Harvard Pilgrim Health Care to Pay $16 Million to Settle Data Breach Litigation
Harvard Pilgrim Health Care and its parent company Point32Health have agreed to a $16 million settlement to resolve claims related to a 2023 ransomware attack that affected approximately 3 million patients.
In 2023, hackers gained access to systems containing the protected health information of 2,967,396 health plan members. Ransomware was used to encrypt files after a significant volume of data was exfiltrated from its systems. That data included names, contact information, dates of birth, medical histories, diagnosis and treatment information, Social Security numbers, and other sensitive data. The forensic investigation confirmed that the hacking group had access to its systems between March 28, 2023, and April 17, 2023. Notification letters started to be issued to the affected individuals on a rolling basis starting on May 24, 2023; however, the notification process continued until at least June 2024 as further individuals were determined to have been affected.
Several class action lawsuits were proposed in response to the data breach against Point32Health and Harvard Pilgrim Health Care, which were consolidated into a single complaint in the U.S. District Court for the District of Massachusetts as they were based on the same facts and asserted similar claims. The plaintiffs claimed the defendants “intentionally, willfully, recklessly, or negligently” maintained the sensitive data of their health plan customers, and that those actions amounted to negligence. The lawsuits claim that as a direct result of that negligence, hackers were able to steal class members’ data, placing them at an imminent and ongoing risk of harm, including but not limited to identity theft and fraud. In addition to negligence, the lawsuits asserted claims of breach of implied contract, breach of fiduciary duty, and unjust enrichment.
Following arm’s length negotiations and a full-day mediation, a settlement was agreed that delivers tangible and immediate benefits to all settlement class members, with neither defendant admitting to any wrongdoing or liability. The settlement class consists of 2,967,396 individuals, all of whom are entitled to benefits. Under the terms of the settlement, a cash fund of $16 million will be created to pay for approved claims, alternative cash payments, credit monitoring services, notice and administrative expenses, service awards for class representatives, and attorneys’ fees and expenses. The settlement agreement has been designed to exhaust the entire settlement fund.
Class members are entitled to submit claims for up to $2,500 for compensation for documented, unreimbursed out-of-pocket expenses incurred as a result of the ransomware attack; up to 7 hours of lost time at $30 per hour; “fairly traceable” extraordinary losses up to $35,000; and two years of credit monitoring services. If no claims are submitted, class members may instead choose a cash payment of $150.
The deadline for opting out of and objecting to the settlement will be 60 days after the yet-to-be-set notice deadline, and the claims deadline will be 90 days from the notice deadline. The final approval hearing will be scheduled at least 90 days after all notices are mailed or 14 days after the claims deadline, whichever is later.