Magellan Health has agreed to pay $1.43 million to resolve data breach claims stemming from a 2019 phishing attack that exposed thousands of patient data.
The settlement benefits individuals who received a notification that their personally identifiable information or personal health information may have been compromised in the 2019 Magellan Health data breach. This definition includes approximately 273,000 patients.
In November 2019, Magellan Health announced that it had been the victim of a phishing scheme that put patient data at risk. The phishing scheme, which happened in May 2019, allegedly compromised an employee’s email account. The breach gave hackers access to sensitive information such as the names, social security numbers and health information of 273,000 patients, including 44,000 TennCare participants.
Affected TennCare patients quickly filed a lawsuit against Magellan, arguing that the company could have prevented the data breach with reasonable cybersecurity measures. According to the lawsuit, Magellan evaded its obligations as a healthcare provider under the Health Insurance Portability and Accountability Act (HIPAA) by failing to secure patient data.
The plaintiffs also took issue with Magellan’s handling of the breach. Despite learning of the May 2019 breach in July 2019, Magellan allegedly failed to notify patients that their information had been compromised until November 2019. Had they been notified sooner, according to the plaintiffs, they would have been able to use those months to protect their data and remain vigilant for fraud.
Magellan has not admitted any wrongdoing, but has agreed to resolve these data breach allegations with a $1.43 million settlement.
Under the terms of the settlement, class members may receive cash payment for disbursements.
The settlement allows class members to claim up to $225 in ordinary disbursements, including telephone charges, credit report charges, internet usage and up to two hours of lost time at a rate $15 per hour.
Class Members may be able to collect reimbursement for ordinary expenses for credit monitoring and fraud resolution services if they have sufficient documentation.
Class members may also be eligible for payments of $2,500 if they suffered extraordinary expenses such as fraud, identity theft and up to three additional hours of lost time at a rate of $15.
The exclusion and objection deadline is November 15, 2022.
Magellan Health’s data breach settlement final approval hearing is scheduled for December 2, 2022.
In order to receive settlement benefits, Class Members must submit a valid Claim Form by December 15, 2022.