including up to 5 hours of lost time. Claims of up to $2,500 may be submitted for extraordinary losses, and individuals who were California residents at the time of the data breach are entitled to claim an additional $50 in compensation.
Individuals who signed up for the credit monitoring and identity theft protection services offered by the Urology Center of Colorado will be entitled to claim a further two years of membership, while individuals who did not originally sign up for the services are entitled to receive a 24-month membership to those services.
Class action data breach settlements often include a commitment to implement additional security measures, although this settlement contains no such commitments. The Urology Center of Colorado did state in its breach notification letters in November that additional measures were being considered to improve security.
Individuals who wish to object to or exclude themselves from the settlement have until October 10, 2022, to do so. Claims must be submitted by November 7, 2022. The final fairness hearing is scheduled for October 26, 2022.
The post The Urology Center of Colorado Agrees to Settle Class Action Data Breach Lawsuit appeared first on HIPAA Journal.