Specialty Networks Settles Class Action Data Breach Lawsuit for $2.6 Million
Specialty Networks LLC, a Cardinal Health company that provides radiology information systems and PPS analytics to urology, gastroenterology, and rheumatology practices to improve patient outcomes, has agreed to settle a class action lawsuit stemming from a 2023 data breach. The data breach was reported to the HHS’ Office for Civil Rights (OCR) as affecting 411,037 individuals.
The Chattanooga, TN-based firm announced on August 15, 2024, that hackers had access to its network from December 11, 2023, to December 18, 2023, and exfiltrated files containing sensitive patient data. The stolen data included names, dates of birth, driver’s license numbers, Social Security numbers, medical record numbers, treatment and condition information, diagnoses, medications, and health insurance information.
Six class action lawsuits were filed against Specialty Networks, LLC, and Prime Imaging, LLC in response to the data breach. The lawsuits were materially and substantively similar, had overlapping claims, and were based on the same facts; therefore, they were consolidated into a single action – Smith et al. v. Specialty Networks et al. – in the U.S. District Court for the Eastern District of Tennessee at Chattanooga. The plaintiffs alleged negligence, breach of fiduciary duty, breach of third-party beneficiary contract, unjust enrichment, and invasion of privacy.
Soon after the consolidated class action lawsuit was filed, all parties began discussing a potential settlement and scheduled mediation on February 3, 2025. Mediation was successful, and an agreement in principle was reached on a settlement. The terms have now been agreed, and the settlement has received preliminary approval from the court.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Under the terms of the settlement, the defendants will establish a $2.6 million settlement fund that includes three types of benefits for class members. Class members consist of the 395,866 individuals who were notified about the data breach by mail and 12,234 individuals who did not have adequate address information and were notified via a substitute breach notice.
Class members are entitled to three years of credit monitoring and identity theft services, which include a $1 million fraud insurance policy. Class members may also submit a claim for reimbursement of documented losses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, individuals not wishing to submit a claim for reimbursement of losses may choose to receive a cash payment, which is estimated to be $100. The cash payments may be higher or lower depending on the number of valid claims received and will be paid pro rata. The cash payments will exhaust the settlement fund.
The settlement also includes injunctive relief. The defendants have agreed to make adjustments to their cybersecurity practices over the next three years, and those investments have been valued at $300,000 over that period. Benefits will be paid from the settlement fund once attorneys’ fees, expenses, class representative awards, and settlement administration costs have been deducted. Attorneys’ fees will be up to one-third of the settlement fund, and class representative awards will be $2,500 per named plaintiff. The plaintiffs and class were represented by J. Gerard Stranch, IV and Grayson Wells of Stranch, Jennings & Garvey, PLLC.
