San Diego Family Care Agrees to $1 Million Settlement to Resolve Class Action Data Breach Lawsuit

San Diego Family Care, a Californian provider of medical, dental, & mental health services, has agreed to settle a class action lawsuit filed by patients affected by a data breach in 2020.

The data breach that sparked the lawsuit was announced by the healthcare provider in May 2021 and was reported to the HHS’ Office for Civil Rights (OCR) as affecting 125,500 patients, although the total was later revised to 154,513 patients. The compromised data included names, Social Security numbers, government identification numbers, financial account numbers, dates of birth, medical diagnosis or treatment information, health insurance information, and client identification numbers.

The security breach occurred in December 2020 at a technology provider and business associate, Netgain Technologies, and involved ransomware. Netgain Technologies reportedly paid a $2.3 million ransom for the keys to decrypt data and prevent any further disclosures of data. San Diego Family Care was one of several healthcare providers to have data compromised in the attack.

After notifying the affected individuals, two class action lawsuits were filed against San Diego Family Care over the data breach. While the ransomware attack was not conducted on San Diego Family Care, plaintiffs in the lawsuits alleged that San Diego Family Care had failed to protect patient information, had not implemented sufficient data security measures, and did not issue notification letters promptly. Netgain Technologies notified San Diego Family Care about the data breach in January 2021, but the notification letters were not sent to affected individuals until May.

San Diego Family Care has not accepted any wrongdoing and accepts no liability for the data breach but did agree to settle the lawsuit. The proposed settlement will see a fund of $1,000,000 created to cover claims from affected individuals. Claims may be submitted for a base payment of up to $100 per person, up to $1,000 for ordinary out-of-pocket expenses, and up to $5,000 for extraordinary out-of-pocket expenses.

Proof of losses and expenses should be submitted with claims, such as evidence of fraudulent charges, payments for credit monitoring services, and other expenses. Individuals will also be provided with complimentary identity theft protection services, the codes for activating those services will be sent to individuals who submit a claim. Valid claims must be submitted by July 15, 2022, and the final approval hearing for the settlement is scheduled for July 29, 2022.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.