Fertility Centers of Illinois has proposed a $450,000 settlement to resolve a lawsuit filed on behalf of patients and employees who were affected by its February 2021 data breach.
On February 1, 2021, hackers gained access to the network where sensitive employee and patient information was stored, including names, employee ID numbers, Social Security numbers, passport numbers, financial account and payment information, diagnoses, treatment information, medical record numbers, billings and claims information, occupational health information, Medicare/Medicaid information, and usernames and passwords with PINs or account login information.
The investigation of the breach took six months, but it then took a further four months for affected individuals to be notified. Notification letters were finally sent in December 2021 and the data breach was reported to the HHS’ Office for Civil Rights on December 27, 2021, as affecting 79,943 patients. It should be noted that the HIPAA Breach Notification Rule requires the HHS and affected individuals to be notified about breaches of protected health information within 60 days of the discovery of a data breach.
The lawsuit – Monegato, et al. v. Fertility Centers of Illinois PLLC – was filed in the Circuit Court of Cook County, IL, and takes issue with the length of time it took to issue notifications, alleging Fertility Centers of Illinois unnecessarily delayed notifications, attempted to conceal the severity of the breach, and misrepresented the nature of the breach and the threat posed to affected individuals. The lawsuit also alleges Fertility Centers of Illinois failed to adequately protect patient data, with the alleged lack of safeguards and breach notification delay in violation of Illinois law.
The alleged security failures include storing protected health information (PHI) and personally identifiable information (PII) in multiple locations, each with different security safeguards; a failure to adequately train employees on security protocols; and inadequate security measures for protecting PHI/PII. The lawsuit also alleges an ineffective breach response that took 6 months to determine that hackers had accessed PHI/PII. In addition, the breach notification letters stated, in bold and underlined text, that electronic medical records had not been accessed, while the next paragraph made it clear that the information contained in medical records had in fact been accessed.
The lawsuit claims that victims of the data breach now face a lifetime risk of identity theft and fraud; will continue to suffer damages, including monetary losses, lost time, anxiety, and emotional distress; have lost the opportunity to control how their PHI/PII is used; have suffered a diminution in value of their PII and PHI; and will have to deal with the continuing publication of their PII and PHI. Despite these risks, only 12-24 months of identity theft protection services were provided.
Fertility Centers of Illinois has not admitted any wrongdoing and chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, individuals affected are entitled to submit a claim for up to $450 for ordinary losses such as out-of-pocket expenses incurred as a result of the data breach, and reimbursement for up to four hours of lost time at $20 per hour. Claims up to the value of $5,000 are permitted for documented extraordinary losses incurred between February 1, 2021, and June 5, 2023, that are not covered under ordinary losses. The settlement is capped at $450,000 and claims will be paid pro rata if that amount is reached. In addition, all affected individuals are entitled to claim an additional 24 months of credit monitoring services (via Pango) from the effective date of the settlement.
The post Fertility Centers of Illinois Proposes $450,000 Settlement to Resolve Data Breach Lawsuit appeared first on HIPAA Journal.