The settlement comes after an employee inadvertently exposed health and personal information of approximately 136,000 individuals on GitHub.
04/15/2024 1:45 P.M.
In a landmark case concerning data security and privacy, revenue cycle management firm MedData has reached a $7 million settlement in response to a class action lawsuit stemming from a significant breach, according to a recent article from Bank Info Security.
The incident, in which an employee inadvertently exposed the health and personal information of approximately 136,000 individuals on GitHub, underscores the critical importance of robust cybersecurity measures in today’s digital landscape.
The settlement, recently approved by a Texas federal court, marks the resolution of the last of five proposed federal class actions filed against MedData following the breach. The agreement requires MedData, now part of Elevate Patient Financial Solutions, to provide affected individuals with compensation and enhanced cybersecurity practices.
Under the terms of the settlement, class members have the option to choose from two payment tiers. The first tier covers documented out-of-pocket expenses related to the breach, while the second tier offers compensation for minimal affirmative actions taken in response to the incident. Additionally, all affected individuals are eligible to receive 36 months of complimentary health data/fraud monitoring services and $1 million in fraud and medical identity theft insurance coverage.
In response to the breach, MedData is mandated to implement and maintain an enhanced cybersecurity program for two years. This program includes annual cybersecurity testing and training, robust monitoring and auditing for data security issues, data encryption, access controls, annual penetration testing, a data deletion policy, and a monitored internal whistleblowing mechanism.
While the settlement appears to be “hard-fought” by the plaintiffs and class members’ counsel, “it must be kept in mind that these incidents involve non-ephemeral sensitive information rather than payment card data, etc.,” said cybersecurity attorney Steven Teppler of the law firm Mandelbaum Barrett PC, who is not involved in the MedData case. “Victims may be working to fix identity compromise events for years to come.”
Additionally, Teppler notes that the settlement does not explicitly address the implementation of secure software development policies, which could be crucial in preventing similar incidents in the future. Teppler emphasizes the need for comprehensive risk assessment efforts, policy development, and enforcement governing internal coding efforts, including the use of third-party or open-source software.
The breach, discovered in December 2020 by independent security researcher Jelle Ursem, exposed a vast array of sensitive information, including patient names, addresses, Social Security numbers, diagnoses, and health insurance policy numbers. The data remained accessible on GitHub for at least 13 months before being removed.
Notably, several health care clients of MedData were affected by the breach, including Memorial Hermann, Aspirus Health Plan, OSF HealthCare, and the University of Chicago Medical Center. The incident has highlighted the broader implications of data breaches within the health care sector, emphasizing the need for stringent security measures to safeguard patient information.
While MedData has not commented on the settlement, a spokesperson for Elevate, the firm’s parent company, clarified that the incident occurred under different ownership and that the responsible employee had left the company prior to its acquisition.