Ambry Genetics reached a $12.25 million settlement with 232,772 patients affected by the two-day email system hack in January 2020. The lawsuit alleged that the incident was a “direct result” of inappropriate cybersecurity protocols for the clinical genetic diagnosis vendor.
The proposed cash settlement provides financial compensation to affected patients and includes spending by Ambry Genetics to implement a number of updated security measures.
The lawsuit stems from an email incident first reported by the seller in April 2020, in which an attacker gained access to a single employee email account. The account contained patient names, medical information, diagnoses, and details on the services provided by Ambry. Social Security numbers were included for a smaller subgroup of patients.
The investigation was unable to verify whether the perpetrator had access to or stolen the data. However, the hack occurred during a period of increased targeting of healthcare providers during the pandemic, especially COVID-19 research firms.
Affected patients quickly filed a lawsuit, arguing that if Ambry had addressed known gaps in data security and adopted industry best practices, the email hack and subsequent data leak could have been prevented.
Outside of the alleged questionable security, patients also suffer from a lack of timely notification. The notice was actually sent for about two months outside the 60-day requirement under the Health Insurance, Portability and Accountability Act. Embry was also accused of not providing patients with adequate credit monitoring after the accident.
Over the past two years, the parties involved have searched for a viable agreement with several cases of imminent eviction. The proposed terms are intended for the “full, final and permanent resolution, settlement and settlement” of such claims.
In view of the facts and applicable law and “considering the burden and expense of this ongoing litigation… and the fair, cost-effective and assured method of resolving claims, [the parties] We believe the solution is appropriate… and a reasonable way to ensure that [patients] They are given important benefits and guarantees as quickly as possible,” according to the lawsuit.
Under the terms, Ambry Genetics will deposit $12.25 million into a settlement fund. Of that money, $2.25 million will cover the costs of the notice plan, administrative expenses, and the cost of providing victims with three years of credit monitoring services and identity theft insurance.
Individuals are also eligible to receive up to $10,000 in out-of-pocket reimbursement upon presentation of reasonable documentation. Patients can recoup up to $30 per hour for up to 10 hours of documented time spent responding to the breach with proof of those actions, or another three hours of “virtual time” spent addressing issues related to the incident.
Some “subclass” members in Illinois and California will also receive a check for around $150 to resolve potential violations of the California Medical Information Privacy Act and the Illinois Genetic Information Privacy Act.
According to the lawsuit, Ambry Genetics spent an estimated $1.4 million on the initial breach notification, investigation and other security measures.
The vendor testified to strengthen its policies and procedures, and to provide employees with training in handling health information. Ambry has also strengthened restrictions on access to health data, “created red-flag warnings” for emails sent externally, replaced outdated apps, and added additional security systems.
Ambry has also re-reviewed its vendor management, and now retains suppliers that meet all “SOC 2″ certification requirements, and performs third-party risk assessments, penetration testing, and phishing test emails to all employees.”
In all, the settlement could reach $14 million, making it one of the largest lawsuits resolutions in recent years despite its limited scope. For context, BJC HealthCare has settled a 2020 email system hack that affected 287,873 patients Over the summer for $2.7 million. Most of that money was directed to the required implementation of multi-factor authentication on BJC’s email platform.
The $5 million settlerThe Solara Medical Supplies announced in April is another example where the proposed money will be directed towards required annual incident response tests and other security program improvements.