ReproSource Fertility Diagnostics Proposes $1.25 Million Class Action Data Breach Settlement
ReproSource Fertility Diagnostics has proposed a settlement to resolve litigation stemming from a 2021 ransomware attack that potentially resulted in the theft of the sensitive health data of up to 350,000 patients. The Marlborough, MA-based fertility testing laboratory, which is owned by Quest Diagnostics, had its network breached on August 8, 2021. The intrusion was detected on August 10 when ransomware was deployed. The forensic investigation confirmed that the parts of the network that the threat actors could access included files that contained sensitive health information.
The data exposed included names, addresses, phone numbers, email addresses, dates of birth, billing, and health information, such as CPT codes, diagnosis codes, test requisitions, and results, test reports and/or medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians, and for a limited number of individuals, Social Security numbers, financial account numbers, driver’s license numbers, passport numbers, and/or credit card numbers.
While no evidence of data exfiltration was found, data theft could not be ruled out, so ReproSource notified approximately 350,000 individuals on October 21, 2023, and was promptly sued. Two class action lawsuits were consolidated into a single lawsuit as they made similar allegations – that ReproSource was negligent by failing to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to patient data. The lawsuits alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and data breach notification and consumer protection laws in Massachusetts.
The decision was taken to settle the litigation with no admission of wrongdoing. Under the terms of the settlement, class members may submit claims for up to $3,000 to cover out-of-pocket, unreimbursed losses that are reasonably traceable to the data breach, including up to 8 hours of lost time, three years of credit monitoring services, and a $1 million identity theft insurance policy. Alternatively, class members can claim a cash payment of $50. $1.25 million has been set aside to cover claims, which will be paid pro rata if that total is reached. Class members who were California residents at the time of the breach will be entitled to an additional $50 payment.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The consolidated lawsuit also sought injunctive relief, which included major upgrades to data security to prevent similar cyberattacks and data breaches in the future. The settlement also includes the requirement for ReproSource to make significant improvements to its information security program, including enhancing its monitoring and detection tools. The settlement will need to receive final approval from a Massachusetts judge.
