Harvard Pilgrim Health Care and Point32Health, its parent company, have decided to pay $16 million to settle claims associated with a ransomware attack in 2023 that impacted roughly 3 million individuals.
In 2023, hackers accessed systems that contained the protected health information (PHI) of 2,967,396 health plan members. After exfiltrating data, the hackers used ransomware to encrypt files. The stolen information included names, contact details, Social Security numbers, birth dates, medical histories, diagnosis and treatment details, and other sensitive information. Based on the forensic investigation, the hacking group had access to the company’s systems from March 28, 2023 to April 17, 2023. The healthcare provider, in compliance with HIPAA breach notification rules, began sending notification letters to the affected individuals on May 24, 2023. The notification process continued until June 2024 as additional individuals were confirmed to have been affected.
Multiple class action lawsuits were filed against Point32Health and Harvard Pilgrim Health Care as a result of the data breach. Because they rested on similar facts and made similar claims, the lawsuits were consolidated into a single action in the U.S. District Court for the District of Massachusetts. According to the plaintiffs, the defendants deliberately, willfully, negligently, or recklessly mismanaged the sensitive information of their health plan members. The lawsuits claim that, as a result of that negligence, hackers stole class members’ information, placing them at an imminent and continuing risk of harm, including but not limited to identity theft and fraud. In addition to negligence, the lawsuits asserted claims of breach of fiduciary duty, breach of implied contract, and unjust enrichment.
After negotiations and mediation, the provider agreed to a settlement that provides concrete and prompt benefits to settlement class members, although the defendants did not admit any liability or wrongdoing. The settlement class consists of 2,967,396 persons, all of whom are eligible to receive benefits. The terms of the settlement require the creation of a $16 million cash fund to cover approved claims, credit monitoring services, alternative cash payments, service awards for class representatives, notice and administration costs, and attorneys’ fees and expenses. The settlement agreement is structured so that the entire settlement fund is distributed.
Class members can claim up to $2,500 for documented, unreimbursed out-of-pocket costs incurred as a result of the ransomware attack; up to $35,000 for fairly traceable extraordinary costs; approximately 7 hours of lost time compensated at $30 per hour; and two years of credit monitoring services. Class members who do not submit any of these claims may instead opt to receive a $150 cash payment.
The deadline for opting out of or objecting to the settlement is 60 days after the notice deadline. Claims may be filed until 90 days after the notice deadline. The final approval hearing is scheduled for about 90 days after all notices are mailed, or 14 days after the claims deadline.