Description
Med-Data provides business intelligence software, analytics solutions, and billing services for the healthcare sector. In early April, Med-Data agreed to a $7 million settlement to resolve a class action lawsuit over a data breach discovered in December 2020. Between December 2018 and September 2019, an employee had uploaded files containing sensitive data to personal folders in public GitHub repositories, where they remained accessible to anyone until a third party alerted Med-Data in December 2020; Med-Data promptly removed the files that month. The exposed files contained personal and medical information of nearly 136,000 individuals, including names, Social Security numbers, addresses, dates of birth, telephone numbers, medical conditions, and diagnoses. Affected individuals were informed of the breach through notification letters from Med-Data, and multiple lawsuits followed soon after.
Basis of the Case
According to the lawsuit, the defendant allegedly breached its duty of care by failing to adequately safeguard the Protected Health Information (PHI) and Personally Identifiable Information (PII) of the plaintiff and other class members. The plaintiff claims that the defendant did not take sufficient measures to prevent the breach, failed to disclose its lack of robust security practices and employee training, and did not provide timely and adequate notification once the breach was known. The complaint alleges that this negligence exposed the data to cybercriminals, putting the affected individuals at significant risk of personal and medical identity theft. Whether the files were actually downloaded by an unauthorized party while they were public is unknown; note, however, that public repositories are routinely crawled and mirrored, so the absence of evidence of access is not evidence that no copy was taken.
Case Settlement Details
The $7 million settlement, approved by a Texas court, offers two compensation options for class members. Under the first option, class members can claim up to $5,000 for documented unreimbursed losses attributable to the breach. Eligible claims may include costs related to financial fraud, medical fraud, identity theft, bank fees, credit-related costs, communication expenses, and up to 5 hours of lost time compensated at $25 per hour. The second option is an alternative payment of up to $500 for proactive measures taken in response to the breach, such as changing account passwords, subscribing to credit monitoring services, and requesting credit reports. In addition, all affected individuals are entitled to 36 months of complimentary health data and fraud monitoring, backed by a $1 million fraud and medical identity theft insurance policy.
Call to Action
Sensitive data must never be stored on public-facing resources, and a public code repository is exactly that. Organizations must establish and clearly communicate policies on the use of cloud services and code or data repositories, and back those policies with technical controls. To protect against an incident of this kind, the following measures should be implemented:
- Data Identification and Classification: The first step in securing data is to know exactly what sensitive data exists and where it resides, including on endpoints and developer workstations, not only on servers. Implement a classification scheme so that sensitive information can be labelled, prioritized, and protected accordingly.
- Data Loss Prevention (DLP): Deploy DLP controls to monitor and restrict the transfer of sensitive data. They should automatically detect and block the upload of classified information to unsanctioned destinations, including public repositories on platforms such as GitHub. For developer workflows this means content scanning at commit and push time, on the server side as well as on the workstation, since a local hook can be bypassed.
- Strict Access Control Policies: Enforce access control policies that follow the principle of least privilege (PoLP), so that only personnel whose roles require access to sensitive data are granted it, and so that a single employee cannot export a complete dataset without that export being authorized and logged.
- Regular Audits and Monitoring: Conduct regular audits of data usage and access within the organization. Use automated tooling to detect, report, and respond to policy violations and unusual activity, such as bulk exports or copies of sensitive data to removable media or personal cloud accounts.
In addition, sensitive data should be encrypted at rest wherever it is stored within the network infrastructure, so that it remains protected if the storage itself is accessed without authorization. Encryption at rest is not a substitute for the controls above, however: once an authorized user decrypts a file and copies it to a public repository, as happened here, the plaintext is exposed regardless of how the original was stored.