Ambry Genetics has made a decision to resolve a class action lawsuit that was because of a breach of the protected health information (PHI) of 232,772 individuals. In April 2020, Ambry Genetics advised patients regarding an unauthorized person that viewed some of their PHI kept in an email account for 2 days in January 2020. Email messages and attachments included sensitive patient records for instance names, diagnoses, and other health data, with a few patients, likewise having their Social Security numbers compromised. The investigation cannot ascertain whether any details in the email account were extracted by the hackers.
A lawsuit was filed in the US District Court for the Central District of California soon after breach notifications were given that supposed Ambry Genetics was unable to apply reasonable safety measures to secure patient information and hadn’t adopted industry recommendations for cybersecurity and, as a direct effect of those problems, the PHI of patients was jeopardized. The lawsuit additionally mentioned the late sending of notification letters to affected persons. The HIPAA Breach Notification Rule calls for HIPAA-covered entities to send notification letters in 60 days from the identification of a security breach. However, it took more or less 4 months to send notification letters. The lawsuit in addition charged breach of contract, breach of privacy, and state privacy and business laws violations.
The lawsuit was terminated, corrected, and refiled on many times within the last 2 years, with the newest complaint submitted in December 2021. The settlement was recommended to avert more legal expenses and the uncertainty of trial. It is supposed to totally settle, discharge, and pay back all claims filed by the plaintiffs and class members. Ambry Genetics did not confess to any wrongdoing and didn’t accept any responsibility for the data breach.
With the stipulations of the settlement, Ambry Genetics has decided to put up a $12.25 million funding, $2.25 million of that will take care of the expenses of notifications, management expenses, and 3 years of credit monitoring and identity theft protection services given to the class members.
Persons impacted by the data breach are going to be allowed to send claims as much as $10,000 for compensation of documented out-of-pocket expenditures accrued because of the data breach, approximately 10 hours of recorded time at $30 an hour, and around 3 hours of ‘default time’ at $30 per hour. People who reside in California or Illinois during the data breach can claim a $150 reimbursement, along with any other claims, to take care of likely breaches of the California Confidentiality of Medical Information Act and the Illinois Genetic Information Privacy Act. Class reps will be eligible to claim a service award of $2,500.
Aside from the settlement, Ambry Genetics mentioned it has expended above $800,000 on sending breach notification letters and buying credit monitoring services, with those charges likely growing to $1.4 million. Ambry Genetics mentioned the whole settlement amount will probably grow to over $14 million, and possibly above $20 million if all remedial actions are undertaken.
Those actions involve adjustments to its business strategies and more security actions, like giving additional security awareness training for personnel, putting warnings to external email messages, and setting more rigid prohibitions on access to patients’ PHI. Ambry Genetics has furthermore toughened vendor management and demands all vendors to get SOC-2 certification, carry out penetration tests and phishing simulations on personnel, and conduct third-party risk checks.