Massachusetts Fertility Test Center Reaches $1.25M Data Breach Settlement

January 18, 2024 - Massachusetts-based ReproSource Fertility Diagnostics reached a $1.25 million settlement to resolve claims of negligence tied to a 2021 data breach. ReproSource, which was acquired by Quest Diagnostics in 2018, suffered a ransomware attack in August 2021 that impacted 350,000 individuals.

ReproSource discovered unauthorized activity within its systems and cut off network connection activity immediately. However, threat actors were able to view patient information.

The breach exposed names, email addresses, CPT codes, diagnosis codes, health insurance billing information, physician information, and dates of birth to threat actors. For some individuals, Social Security numbers, passport numbers, and financial account numbers were also impacted.

ReproSource did not notify impacted individuals of the breach until October 2021, months after it was discovered. The notice assured patients that ReproSource had contained the incident, notified law enforcement, and implemented additional security safeguards.

The notification was quickly followed by multiple class action complaints, which were later consolidated. The plaintiffs alleged that ReproSource was negligent by failing to safeguard patient information from threat actors, especially considering the frequent cyberattacks against healthcare organizations.

What’s more, the plaintiffs took issue with ReproSource’s delayed notification. HIPAA requires covered entities to notify impacted individuals of a protected health information (PHI) breach within 60 days of discovery.

ReproSource denied the allegations but agreed to the $1.25 million settlement, which will go toward approved claims, administrative expenses, and service awards. Class members may submit a claim of up to $3,000 to reimburse them for out-of-pocket losses, the settlement agreement stated. This amount will also cover the costs necessary to freeze credit reports and to pay attorneys’ fees.

The settlement agreement also noted that ReproSource had adopted additional data security measures at its own expense, including enhancing its cybersecurity by implementing monitoring and detection tools to protect against ransomware.

Other notable recent healthcare data breach settlements include an agreement reached between plaintiffs and Novant Health. The North Carolina-based health system reported a breach after it discovered that the third-party tracking tools it was using were transmitting information back to the tech companies that created them. Novant Health agreed to pay $6.6 million to settle the class action lawsuit.