
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

District of Columbia Health Benefit Exchange Authority Agrees to $1.45M Data Breach Settlement

The District of Columbia Health Benefit Exchange Authority (HBX) has agreed to settle a class action lawsuit stemming from a 2023 data breach. HBX operates the Affordable Care Act online health insurance marketplace, DC Health Link, which residents and small businesses in the District use to obtain affordable health coverage. In March 2023, HBX confirmed that the data of some DC Health Link customers had been accessed by an unauthorized individual and released on a public forum.

The data related to residents of the Washington DC area, including members of Congress and their families. HBX confirmed that 56,415 customers had their data stolen and published online, although in total, up to 170,000 individuals may have been affected. The remaining individuals were notified out of an abundance of caution. The data compromised in the incident included name, Social Security number, date of birth, gender, health plan information, employer information, and enrollee information.

Legal action was taken by victims of the data breach, who claimed that HBX failed to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to customer data, and that had those measures been implemented, the data breach could have been prevented. Several lawsuits were filed in response to the data breach, which were consolidated into a single action in the U.S. District Court for the District of Columbia: Lawless, et al. v. District of Columbia Health Benefit Exchange Authority d/b/a DC Health Link.

HBX opted to settle the lawsuit with no admission of wrongdoing or liability to avoid the risk and uncertainty associated with continuing with the litigation. The benefits provided by the settlement differ depending on which group class members fall into. Group 1 consists of individuals whose data was stolen and published online, and Group 2 consists of individuals whose data was exposed in the incident.

Class members in Group 1 may submit claims for up to $10,000 to recover unreimbursed, documented extraordinary losses, such as losses from fraud, identity theft, and false tax returns. Class members in Group 1 and Group 2 may submit claims for reimbursement of ordinary losses such as credit monitoring costs and bank fees up to a maximum of $2,500. 12 months of complimentary credit monitoring and identity restoration services can be claimed by individuals in Group 1 or Group 2. Individuals in Group 1 and Group 2 who do not wish to submit a claim may instead opt to receive a cash payment, which will be paid pro rata from the settlement amount after attorneys’ fees, legal costs, expenses, and claims have been paid. The cash payments for Group 1 members will be three times that of the cash payments for Group 2 members.

The deadline for objection to and exclusion from the settlement is February 22, 2025. The final fairness hearing is scheduled for February 21, 2025, and all claims must be received by March 28, 2025. Individuals who do not submit a claim will be deemed to have participated in the settlement but will not receive any benefits.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
