ReproSource Fertility Diagnostics, owned by Quest Diagnostics, recently proposed a $1.25 million settlement for a class action case.
What happened
On August 8th, 2021, ReproSource, a Massachusetts-based fertility laboratory and research center, faced a ransomware attack.
Based on a month-long investigation, ReproSource announced that personal information including names, addresses, phone numbers, email addresses, dates of birth, billing and health information, and health insurance information was breached. For some, leaked data may have also included Social Security numbers, financial account information, driver’s license numbers, and more.
ReproSource did not have evidence that data was exfiltrated but notified approximately 350,000 patients of potential data exposure. They offered free credit monitoring services and identity fraud loss reimbursement to those impacted.
Soon after the notice was released, ReproSource was sued by two class action lawsuits, which were ultimately compiled into one.
What’s new
The lawsuit alleged ReproSource egregiously failed to protect patient data and notify patients in a timely manner.
The plaintiffs demanded the fertility clinic enhance their security systems and pay compensatory damages to class action members.
Now, it seems a settlement has been reached. According to court documents, ReproSource has agreed to pay $1.25 million to the suit members. Members can submit a claim of up to $3,000 for losses including unreimbursed costs and losses associated with identity fraud, credit freezes and mitigation, professional fees associated with the case, and lost time.
To receive reimbursement, individuals must submit a claim showing the costs are reasonably traceable to the data breach.
ReproSource is not making any admission of wrongdoing as part of the settlement. The clinic will be required to enhance its data security protocols and monitoring and detection tools to prevent future cyberattacks in the future.
While it’s likely for the settlement to go through, final approval will be issued by a Massachusetts judge before any settlement payments can be made.
Why it matters
Lawsuits like this show the impacts of a data breach can be far-reaching and difficult to resolve. With the public increasingly aware of proper security protocols and processes, organizations must hold themselves to the highest security standard.
While breaches are becoming increasingly sophisticated, it’s every HIPAA compliant organization’s responsibility to stay ahead of the curve and continuously improve security efforts.
Related: HIPAA Compliant Email: The Definitive Guide
The big picture
Paubox continues to cover breach cases that can significantly impact healthcare organizations and patients.
ReproSource is owned by Quest, which likely made it possible to have additional legal and financial resources. Many healthcare companies are smaller and cases like these can be devastating.
Security breaches don’t just have financial impacts, but can make it difficult for hospitals to operate or continue serving patients. For some, it can even lead to closure.
Organizations should think beyond preventing and mitigating a cyber attack and develop contingency plans for continuing operations and responding to increasingly common lawsuits.
Read more: Rural Illinois hospitals set to close after ransomware attack
Abby Grifno
