National Board of Examiners in Optometry Agrees to Settle 2016 Data Breach Lawsuit for $3.25 Million

Share this article on:

A settlement has been reached to resolve a class action lawsuit filed on behalf of victims of an alleged data breach at the National Board of Examiners in Optometry (NBEO) in 2016.

In the summer of 2016, hackers gained access to the sensitive information of optometrists and students, although it is unclear how the hackers obtained sensitive information and what database or system was hacked.

Breach investigations did not uncover any evidence of unauthorized access to any databases containing sensitive credentials. The American Optometric Association (AOA), American Academy of Optometry (AAO) and NBEO all investigated the breach and claimed, and still do, that they were not the source of the breach.

A breach certainly occurred as several optometrists and students had received Chase Amazon Visa credit cards in the mail that they had not applied for and many had credit card applications pending.

Following the breach, legal action was taken by 13 doctors of optometry who claimed the targeted information was still available. The cases were consolidated, but were thrown out as the breach could not be traced to NBEO and any allegations of harm were deemed speculative. However, the 4th Circuit U.S. Court of Appeals overturned the ruling of the lower court and allowed the case to proceed, ruling that it was “plausible and likely” that NBEO was the source of the breach and that it was clear that personal information had been misused.

NBEO still disputes it was the source of the breach but has now agreed to settle the case and will make $3.25 million available to compensate the 61,000 victims of the breach. Individuals eligible for a proportion of the settlement include those whose personal information was stored by NBEO in its systems as of November 15, 2018 along with individuals who have received notification that they have been named as class members.

The settlement will provide reimbursement for documented, out-of-pocket expenses traceable to the data breach, associated professional/legal fees, and the costs of credit repair services and other charges incurred after June 1, 2016 in relation to the breach. Claims will be considered up to a maximum of $7,500.

Claims can also be submitted for reimbursement for the time spent remedying issues related to the breach, up to a maximum of $1,000 per class member.

All breach victims will be entitled to three years of three-bureau credit monitoring services at no cost and free access to identity theft restoration services, all of which will be provided through Identity Guard. Victims will also be protected by a $1,000,000 insurance policy to cover losses due to identity theft and fraud.

NBEO has also agreed to overhaul its data security measures and will be retaining a third-party security firm to conduct a risk assessment of data security, encryption will be used on personal information, and the board will no longer store Social Security numbers in its database.

The settlement has received preliminary approval and the final hearing is scheduled for July 12, 2019.

Author: HIPAA Journal

Share This Post On