Magellan Health has agreed to settle a class action data breach lawsuit and will create a $1.43 million fund to cover claims from patients affected by the breach.
The lawsuit – Dearing v. Magellan Health Inc. et al. – was filed in the Arizona Superior Court against Magellan Health Inc. and Magellan RX Management, LLC on behalf of patients whose protected health information was exposed in a May 2019 phishing attack. Unauthorized individuals gained access to emails and email attachments that contained patients’ protected health information, including names, Social Security numbers, and health information. Approximately 273,000 individuals were affected and had their protected health information exposed.
The plaintiffs alleged the defendants failed to implement appropriate cybersecurity measures to prevent unauthorized access to sensitive patient data and that, had those safeguards been implemented, the data breach would have been prevented. The plaintiffs alleged the security failures were in violation of the Health Insurance Portability and Accountability Act, although the lawsuit was filed over the violation of state laws.
The plaintiffs also took issue with how Magellan Health handled the data breach and the delay in issuing notifications. The phishing attack occurred in May 2019 and was not detected until July 2019, and notification letters were not sent to affected individuals until November 2019, 6 months after the attack. The plaintiffs argued that, had notifications been issued sooner, they could have taken steps to protect against identity theft and fraud.
The decision was taken to settle the lawsuit to prevent further legal costs and to avoid the uncertainty of trial. The defendants made no admission of wrongdoing and do not accept any liability for the data breach. Under the terms of the settlement, $1.43 million will be made available to cover claims from the class members.
All class members are entitled to submit claims of up to $225 to cover ordinary out-of-pocket expenses, such as the costs of credit reports, telephone calls, and Internet usage, and up to two hours of lost time at $15 per hour. Class members who have incurred costs related to credit monitoring and fraud resolution may also be able to claim back those costs. Claims may be submitted for extraordinary losses up to $2,500, such as monetary losses due to fraud and identity theft, as well as a further 3 hours of lost time at $15 per hour. Those claims must be supported by appropriate documentation.
Class members have until November 15, 2022, to exclude themselves or object to the settlement. The final approval hearing for the settlement is December 2, 2022, and all claims must be submitted by December 15, 2022.
The post Magellan Health Settles Class Action Data Breach Lawsuit for $1.43 Million appeared first on HIPAA Journal.