HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Solara Medical Supplies Proposes $5 Million Settlement to Resolve Class Action Data Breach Lawsuit

A preliminary settlement has recently been approved by a California Federal court to resolve a consolidated class action lawsuit against Solara Medical Supplies.

Solara Medical Supplies is a Chula Vista, California-based direct-to-consumer provider of medical devices and disposable medical products and a registered pharmacy. On June 28, 2019, Solara Medical identified suspicious activity in an employee email account. The subsequent investigation confirmed unauthorized individuals had gained access to multiple Office 365 email accounts between April 2, 2019, and June 20, 2019, as a result of employees responding to phishing emails.

The forensic investigation confirmed that the sensitive information of 114,007 of its customers had been exposed and potentially stolen, including names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and financial information. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months.

Four class action lawsuits were filed on behalf of the affected customers, and those lawsuits were consolidated into a single lawsuit. Solara Medical proposed the settlement to resolve the lawsuit and avoid ongoing legal costs, but denied any wrongdoing. The settlement dismisses the lawsuit with prejudice and does not constitute any admission of fault, wrongdoing, or liability.

Under the terms of the settlement, Solara Medical has agreed to pay $5,060,000 to cover claims from the plaintiffs and class members and will take steps to improve data security to prevent further security breaches. The six plaintiffs named in the lawsuits will be paid $4,000 each, and all class members who file timely claims will receive $100, plus a pro rata payment of up to $1,000 if any funds remain in the fund after the $100 cash payments have been made. The settlement amount includes $2.3 million in attorneys’ fees. If any funds remain, they will be donated to the Juvenile Diabetes Research Foundation.

For the next two years, Solara Medical will undergo a SOC 2 Type 2 audit, which will be repeated until it is passed, engage an independent third party to perform a HIPAA IT assessment, conduct at least one cybersecurity incident response test a year, and undergo third-party phishing and external-facing vulnerability tests at least twice a year. Solara Medical will also implement a security information and event management (SIEM) tool with a 400-day lookback on activity logs. Improved versions of the remedial actions or the same actions will be conducted to new industry standards for the subsequent three years.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.