Florida Orthopaedic Institute reached a $4 million settlement with the 647,000 patients affected by a server hack and subsequent ransomware attack in 2020. The data theft incident was the fifth-largest healthcare data breach that year.
The proposed settlement will resolve claims that the security incident was caused by FOI’s failure to adhere to industry security standards, as well as violations of the Health Insurance Portability and Accountability Act (HIPAA) and failure to notify impacted patients in a timely manner.
First reported to patients on July 1, 2020, a ransomware attack deployed against FOI on April 1, 2020, encrypted the data stored on its servers. The malware was discovered that same day, leading administrators to quickly secure the system.
However, the subsequent investigation revealed protected health information was possibly exfiltrated and/or accessed ahead of the cyberattack. The stolen data varied by patient, but may have included Social Security numbers, dates of birth, contact details, claims histories, insurance plan identification, diagnosis codes, provider locations, and other sensitive data.
A lawsuit against FOI was swiftly filed by several of the impacted patients, making a range of allegations against the Florida provider. FOI was accused of failing to properly secure PHI as required by HIPAA, negligence, invasion of privacy, breach of implied contract, unjust enrichment, and a host of other legal claims.
“In deliberate disregard to the fact that the stolen sensitive, unprotected information was readily viewable by unauthorized third parties, [FOI] downplayed the seriousness of the incident,” according to the suit. “And further downplayed the seriousness by stating ‘we immediately began an internal investigation to secure our environment and restore impacted data.’”
“These representations are just simple boilerplate language pulled off a common template, clearly evidencing Defendant’s lack of concern for the seriousness of the data disclosure,” it continued.
The patients were requesting an order to compel FOI to “fully and accurately disclose the nature” of the exposed data and mandate FOI adopt “reasonably sufficient” security safeguards, as well as provide impacted patients with a lifetime of identity theft protective services.
The lawsuit does not contain evidence of specific harm, just that the breach victims were now at an increased risk of identity theft and “will continue to spend significant time and money in the future to protect themselves due to [FOI]’s failures.”
Under the settlement, impacted patients are eligible to receive up to $15,000 for out-of-pocket losses, in addition to up to five hours of attested time at $25 an hour, three years of identity theft protection services, monitoring services for minors, and eligibility to access fraud assistance and identity restoration services. In total, these services will cost FOI $1.2 million.
FOI has also agreed to pay attorneys’ fees. However, the settlement is not an admission of guilt. The provider “consistently denied the allegations and made clear that it would vigorously defend this case through trial as needed.”
A final hearing to approve the settlement is scheduled for September.
FOI joins a growing, and concerning, trend of healthcare data breach lawsuits. In May, BakerHostetler data confirmed that lawsuits filed against providers in the wake of a breach report are on the rise. In some instances, providers may face multiple legal filings, at both the state and federal level.
The report confirmed that the ongoing “duplicative litigation trend” has created a race to file in court, while raising the cost of initial litigation defense and overall settlement fees due to the sheer number of plaintiffs’ attorneys involved. Soon after a breach is reported, law firms will often set up investigations to find impacted patients.
“It takes $49 to file a complaint in any court. It’s a low threshold to get into the court system,” BakerHostetler Partner Lynn Sessions previously told SC Media. “What we find with these types of lawsuits, is that [the attorneys] find at least one person to serve as a member of the class.”