fertility test

Fertility Center Offers $1.25 Million to Settle Data Breach

A class action lawsuit from patients of ReproSource Fertility Diagnostics, a Massachusetts-based fertility center, is nearing settlement. ReproSource was acquired by Quest Diagnostics in 2018 and offers fertility diagnostic services nationwide.

A ransomware attack in August 2021 caused ReproSource to shut down its servers. According to the company’s breach notice, the attack began on August 8 but wasn’t discovered until August 10. The company started an investigation and notified law enforcement. The investigation revealed that the protected health information (PHI) of 350,000 individuals was compromised.

The patients alleged that ReproSource was negligent by failing to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to patient data. They also alleged that the breach notification was delayed unreasonably. ReproSource did not notify affected individuals of the breach until October 2021, months after it was discovered. The lawsuits also alleged the company violated the Health Insurance Portability and Accountability Act (HIPAA) and data breach notification and consumer protection laws in Massachusetts.

The breach exposed names, addresses, phone numbers, email addresses, dates of birth, billing and health information, such as CPT codes, diagnosis codes, test requisitions and results, test reports and medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians. For some individuals, personal information may have included a driver’s license, passport, Social Security, financial account, and credit card numbers.

Settlement Terms

ReproSource agreed to pay the $1.25 million settlement, which will go toward approved claims, administrative expenses, and service awards. Members of the class in the lawsuit can submit a claim of up to $3,000 for losses, including unreimbursed costs and losses associated with identity fraud, credit freezes and mitigation, professional fees related to the case, and lost time. 

The company is not admitting wrongdoing as part of the settlement. However, the settlement requires the company to enhance its cybersecurity defenses to prevent future cyberattacks.  

Lawsuits are Enforcing HIPAA

This is the latest in a long string of class action lawsuits from patients against healthcare providers alleging negligence in protecting privacy. Last week, we wrote about a $6.6 million settlement by Novant Health for using web trackers that disclosed private information to third parties. Other recent examples include Kroger PharmacyPH Tech, Johns Hopkins, Accellion, and One Brooklyn Health.

You can reduce exposure to lawsuits by strengthening cybersecurity defenses and following the HIPAA Security Rule. Conduct an annual Risk Analysis and follow a Risk Management plan year-round.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Use | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

Office
8820 Ladue Road Suite 200
St. Louis, MO 63124

Powered by JEMSU