Datavant Group to Pay $900,000 to Settle Class Action Data Breach Lawsuit
A settlement has been agreed to resolve a class action lawsuit against Ciox Health, which does business as Datavant Group, an Arizona-based health IT company, over a May 2024 email-related data breach.
Suspicious activity was identified within an employee’s email account on May 9, 2024. The forensic investigation confirmed that an unauthorized individual had access to the account between May 8 and May 9, 2024. Access to the account was gained after an employee responded to a phishing email. The breach was reported to the HHS’ Office for Civil Rights as affecting 320,702 individuals. Data potentially compromised in the incident included names, dates of birth, addresses, contact information, Social Security numbers, financial account information, driver’s license numbers, passport numbers, and health information.
A lawsuit was filed in response to the data breach – Jackson v. Ciox Health, LLC d/b/a Datavant Group – in the United States District Court for the District of Arizona. The lawsuit alleged that the defendant failed to implement sufficient security measures to protect patients’ sensitive information. The lawsuit alleged that the failure amounted to negligence and that the defendant had violated the Illinois Consumer Fraud and Deceptive Business Practices Act.
As is common in class action data breach lawsuits, the parties explored the possibility of an early resolution to the lawsuit to avoid the costs and risks associated with continuing with the litigation. An appropriate settlement was agreed upon by all parties, and the settlement has received preliminary approval from the court. Datavant Group has agreed to pay $900,000 to resolve the lawsuit. The settlement fund will be used to pay attorneys’ fees and expenses, service awards for the class representatives, settlement administration and notification costs, and benefits for the class members. While the OCR breach portal states that more than 320,000 individuals were affected, the class consists of 58,309 individuals.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Class members may submit a claim for up to $5,000 as reimbursement for documented, unreimbursed losses incurred as a result of the data breach. Alternatively, a claim may be submitted for a one-time pro rata cash payment. The amount of each cash payment will depend on the number of valid claims received. In addition to one of those benefits, class members may also enroll in one year of expanded identity theft protection and fraud monitoring services. The deadline for objection and exclusion is July 20, 2026. Claims must be submitted by August 18, 2026, and the final fairness hearing has been scheduled for September 4, 2026.
