The Florida Orthopedic Institute has reached a $4 million settlement with the 647,000 patients affected by a server hack and subsequent ransomware attack in 2020. The data theft incident was the fifth-largest healthcare data breach that year.
The proposed settlement will resolve allegations that the security incident was caused by FOI’s failure to adhere to industry security standards, as well as violations of the Health Insurance Portability and Accountability Act and failure to notify affected patients in a timely manner.
First reported to patients on July 1, 2020, a ransomware attack deployed against FOI on April 1, 2020 encrypted data stored on its servers. The malware was discovered the same day, leading administrators to quickly secure the system.
However, the ensuing investigation revealed that protected health information may have been exfiltrated and/or accessed prior to the cyberattack. The data stolen varied by patient, but could include social security numbers, dates of birth, contact information, claim histories, insurance plan identification, diagnostic codes, provider locations and other sensitive data.
A lawsuit against FOI was quickly filed by several of the affected patients, who made several allegations against the Florida provider. FOI has been accused of failing to properly secure PHI as required by HIPAA, negligence, invasion of privacy, breach of implied contract, unjust enrichment, and a host of other legal claims.
“In willful disregard that the stolen sensitive and unprotected information was readily visible to unauthorized third parties, [FOI] downplayed the seriousness of the incident,” according to the lawsuit. “And further downplayed the severity by stating ‘we immediately launched an internal investigation to secure our environment and restore the affected data’.”
“These representations are merely boilerplate language drawn from a common pattern, clearly demonstrating the defendant’s lack of concern about the seriousness of the data disclosure,” the lawsuit continued.
The patients were seeking an order to compel FOI to ‘fully and accurately disclose the nature’ of the exposed data and order FOI to adopt ‘reasonably sufficient’ security measures, as well as provide affected patients with protective services against identity theft for life.
The lawsuit contains no evidence of specific harm, only that victims of the breach are now at increased risk of identity theft and “will continue to spend significant time and money in the future to protect themselves due to [FOI] failures.”
As part of the settlement, affected patients are eligible to receive up to $15,000 for personal losses, in addition to up to five hours of certified time at $25 per hour, three years of protection services against identity theft, monitoring services for minors, and eligibility to access fraud assistance and identity restoration services. In total, these services will cost FOI $1.2 million.
FOI also agreed to pay attorney’s fees. However, the settlement is not an admission of guilt. The provider “has consistently denied the allegations and made it clear that it will vigorously defend this case through litigation if necessary”.
A final hearing to approve the settlement is scheduled for September.
FOI joins a growing and worrying trend of healthcare data breach lawsuits. In May, data from BakerHostetler confirmed that lawsuits filed against vendors following a breach report are on the rise. In some cases, vendors may face multiple legal filings, both state and federal.
The report confirmed that the ongoing “duplicate litigation trend” has created a race to file a lawsuit, while increasing the cost of the initial litigation defense and overall settlement costs due to the large number of plaintiffs’ attorneys involved. Shortly after a breach is reported, law firms often initiate investigations to find affected patients.
“It takes $49 to file a lawsuit in any court. It’s a low threshold to get into the justice system,” BakerHostetler partner Lynn Sessions previously told SC Media. “What we find with these types of lawsuits is that [the attorneys] find at least one person to serve as a class member.”
Since the report was released, at least 10 other healthcare breach lawsuits have been filed, and two more have reached settlements with victims this month alone.