2 Orgs Reach Settlements to Resolve Healthcare Data Breach Lawsuits

20/20 Eye Care Network and Electromed each reached settlements to resolve class action lawsuits stemming from healthcare data breaches.

By Jill McKeon

iCare Acquisition, the parent company of 20/20 Eye Care Network and 20/20 Hearing Care Network, agreed to a $3 million settlement to resolve a healthcare data breach lawsuit.

In January 2021, 20/20 discovered suspicious activity within its cloud storage environment and launched an investigation. The breach potentially exposed names, Social Security numbers, member identification numbers, health insurance information, and dates of birth.

In its initial breach notice, 20/20 stated that it had taken numerous steps to prevent future breaches, including “reporting the incident to law enforcement and cooperating fully with their investigation, immediately resetting all passwords, and beginning a robust review of existing policies and procedures to improve security for the future.”

A class action lawsuit filed after the incident alleged that 20/20 “failed to implement adequate, reasonable, and industry-mandated cyber-security procedures and protocols to protect the PII and PHI of Plaintiffs and Class Members.”

One plaintiff allegedly experienced at least four suspicious inquiries on her credit report and claimed that an unknown third party applied for a personal loan in her name.

20/20 denied any wrongdoing but agreed to a $3 million settlement. If approved, settlement class members will be eligible to receive up to $2,500 in reimbursement for out-of-pocket losses and up to 10 hours of lost time at a rate of $25 per hour. Those who experienced actual identity fraud may be eligible for up to $5,000.

Electromed Agrees to $825K Settlement After Breach

Minnesota-based company Electromed reached an $825,000 settlement to resolve a lawsuit following a June 2021 ransomware attack and data breach.

“On June 16, 2021, we determined that an unauthorized third party gained access to a limited number of our files,” Electromed said in its initial breach notification. “Upon discovery, we immediately initiated an investigation and hired third-party cybersecurity experts to assist in investigating the source and scope of the unauthorized activity, and to further secure our systems. Law enforcement was also notified.” 

The breach impacted 47,000 individuals and involved names, medical information, health insurance information, addresses, Social Security numbers, and financial account information.

The plaintiffs alleged claims of negligence as well as violations of the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act.

Electromed denied any wrongdoing and chose to settle the lawsuit. If approved, class members will be eligible to receive up to $250 for ordinary losses and up to $5,000 for extraordinary losses, as well as up to four hours of lost time at a rate of $25 per hour.