Lawsuits and Proposed Settlements of Data Breach Lawsuits in Early 2023

$3 Million Settlement Offered to Resolve 20/20 Eye Care Network Data Breach Lawsuit

iCare Acquisitions has offered to pay $3 million to settle claims from victims of a 2021 data breach that impacted roughly 3.3 million health plan members of 20/20 Hearing Care Network and 20/20 Eye Care Network.

iCare Acquisitions detected a security breach in January 2021 upon noticing suspicious activity in its AWS cloud storage account. It was confirmed by the forensic investigation that attackers accessed its AWS S3 storage buckets, downloaded their contents, then deleted the files in the buckets. The account contained the protected health information (PHI) of health plan members, such as names, birth dates, member ID numbers, Social Security numbers, and medical insurance data.

Because of the nature of the attack, the company could not determine which health plan members were affected by the breach and the scope of stolen data. Thus, notification letters had been mailed to the 3,253,822 persons possibly impacted by the breach in May 2021. The company also offered free credit monitoring and identity theft protection services. The cause of the breach was insider wrongdoing, resulting in the exposure of plan members’ data online.

The Desue, et al. v. 20/20 Eye Care Network Inc., et al. lawsuit had been filed in the U.S District Court for the Southern District of Florida. The lawsuit alleged that the data breach happened because of the failure of 2020/ Eye Care Network and iCare Acquisitions to carry out reasonable and proper cybersecurity procedures. There was a failure to adhere to HIPAA requirements as well as industry-standard cybersecurity guidelines. The lawsuit likewise argued the amount of time it took to send breach notifications to victims. The notices were sent over 3 months after discovering the data breach.

The plaintiff states that right after getting the data breach notification, her credit card had been fraudulently used for purchases online. She also encountered a lot of voice phishing calls, and she discovered that her mail was changed to another address.

20/20 Eye Care Network and iCare Acquisitions did not admit any wrongdoing and did not accept any responsibility for the data breach. The defendants proposed this settlement to avoid ongoing legal expenses and the concern of trial. As per the stipulations of the settlement, the defendants will create a fund of $3,000,000 to pay for claims from victims of the data breach.

Claims shall be paid after deducting the legal fees from the settlement amount and will be paid pro rata according to the number of filed claims. Class members are eligible to file claims of as much as $2,500 to recuperate out-of-pocket expenses, which include about 10 hours of lost time valued at $25 an hour. Those who had recorded losses due to identity theft and fraud that were not yet refunded will be eligible to claim for up to at most $5,000 of losses, up to a combined maximum of $600,000. Victims also will receive three years of credit monitoring services, or otherwise claim for a cash payment instead of those services.

The last day for objecting to or not joining the settlement is on April 3, 2023. Claimants should submit the requirements by May 1, 2023. The schedule of final approval hearing is on June 22, 2023.

Umass Memorial Health Offers $1.2 Million to Settle Data Breach Lawsuit

Umass Memorial Health has submitted a $1.2 million settlement proposal in the hopes of resolving a class action lawsuit that was filed by victims of a hacking incident and data breach in 2020.

Cyber attackers acquired access to the email environment of Umass Memorial Health from June 24, 2020 to January 7, 2021 due to a phishing attack. The breached email accounts held patient names, driver’s license numbers, Social Security numbers, financial account details, medical record numbers, medical insurance details, and clinical or treatment data.

Umass Memorial Health send notification letters to affected persons in October 2021 and offered free credit monitoring and identity theft protection services to those who had their Social Security numbers exposed. There were more or less 3,000 Massachusetts residents affected. The breach report submitted to the HHS Office for Civil Rights indicates that 209,048 persons were affected.

The Kesner, et al. v. UMass Memorial Health Care Inc. lawsuit alleged that Umass Memorial Health did not use proper security measures to keep patient data safe and did not send timely notifications. Umass Memorial Health opted to negotiate the lawsuit to avoid even more legal expenses and steer clear of the uncertainty of trial. Umass Memorial Health has not admitted to any wrongdoing.

The terms of the settlement entitle class members to file claims for reimbursement of ordinary expenditures as much as $150. Claims for bank charges, communications costs, and as much as three hours of lost time worth $25 an hour may be included. Eligible victims may also submit claims for extraordinary losses of as much as $5,000, which may include recorded, unreimbursed charges of fraud and identity theft. UMass Memorial Health Care will also provide class members with two years of credit monitoring services. Class members not wanting to claim the benefits can receive a $40 cash payment instead of the benefits.

The last day to object to the settlement is March 15, 2023. Benefits claims or cash payments should be filed by April 14, 2023. The schedule of final approval hearing is on May 23, 2023.

Electromed’s Proposed $825,000 Settlement of its Class Action Data Breach

The medical device company Electromed has offered a $850,000 settlement to pay for claims associated with a ransomware attack and data breach in June 2021 affecting the PHI of 47,200 persons. Electromed detected the attack and blocked it on June 16, 2021. According to the forensic investigation, the attacker accessed and potentially stole the files, which included the first and last names of customers, mailing addresses, medical data, and medical insurance data. The financial account data, Social Security numbers, and driver’s license numbers of associates impacted by the breach were exposed. Electromed sent notifications about the ransomware attack to the affected individuals in August and offered them free credit monitoring and identity theft protection services.

The Lutz, et al. v. Electromed Inc. lawsuit was filed against Electromed alleging its failure to use reasonable and proper cybersecurity standards to secure customers’ information. Electromed did not admit any wrongdoing and opted to negotiate the lawsuit to steer clear of additional legal charges and the uncertainty of trial. There will be a $850,000 settlement fund created to pay for claims for reimbursement of losses traceable to the data breach. Class members can submit claims for up to $250 for the repayment of ordinary expenditures, including bank charges, communication charges, and up to 4 hours of lost time worth $25 an hour. Eligible individuals must file claims for reimbursement of documented, not yet refunded extraordinary losses because of identity theft and fraud, as much as $5,000.

Besides any filed claims, class members will receive a $30 cash payment. California residents when the data breach happened are eligible to claim a $100 cash payment. Cash payments and claims will be paid pro rata after totaling the settlement. The last day for objection to and exemption from the settlement offer is March 2, 2023. Filing of claims is until April 1, 2023. The schedule of the settlement‘s final approval hearing is on June 5, 2023.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at