Med-Data Inc., a revenue cycle management services provider based in Spring, TX, has reached a $7 million settlement to address all claims arising from a data breach spanning from 2018 to 2019, affecting around 136,000 individuals. Between December 2018 and September 2019, an internal audit revealed that an employee of Med-Data, a revenue cycle management services provider based in Spring, TX, had improperly transferred patient data onto GitHub, a widely used public software development hosting platform. This data, which was intended to be kept confidential, found its way into personal folders within GitHub’s Arctic Code Vault, a long-term storage repository. The files contained an extensive collection of protected health information (PHI) belonging to patients of several Med-Data clients, representing a large breach of privacy and security protocols. The compromised data included highly sensitive personal details such as individuals’ full names, residential addresses, dates of birth, Social Security numbers, specific diagnoses, medical conditions, detailed claims information, dates of service, unique subscriber IDs, medical procedure codes, provider names, and comprehensive health insurance policy numbers. This comprehensive dataset, including a large set of confidential medical and personal information, presenting a concerning risk to the affected individuals’ privacy and security.
Med-Data took immediate action to rectify the situation upon discovering the unauthorized data exposure. The company immediately initiated an internal investigation to determine the scope and severity of the breach, working to identify all impacted individuals and affected data sets. Med-Data subsequently removed the illicitly uploaded files from GitHub, aiming to mitigate any further unauthorized access or potential misuse of the compromised information. Recognizing the severity of the situation and the potential harm to affected individuals, Med-Data proactively engaged in remediation efforts to address the fallout from the breach. The company extended comprehensive support to impacted patients, offering complimentary credit monitoring services and identity theft protection measures to safeguard their financial and personal information from misuse or exploitation. This proactive approach sought to mitigate the adverse impact of the breach on the affected individuals and demonstrate Med-Data’s commitment to addressing the breach responsibly and ethically.
A subsequent lawsuit alleged that Med-Data had failed to sufficiently safeguard the sensitive data entrusted to it by clients and had delayed in notifying affected parties upon discovering the breach. Opting to settle the lawsuit, Med-Data’s settlement has received preliminary approval from the court. The settlement structure comprises two tiers: the first tier permits affected individuals to claim reimbursement of up to $5,000 for documented, unreimbursed losses incurred due to the breach, covering expenses like bank fees, credit costs, communication charges, up to five hours of lost time at $25 per hour, and losses attributable to identity theft or medical identity theft. Alternatively, class members can opt for the second tier, offering a cash payment of up to $500 to cover time spent responding to the breach, including activities like monitoring credit reports, enrolling in credit monitoring services, changing passwords, and other related tasks. Claims will be distributed proportionately based on the number of claims submitted. Irrespective of the chosen tier, class members are entitled to a 3-year membership to a health data and fraud monitoring service called Medical Shield Premium, inclusive of a $1 million identity theft insurance policy provided by Pango. Class members have until April 26, 2024, to voice objections or exclude themselves from the settlement, and the final approval hearing is scheduled for September 11, 2024.
