HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Patients’ Patience Pays Off: Class Action Payout for InSync HIPAA Breach

Two years ago a class-action lawsuit was filed against Cottage Health System after the healthcare provider – via its Business Associate (BA) InSync – suffered a serious data breach. It has been a victory for the victims – and the legal team – as Cottage Health agreed to settle the case.

Rather than fight the case in court, Cottage Health System agreed to settle and pay damages to the individuals affected by the data breach, without any finding of legal liability.

50,918 Individuals Affected by CHS/InSync Data Breach

The HIPAA security breach was discovered in December 2013, with the data of up to 32,500 individuals believed to have been exposed. The patients were those who had visited Santa Barbara Cottage Hospital, Goleta Valley Cottage Hospital or the Santa Ynez Valley Hospital between September 29, 2009 and December 2, 2013. However, the number of affected individuals was later found to be higher, and 50,918 are understood to have been affected.

The data breach was discovered when the company received a voicemail message alerting it to a file containing the PHI of patients that had been found on Google. The file was freely available on the Internet, and while it did not contain financial information or Social Security numbers, it did list names, addresses, dates of birth, laboratory test results, diagnoses, medical procedures performed, medical record numbers and account numbers.

Settlement and Patient Notifications

The case of Rice v. Insync, et al., was settled and now checks have been posted to the affected individuals. The settlement amount to be received by the affected patients was determined by dividing the remainder of a $4,125 million fund between the 50,917 settlement class members.

According to the settlement notice, placed on ricesettlement.com, the fund covers:

Settlement administration expenses, attorneys’ fees and litigation expenses, an incentive for the Class Representative, and any other related expenses which may be approved by the Court. Each Settlement Class member will share equally in the net amount of the settlement fund after deduction of such fees, expenses, and incentive.

The checks issued are for $51.11 – a total of $26,023,368, leaving $4,099 million to cover the above costs and expenses.

Breach Victims Only Have 180 Days to Cash Settlement Checks

The checks have been mailed to victims; however, many may not realize that they have been listed in a class action suit or why they are being sent a check. The bank on the check is from Dublin, Ohio, and Cottage Health System is not named, nor is the hospital where the data breach occurred. InSync is mentioned on the check, although some recipients may not be aware of who they are. The checks reference: Rice v. InSync, et al.

The victims of the breach should have received a breach notice in the past, but since they were notified more than 2 years ago, they may have forgotten about the incident. According to a report issued to KEYT News Channel 3, Cottage Health System has confirmed that the checks are genuine:

Cashing the check draws funds from the settlement payment that our insurance provider made available. That sum is already paid, regardless of whether recipients cash their checks. Cottage Health will not receive records of who cashed the checks.

The checks are not being mailed or administered by Cottage Health, but if community members have questions, the settlement administrator provided a website address in the letter that was attached to the checks. They asked that inquiries be provided to them in writing at the mailing address listed in their letter.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.