Solara Medical Supplies Faces $5M Proposed Settlement After Data Breach

The proposed settlement would require Solara Medical Supplies to pay $5 million in light of a months-long 2019 data breach that impacted 114,000 individuals.

By Jill McKeon

A proposed settlement would require Solara Medical Supplies to pay $5 million and perform remedial security measures after a 2019 data breach that impacted 114,000 individuals. Judge Marilyn L. Huff from the US District Court for the Southern District of California preliminarily approved the deal, and the final hearing is set for September 12, 2022.

In November 2019, the California-based medical supply vendor began notifying patients that their data was potentially compromised after some employee email accounts were breached for several months between April and June.

The breach exposed names, Social Security numbers, birth dates, billing information, insurance information, driver’s license numbers, and medical information. Solara Medical Supplies denied all wrongdoing, and the settlement does not qualify as an admission of guilt.

Plaintiffs alleged that Solara failed to notify patients of the breach in a timely manner and failed to disclose that the company did not have adequate security practices to safeguard patient information.

If approved, each class member who files a claim will receive $100 in a cash payment. If money remains in the settlement fund after the first distribution, class members will receive supplemental funds at a maximum of $1,000 total.

In addition to the monetary penalties, the settlement stated that Solara would have to undergo an American Institute of Certified Public Accountants (AICPA) System and Organization Controls for Service Organizations 2 (SOC 2) Type 2 audit in 2022, to be repeated each year until Solara passes.

In addition, Solara will have to engage a third party to perform a HIPAA IT assessment and undergo at least one cyber incident response test per year starting in 2022. The settlement also requires Solara to implement staff security and privacy training at least twice per year and engage a company to perform phishing and vulnerability testing at least twice per year. Solara would also be required to deploy a Security Information and Event Management (SIEM) tool.

As healthcare data breaches increase, lawsuits are following suit. Law firm BakerHostetler’s latest data security incident report showed an increase in duplicative lawsuits, often resulting in steep defense and settlement costs.

BakerHostetler analyzed more than 1,200 data security incidents from 2021 that its Digital Assets and Data Management Practice Group members helped clients manage.

The incidents spanned a variety of sectors, but the results showed that healthcare was the most impacted industry, with 23 percent of the analyzed incidents affecting the sector. The firm predicted that this trend would increase into 2022.