HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ambry Genetics Settles Class Action Data Breach Lawsuit for $12.25 Million

Ambry Genetics has agreed to settle a class action lawsuit that stemmed from a breach of the protected health information of 232,772 patients. In April 2020, Ambry Genetics notified patients that some of their protected health information was stored in an email account that was accessed by an unauthorized individual over a two-day period in January 2020. Emails and attachments contained sensitive patient data such as names, diagnoses, and other medical information, with a subset of patients also having their Social Security numbers exposed. The investigation was not able to determine whether any information in the email account was exfiltrated by the attackers.

A lawsuit was filed in the US District Court for the Central District of California shortly after notifications were issued that alleged Ambry Genetics had failed to implement reasonable safeguards to protect patient information and had not followed industry best practices for cybersecurity and, as a direct consequence of those failures, the protected health information of patients was compromised. The lawsuit also took issue with the delay in issuing notification letters to affected individuals.  The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notification letters within 60 days of the discovery of a data breach, but it took almost 4 months for notification letters to be issued. The lawsuit also alleged invasion of privacy, breach of contract, and violations of state privacy and business laws.

The lawsuit had been dismissed, amended, and refiled on multiple occasions over the past two years, with the latest complaint filed in December 2021. The settlement was proposed to prevent further legal costs and the uncertainty of trial, and is intended to fully resolve, discharge, and settle all claims made by the plaintiffs and class members. Ambry Genetics has not admitted to any wrongdoing and accepts no liability for the data breach.

Under the terms of the settlement, Ambry Genetics has agreed to create a $12.25 million fund, $2.25 million of which will cover the costs of notifications, administrative costs, and three years of identity theft protection and credit monitoring services to the class members.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Individuals affected by the data breach will be entitled to submit claims of up to $10,000 for reimbursement of documented out-of-pocket expenses incurred due to the data breach, up to 10 hours of documented time at $30 per hour, and up to 3 hours of ‘default time’ at $30 an hour. Individuals who were residents of California or Illinois at the time of the data breach are entitled to claim $150 compensation, in addition to any other claims, to resolve potential violations of the California Confidentiality of Medical Information Act and the Illinois Genetic Information Privacy Act. Class representatives will be entitled to claim a service award of $2,500.

In addition to the settlement, Ambry Genetics said it has spent in excess of $800,000 on issuing notifications and paying for credit monitoring services, with those costs potentially increasing to $1.4 million. Ambry Genetics said the total settlement amount is likely to increase to more than $14 million, and potentially more than $20 million when all remedial actions have been taken.

Those actions include changes to its business practices and additional security measures, including providing further security awareness training for staff members, adding warnings to external emails, and placing more stringent restrictions on access to patients’ protected health information. Ambry Genetics has also strengthened vendor management and requires all vendors to have SOC-2 certification, perform third-party risk assessments, and conduct penetration tests and phishing simulations on employees.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.