HealthEC LCC and its clients finally reached a settlement to resolve a class action data breach lawsuit involving a hacking incident and data breach in 2023. Analytics software vendor HealthEC, based in New Jersey, provides healthcare companies with a platform to determine high-risk patients and limitations to optimal healthcare. From July 14, 2023 to July 23, 2023, hackers viewed its system and took files that contain sensitive information. The breach report was at first submitted to the HHS’ Office for Civil Rights as affecting the protected health information (PHI) of 4,452,782 people; nevertheless, the total has changed to 4,656,293 people.
HealthEC faced multiple class action lawsuits because of the data breach. Because the legal cases had similar details and made identical claims, they were combined into one lawsuit filed in the U.S. District Court in the New Jersey District. The defendants in the In Re: HealthEC, LLC Data Breach Litigation include HealthEC, LLC, Oakwood Accountable Care Organization, LLC, Corewell Health, Community Health Care Systems, and MD Valuecare, LLC.
The plaintiffs claimed that the data breach was due to the defendants’ negligence, particularly the inability to carry out acceptable and proper data security procedures, adhere to standard cybersecurity tactics, and sufficiently provide HIPAA training to workers on cybersecurity. The plaintiffs stated that HealthEC decided to prioritize profits more than its responsibility to safeguard patient information, although it is aware of potential cyberattacks on its systems.
The defendants state that they did no wrong, that they aren’t accountable to pay compensation, and that they firmly reject all claims and allegations in the lawsuit. HealthEC, Beaumont ACO, and Corewell Health submitted a motion to dismiss the case; nevertheless, the motion was administratively ended with no prejudice to let the parties show up at mediation. Although the mediation did not end with a resolution, talks carried on, and an appropriate arrangement was decided by all parties to avoid further slowdowns and expenses and to prevent the uncertainty of a trial.
As per the settlement terms, HealthEC will create a $5,482,500 settlement fund to pay for attorneys’ charges, legal expenses, class benefits, and class representative awards. Attorneys’ fees will likely be about 34% of the settlement fund or $1.8 million, class representative awards for the seven lead plaintiffs are estimated to be $2,500 each, and notice and settlement management fees are likely to be $100,000. Part of the settlement is providing three years of credit monitoring fees, which is roughly $500,000, and the rest of the settlement will pay for claims and cash payments.
Class members could file claims for compensation of documented out-of-pocket expenses and costs fairly linked to the data breach, and documented lost time up to 10 hours with a rate of $25 per hour. Class members who do not want to file a claim can opt to get a $25 cash payment. Class members may also avail of three-bureau credit monitoring services for three years, including an identity theft insurance policy and dark web monitoring.
Hon. Stacey D. Adams gave preliminary approval for the settlement. Class members can opt out or object to the settlement; nonetheless, if over 1,000 people opt out, the defendants can end the settlement agreement. No dates have been set yet for filing claims, objecting to, opting out of the settlement, and final court approval.
Image credit: Crystal, AdobeStock / ©HealthEC
