Shields Health Care Agrees to $15.35 Million Settlement to Resolve Data Breach Litigation
Shields Health Care Group has negotiated a $15.35 million settlement to resolve claims stemming from a 2022 data breach that affected more than 2 million patients. Shields Health Care is a Massachusetts-based provider of ambulatory surgical center management and medical imaging services throughout New England. A security alert was triggered on March 18, 2022; it was investigated at the time and determined not to involve a HIPAA breach. Suspicious activity was then detected on March 28, 2022, and the subsequent forensic investigation confirmed unauthorized network access and data theft, determining that a threat actor had access to the network from March 7, 2022, to March 21, 2022.
Over the course of two weeks, the hackers exfiltrated sensitive data such as full names, Social Security numbers, dates of birth, contact information, provider information, billing information, insurance information, medical record numbers, diagnoses, and treatment information. More than 50 facility partners were affected by the breach. Notification letters started to be issued to the affected individuals on a rolling basis from July 25, 2022, and the notification process continued for several months. On April 19, 2023, the total number of affected individuals was confirmed. The HHS’ Office for Civil Rights Breach Portal now indicates that the protected health information of 2,380,483 individuals was compromised in the incident, although the lawsuit places the total figure as 2,382,578 affected individuals.
A data breach of this scale was certain to result in class action lawsuits, and several were filed in the days and weeks after notification letters were issued. Those lawsuits – Kossifos, et al., v. Shields Health Care Group, Inc., Johnson et al. v. Shields Health Care Group, Inc., and Biscan et al. v. Shields Health Care Group, Inc. – were consolidated into a single lawsuit, In Re Shields Health Group, Inc. Data Breach Litigation, which was heard in the U.S. District Court for the District of Massachusetts.
The lawsuit asserted several claims against Shields Health, including negligence for failing to implement reasonable and appropriate data security measures, negligence per se, breach of fiduciary duty, breach of contract, unfair and deceptive business practices, and a failure to provide timely and adequate breach notifications. Shields Health denied and continues to deny any wrongdoing and liability, as well as all material allegations in the lawsuit, including claims that the plaintiffs and class members suffered damages as a result of the data breach.
The decision was taken to settle the lawsuit to avoid further costs and the risks and uncertainty from continuing with the litigation. The settlement has been agreed upon by all parties involved in the lawsuit and now awaits preliminary approval from the court. The settlement covers a class of more than 2.3 million individuals who received a notification that their data had been compromised in the incident, with the exception of Massachusetts residents, who are covered by a separate lawsuit pending in Massachusetts state court.
Under the terms of the settlement agreement, a $15,350,000 fund will be established to cover claims, legal expenses, class representative service awards, and attorneys’ fees. Attorneys’ fees will not exceed 33.33% of the settlement amount ($5,116,666.67). Class representative service awards are expected to be $2,500 per plaintiff. Class members may submit a claim for up to $2,500 to cover documented, ordinary out-of-pocket expenses incurred as a result of the data breach, including the cost of transport, phone calls, postage costs, and credit reports. Those claims may include up to 5 hours of lost time at $30 per hour as reimbursement for time spent mitigating the effects of the data breach.
In addition, class members may submit a claim for up to $25,000 for extraordinary losses fairly traceable to the data breach. Extraordinary losses may include losses related to fraud, identity theft, and other misuses of personal information. As with ordinary losses, these must be documented and not already reimbursed. Claims for extraordinary losses may include up to 20 hours of lost time at $30 per hour. If a class member submits claims for both ordinary and extraordinary losses, the combined claim is subject to the $25,000 cap and the 20-hour limit on lost time.
Alternatively, class members may submit a claim for a $50 cash payment, which will be paid pro rata after claims and costs, expenses, service awards, and attorneys’ fees have been deducted from the settlement fund. The settlement also includes a commitment to implement enhanced data security measures. If approved by the court, class members will be notified about the settlement within 30 days, will be given the opportunity to object to or opt out of the settlement, and will have 75 days to file a claim. Class counsel in the litigation consists of Lori G. Feldman of George Feldman McDonald PLLC, Kelly Iverson of Lynch Carpenter, LLP, and John Yanchunis of the Morgan & Morgan Complex Litigation Group.