A class action lawsuit from patients of ReproSource Fertility Diagnostics, a Massachusetts-based fertility center, is nearing settlement. ReproSource was acquired by Quest Diagnostics in 2018 and offers fertility diagnostic services nationwide.
A ransomware attack in August 2021 caused ReproSource to shut down its servers. According to the company’s breach notice, the attack began on August 8 but wasn’t discovered until August 10. The company started an investigation and notified law enforcement. The investigation revealed that the protected health information (PHI) of 350,000 individuals was compromised.
The patients alleged that ReproSource was negligent by failing to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to patient data. They also alleged that the breach notification was delayed unreasonably. ReproSource did not notify affected individuals of the breach until October 2021, months after it was discovered. The lawsuits also alleged the company violated the Health Insurance Portability and Accountability Act (HIPAA) and data breach notification and consumer protection laws in Massachusetts.
The breach exposed names, addresses, phone numbers, email addresses, dates of birth, billing and health information, such as CPT codes, diagnosis codes, test requisitions and results, test reports and medical history information, health insurance or group plan identification names and numbers, and other information provided by individuals or by treating physicians. For some individuals, personal information may have included a driver’s license, passport, Social Security, financial account, and credit card numbers.
ReproSource agreed to pay the $1.25 million settlement, which will go toward approved claims, administrative expenses, and service awards. Members of the class in the lawsuit can submit a claim of up to $3,000 for losses, including unreimbursed costs and losses associated with identity fraud, credit freezes and mitigation, professional fees related to the case, and lost time.
The company is not admitting wrongdoing as part of the settlement. However, the settlement requires the company to enhance its cybersecurity defenses to prevent future cyberattacks.
Lawsuits are Enforcing HIPAA
This is the latest in a long string of class action lawsuits from patients against healthcare providers alleging negligence in protecting privacy. Last week, we wrote about a $6.6 million settlement by Novant Health for using web trackers that disclosed private information to third parties. Other recent examples include Kroger Pharmacy, PH Tech, Johns Hopkins, Accellion, and One Brooklyn Health.