CarePro Settles Class Action Data Breach Lawsuit for $1.3 Million

Iowa-based healthcare company CarePro Health Services has decided to settle a class action lawsuit for $1.3 million. The lawsuit stems from a November 2023 cyberattack that resulted in a data breach impacting approximately 151,499 people.

HIPAA-covered CarePro identified the cyberattack on November 16, 2023. Unauthorized persons remotely gained access to a system that stored unencrypted patient data. They exfiltrated files containing patients’ protected health information (PHI) before the attack was discovered and blocked. The breached data included names, contact details, birth dates, state ID numbers/driver’s license numbers, Social Security numbers, financial account data, and medical data. The affected persons were provided free credit monitoring and identity theft protection services.

After notification letters were mailed to the affected individuals, CarePro patient Brandi Bell filed a lawsuit, personally and on behalf of similarly situated individuals. Brandie Keegan soon filed another lawsuit, personally and on behalf of her minor child and similarly situated individuals. The lawsuits were combined into one, Bell et al. v. C.R. Pharmacy Services, Inc. d/b/a CarePro Health Services, filed in the Iowa District Court for Linn County.

According to the lawsuit, the plaintiffs sustained injuries because of the data breach, including lost or diminished value of personal data, violation of privacy, loss of benefit of the bargain, and lost time and opportunity costs. Cybercriminals still hold the plaintiffs’ and class members’ personal data and PHI, putting them at a greater risk of identity theft and fraud.

The plaintiffs assert that the data breach could have been avoided, but the defendant did not employ sufficient and proper cybersecurity measures to secure patient information and kept patient data carelessly. The lawsuit stated claims of breach of implied contract, negligence, negligence per se, violation of privacy, unjust enrichment, breach of fiduciary duty, violation of privacy-intrusion upon seclusion, breach of confidence, and violations of the Iowa Personal Information Security Breach Protection Act and the Iowa Consumer Fraud Act.

CarePro does not admit to any wrongdoing or liability and does not agree with the claims and arguments in the lawsuit. All parties decided that the lawsuit, trial, and any connected appeals would probably be prolonged and costly and would entail risks and uncertainties. Thus, CarePro decided to resolve the litigation. Negotiations took several months before the parties reached a settlement agreeable to all.

The settlement provides three benefits for class members, which will be paid from a $1,300,000 settlement fund after deducting lawyers’ fees and expenses, settlement management expenses, and class representative service awards.

Class members may file a claim for reimbursement of up to $5,000 each for documented, unreimbursed losses resulting from the data breach. In addition to or in place of a claim for reimbursement of losses, class members may opt for a pro rata cash payment, likely to be $100 each. The cash payment will be adjusted upward or downward based on the number of legitimate claims received.

All class members are likewise eligible for three-bureau credit monitoring, identity theft protection, and dark web monitoring services for two years. The cost of the credit monitoring services will be subtracted from the settlement fund before the cash payments are computed. The last day for exemption from, or for excluding oneself from, the settlement is December 3, 2025. Claims should be filed by December 3, 2025. The final fairness hearing is scheduled for January 23, 2025.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone