A $3 million settlement was proposed to resolve a lawsuit filed after a December 2020 breach of the Dental Care Alliance. (Navy)

A $3 million proposed settlement has been reached in a breach lawsuit filed against Dental Care Alliance after its December 2020 report of a monthslong system hack that led to the access of data tied to more than 1 million patients and employees.

The monetary agreement will cover documented losses for the impacted individuals and requirements for DCA to strengthen its security measures.

DCA is a support vendor with over 300 affiliated practices in 20 states. The lawsuit stems from a mid-December 2020 notice informing hundreds of DCA clients that some of their patient data was accessed during an undetected cyberattack launched between Sept. 18. 2020, and Oct. 11, 2020, when it was discovered.

The subsequent investigation determined that during the dwell time, the attacker was able to access confidential files, including patient data, such as names, contact details, treatments, diagnoses, patient account numbers, dentist names, billing details, and health insurance data.

Bank account numbers were compromised for just 10% of the impacted patients. The DCA breach was the second-largest reported in 2020.

Filed in January 2021 in the State Court of Fulton County Georgia, the lawsuit claimed DCA’s failed monitoring and inadequate security enabled the unauthorized access to patient health information.

DCA was accused of negligence and reckless behavior for failing to properly maintain and safeguard its systems and infrastructure, in addition to failing to properly monitor its systems for existing intrusions, upgrade its security, implement proper cybersecurity hardware and software, and adequately train employees.

The patients claimed they were now facing an increased risk of fraud and identity theft. DCA filed a motion to dismiss the case in April 2021, arguing there was a lack of standing because of a lack of “cognizable injury of fact,” or “any facts tracing her purported injury to DCA.” The patients responded by adding more impacted individuals to the lawsuit.

After another failed attempt to dismiss the case later in 2021, the parties agreed to mediate a settlement. An agreement was reached in November 2021, with mediation continuing to work out the minute details.

The settlement is divided into two subclasses, by whether the individual saw their financial or government data compromised during the incident. Impacted patients will need to file a claim in order to receive reimbursement for financial losses incurred as a result of the breach.

Individuals are eligible to receive up to $2,000 for all documented losses and up to two hours of time spent responding to the incident. Those with financial data impacted may be eligible to receive another $3,000 for documented losses tied to breach response. The settlement also includes two-years of identity theft protection for all impacted parties.

The security enhancements DCA is required to implement as part of the agreement were not shared. But it’s the second proposed healthcare data breach lawsuit settlement to include required security improvements in the last month. BJC Healthcare is required to spend up to $2.7 million on multi-factor authentication for email access to reduce the risk of phishing, the cause of its March 2018 breach impacting 288,000 patients.