The Nashville, TN-based health system, Advent Health Partners, has proposed a $500,000 settlement to resolve claims related to a September 2021 data breach involving the protected health information of 61,072 patients.
Advent Health Partners detected a breach of its email environment in early September 2021. The investigation confirmed hackers had access to, and potentially stole, the protected health information of patients such as names, Social Security numbers, driver’s license information, dates of birth, health insurance, medical treatment information, and financial account information. Affected individuals were notified about the breach in March 2022, and were offered credit monitoring services for 12 months.
A lawsuit – McHenry v. Advent Health Partners, Inc. – was filed in the U.S. District Court for the Middle District of Tennessee against Advent Health Partners over the breach. The lawsuit alleged the health system failed to implement reasonable and appropriate cybersecurity measures, despite being aware of the high risk of phishing attacks on healthcare providers. The lawsuit also took issue with the length of time taken to notify affected individuals. The breach was detected in early September 2021, yet Advent Health Partners did not announce the breach on its website until February 2022, and notifications were sent in March 2022, 6 months after the breach was detected. The lawsuit also alleges the notifications were ‘woefully deficient’ and lacked even basic details about the data breach, and that the 12 months of credit monitoring services were insufficient.
The lawsuit alleges the failure to protect patient data and the delay in issuing notifications violated Tennessee law. The lawsuit also claims the health system failed to comply with the federal standards of HIPAA and had not followed FTC guidelines for protecting sensitive data. The lawsuit alleged negligence, breach of third-party beneficiary contract, and unjust enrichment.
Advent Health Partners chose to settle the lawsuit to avoid further legal costs and has admitted no wrongdoing. Under the terms of the settlement, a $500,000 fund will be created to cover claims and legal costs. Claims may be submitted for reimbursement of ordinary expenses up to $750 per class member, which can include documented losses such as out-of-pocket expenses, fees for credit reports and credit monitoring between September 1, 2021, and April 20, 2023, and up to four hours of lost time at $18 per hour. Claims may also be submitted up to a maximum of $5,000 per class member for reimbursement of extraordinary losses that have not already been reimbursed, such as losses to identity theft and fraud. Class members will also be provided with 3 years of credit monitoring services.
The deadline for objection to or exclusion from the settlement is March 21, 2023. Claims must be submitted by April 20, 2023, and the final approval hearing has been scheduled for April 14, 2023.
The post Advent Health Partners Proposes $500,000 Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.