MedData Settles Class Action Data Breach Lawsuit for $7 Million
Last month, the Spring, TX-based revenue cycle management firm MedData agreed to a $7 million settlement to resolve a class action lawsuit filed following the exposure of the personal and health information of 136,000 individuals on a public-facing website.
MedData helps healthcare providers and health plans by processing Medicaid eligibility, third-party liability, workers’ compensation, and patient billing. Its clients include Memorial Hermann, Aspirus Health Plan, OSF HealthCare, and the University of Chicago Medical Center, all HIPAA-covered entities whose member and patient data was exposed by MedData.
Between December 2018 and September 2019, a MedData employee inadvertently uploaded the data to personal folders on GitHub Arctic Code Vault, which is a public-facing part of the GitHub website. The data remained there unprotected and exposed for more than a year. MedData was informed about the data exposure by a security researcher on December 10, 2020, and the files were removed from GitHub on December 17, 2020.
MedData has faced 5 class action lawsuits over the data breach, four of which have been dismissed. This amended lawsuit is the last remaining action against MedData over the data breach. Under the terms of the settlement, class members can choose one of two payment tiers. The first option allows class members to claim back documented, unreimbursed out-of-pocket expenses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, class members can claim up to $500 for “de-minimis” or minimal affirmative action in response to being notified about the data breach. Regardless of the option chosen, class members can also claim 36 months of health data and fraud monitoring services at no cost. Those services include a $1 million identity theft insurance policy.
The settlement also requires MedData to implement and maintain an enhanced cybersecurity program, which must include robust monitoring and auditing for data security issues, annual cybersecurity testing, training on data privacy for employees, data encryption, enhanced access controls, annual penetration testing, a data deletion policy, and a monitored internal whistleblowing mechanism. The board must also consider appropriate cybersecurity spending annually, and regularly update internal security policies and procedures.