The settlement follows a data breach involving an employee’s email account.
What happened
Datavant, also known as Ciox Health, recently agreed to a settlement to resolve a class action lawsuit, Jackson v. Ciox Health, LLC d/b/a Datavant Group. The lawsuit alleged that Datavant, a health IT company, failed to protect patients’ sensitive information, amounting to negligence. The lawsuit also argued that Datavant violated the Illinois Consumer Fraud and Deceptive Business Practices Act. A settlement of $900,000 has received preliminary approval from the court.
The backstory
The lawsuit stems from a breach that took place on May 9th, 2024, when suspicious activity was identified within an employee’s email account. An investigation confirmed that an unauthorized individual had accessed the email between May 8th and May 9th, after an employee had unknowingly responded to a phishing email.
According to the report filed with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), 320,702 individuals were impacted. Accessed information included names, dates of birth, addresses, contact information, Social Security numbers, financial account information, driver’s license numbers, passport numbers, and health information.
The big picture
Email is a main vector for data breaches, and over 70% of breaches are attributed to phishing. According to Paubox reports, 88% of healthcare workers have clicked on phishing links, showing that healthcare organizations need a better strategy to prevent these attacks. Paubox takes away the guesswork by automatically flagging and quarantining suspicious emails for review, so employees and health centers can feel comfortable that their email accounts are safe.
FAQs
Does it matter what data is involved in a data breach?
Yes. Generally, some information, like financial information or Social Security numbers, is considered more valuable because it can be used for identity theft. Other data, like addresses or dates of birth, can still be valuable because, especially when combined with other known information about an individual, it can help create a more complete victim profile.
Why weren’t all victims included in the class?
It’s unclear why not every victim was part of the class, but it likely means that individuals had to opt in. Generally, class members opt in after the settlement has been reached, rather than before.
