
HIPAA/HITECH, Litigation, Standards, Regulations & Compliance

Several Affected HealthEC Healthcare Clients Are Chipping in to Fund Settlement

$5.48M Lawsuit Settlement Reached in Software Vendor Hack

A provider of artificial intelligence-enabled hospital cost-cutting software and several of its healthcare clients agreed to pay $5.48 million to settle proposed class action litigation involving a 2023 hacking incident affecting 4.6 million individuals.


A U.S. federal judge on June 6 granted preliminary approval of a settlement in a consolidated proposed class action filed in January 2024 against New Jersey-based software vendor HealthEC and several of its customers whose patients were affected by the hack.

Clients named as defendants include Community Health Care Systems, Corewell Health, MD Valuecare and Oakwood Accountable Care Organization, which does business as Beaumont ACO.

Under terms of the $5.48 million agreement, the settlement will be funded by all defendants, with HealthEC contributing the lion’s share of $3.33 million. Corewell will pay $1.3 million, Beaumont will pay $350,000, and MD Valuecare and Community Health will each contribute $250,000.

The preliminary settlement states that plaintiffs say they represent 1.6 million class members. Plaintiffs alleged the defendants failed to protect their personally identifiable information and protected health information “when a hacker infiltrated HealthEC’s insufficiently protected computer systems.”

HealthEC “failed to adequately train their employees on cybersecurity and failed to maintain reasonable safeguards or protocols to protect the information,” the complaint states.

HealthEC knew its systems were vulnerable, plaintiffs charged, but the company “prioritized profits over its obligation to protect patients’ data.”

“Plaintiffs further claim that the provider defendants are also responsible for the data breach because they have a non-delegable duty to protect their patients’ information,” court documents said.

Under the settlement, class members who file a claim are eligible to receive their out-of-pocket losses and lost time at the rate of $25 per hour for up to 10 hours – or an alternate cash payment of $25. California residents can get $50.

Settlement class members are also eligible for three years of complimentary Medical Shield credit monitoring.

HealthEC in a sample breach notice filed in December 2023 said it launched an investigation after becoming aware of suspicious activity potentially involving its network. The company said its investigation determined that certain systems were accessed by an unknown actor between July 14 and July 23, 2023. During that time certain files were copied, HealthEC said.

Data compromised in the hack potentially included individuals’ names, addresses, birthdates, Social Security numbers and medical information such as diagnosis code, mental and physical condition, prescription information, and provider’s name and location (see: Population Health Management Firm’s Breach Affects Millions).

The lawsuit alleged that defendants discovered the data breach in July 2023, but waited until December 2023 to notify affected patients.

Vendor Risk

Covered entities aren’t always named in health data lawsuits involving vendors, and whether they end up contributing to the settlement fund depends on individual circumstances, said regulatory attorney Rachel Rose, who is not involved in the HealthEC litigation.

If both the business associates and covered entities were deficient in applying safeguards and can be connected to the attack, then there is likely joint liability, she said.

Rose recommended HIPAA-covered entities get reasonable assurances from their business associates about their compliance before doing business with them. “A five-point attestation that is signed can be helpful,” she said. The five points should scrutinize whether the business associate conducts annual risk analysis and annual training, has adequate policies and procedures, has implemented encryption at rest and in transit, and has a business associate agreement in place, she said.

As of Tuesday, a hearing for final approval of the HealthEC lawsuit settlement has not yet been set by the court.

Neither HealthEC nor any of the other defendants named in the lawsuit settlement immediately responded to Information Security Media Group’s requests for comment and additional details about the incident.
