Ambry Genetics has reached a $12.25 million settlement with the 232,772 patients affected by a two-day hack of its email system in January 2020. The lawsuit claimed the incident was a “direct result” of the clinical genomic diagnostics vendor’s inadequate cybersecurity protocols.
The proposed monetary settlement provides financial restitution for the affected patients and includes spending for Ambry Genetics to implement a number of updated security measures.
The lawsuit stems from an email incident first reported by the vendor in April 2020, where an attacker gained access to a single employee email account. The account contained patient names, medical information, diagnoses, and details into the services provided by Ambry. Social Security numbers were involved for a smaller subset of patients.
The investigation could not verify whether the actor accessed or exfiltrated the data. However, the hack occurred during a period of heightened targeting of healthcare providers during the pandemic, particularly COVID-19 research firms.
The impacted patients quickly filed a lawsuit, arguing that if Ambry remedied the known gaps in its data security and adopted industry best practices, the email intrusion and subsequent data leak could have been prevented.
Outside of the alleged questionable security, the patients also take issue with the lack of timely notification. The notice was indeed sent about two months outside of the 60-day requirement outlined in the Health Insurance Portability and Accountability Act. Ambry was also accused of not providing patients with adequate credit monitoring after the incident.
For the last two years, the involved parties have looked for an amenable agreement with multiple near-dismissals. The proposed terms aim to “fully, finally, and forever resolve, discharge, and settle” these claims.
Given the facts, applicable law, and “taking into account the burden and expense of such continued litigation … and the fair, cost-effective and assured method of resolving the claims, [the parties] believe resolution is appropriate … and reasonable means of ensuring [patients] are afforded important benefits and protections as expediently as possible,” according to the suit.
Under the terms, Ambry Genetics will deposit $12.25 million into a settlement fund. Of those funds, $2.25 million will cover costs of the notice plan, administrative expenses, and cost to provide victims with three years of credit monitoring and identity theft insurance services.
Individuals are also eligible to receive up to $10,000 to reimburse for out-of-pocket costs upon providing reasonable documentation. Patients can receive refunds for up to $30 an hour for up to 10 hours of documented time spent responding to the breach with proof of those actions, or another three hours of “default time” expended to remedy issues tied to the incident.
Certain “subclass” members in Illinois and California will also receive a check for about $150 to resolve possible violations of the California Confidentiality of Medical Information Act and the Illinois Genetic Information Privacy Act.
According to the suit, Ambry Genetics has spent an estimated $1.4 million on the initial breach notice, investigation, and other security measures.
The vendor has attested to enhancing its policies and procedures, and providing employees with training for handling health information. Ambry has also enhanced restrictions to accessing health data and “instituting prominent red-flag warnings” for externally sent emails and replacing old applications and adding additional security systems.”
Ambry has also revisited its vendor management, now retaining vendors that meet all “SOC 2- certification requirements, perform third-party risk assessments, penetration testing, and phish-testing emails to all employees.”
In total, the settlement may reach $14 million, making it one of the largest lawsuit resolutions in recent years despite its limited scope. For context, BJC HealthCare settled its 2020 email system hack impacting 287,873 patients over the summer for $2.7 million. Most of those funds were directed to a required implementation of multi-factor authentication on BJC’s email platform.
The $5 million settlement in the Solara Medical Supplies announced in April is yet another example where the proposed funds will be directed to required annual incident response tests and other security program improvements.