A Colorado urology practice has agreed to compensate up to nearly 138,000 individuals affected by a September 2021 hacking incident in a class action settlement that could cost millions of dollars.
A proposed settlement headed for final court approval next month would allow class members to claim up to $500 for ordinary out-of-pocket expenses related to a 2021 data breach at The Urology Center of Colorado that exposed information including diagnoses and Social Security numbers of 137,820 patients.
Class members can also gain up to $2,500 for extraordinary expenses. Any patient who lived in California at the time of the data breach is eligible for an additional $50 in compensation. Class members can also sign up for two years of identity and credit monitoring.
The proposed settlement does not specify a cap on how much the urology practice agreed to pay. If each of the nearly 138,000 individuals affected by the data breach were to file a valid claim for $500 in reimbursements for ordinary out-of-pocket expenses, that alone would cost the practice nearly $69 million.
Some legal experts doubt the settlement costs will reach that amount.
“It is unlikely that many, if any, class members will be able to produce documentation necessary to sustain a valid claim under the terms of this settlement,” says regulatory attorney Paul Hales of the law firm Hales Law Group, who was not involved in the case.
The practice “made a good business decision to settle this lawsuit quickly under favorable terms,” Hales says.
The settlement could nonetheless become costly for the urology practice, says regulatory attorney Rachel Rose, who also was not involved in the case. Total settlement and lawsuit costs potentially could reach many tens of millions of dollars, she estimates.
“Damages experts from both sides submit potential damages, and they must be based on accepted methodologies,” she says.
“The [settlement] number that was reached is within a range that was acceptable to both sides. It could be higher if certain individuals have extraordinary damages, such as the theft of information leading to their identity being utilized and residual monetary damage occurring.”
Neither attorneys representing The Urology Center of Colorado nor the plaintiffs and class members in the lawsuit immediately responded to Information Security Media Group’s request for comment and additional information about the breach and the settlement.
Two medical practice patients filed the lawsuit in state court in April 2022. A court gave preliminary approval to the settlement in July, deferring final settlement until Oct. 10.
In a breach notification statement issued Nov. 5, 2021, the urology practice said it discovered on Sept. 8, 2021, that its network may have been accessed “for a brief period” between Sept. 7 and Sept. 8, 2021.
By Oct. 30, 2021, the practice said it had completed its review of the incident, and the center reported the hacking incident to the Department of Health and Human Services’ Office for Civil Rights a few days later, on Nov. 5, 2021, as affecting 137,820 individuals.
TUCC said the type of information potentially compromised varied by individual but included name, date of birth, Social Security number, address, phone number, email address, medical record number, diagnosis, treating physician, insurance provider, treatment cost and/or guarantor name.
The organization at that time also offered affected individuals credit monitoring and identity protection services.
In addition, TUCC said in its breach notification statement that in response to the incident, the entity had changed account passwords and was implementing “additional security measures.”
The lawsuit alleged that TUCC negligently failed to take the necessary precautions required to safeguard and protect the sensitive information from unauthorized disclosure.
That included TUCC’s alleged failure to encrypt data, install software patches, update its firewalls, check user account privileges, appropriately train and supervise employees in the proper handling of inbound emails, and ensure proper security practices, the lawsuit claimed.
As a result of the incident, the plaintiffs and class members face “substantial, increased, and immediate risk of fraud and identity theft,” the lawsuit alleged.
The lawsuit sought damages and other relief, including a court order compelling TUCC to utilize “appropriate methods and policies with respect to consumer data collection, storage, and safety.”
While the settlement provides financial payments to eligible class members who file valid claims, the agreement makes no mention of TUCC being required to improve its security practices.
Provisions for breached organizations to implement a list of data security improvements as part of their data breach class action lawsuit settlements are becoming more common in similar cases (see: Dental Care Alliance Settles Breach Lawsuit for $3 Million).
“It is notable that TUCC negotiated a settlement that does not require specific modifications to its data security practices,” says Hales. “However, no doubt it has taken steps to plug the leak that caused the breach,” he says.
Rose says the lawsuit might have stopped short due to the cause of the breach. “Oftentimes, companies have appropriate safeguards in place and it only takes one person to click on a phishing email – despite having been trained – and a breach occurs.”