Ambry Genetics has agreed to settle a class action lawsuit arising from a breach of the protected health information (PHI) of 232,772 patients. In April 2020, Ambry Genetics notified patients that an unauthorized individual had accessed some of their PHI stored in an employee email account over a two-day period in January 2020. Emails and file attachments in the account contained sensitive patient information such as names, diagnoses, and other medical data, and some patients also had their Social Security numbers exposed. The investigation could not establish whether any data in the email account was actually exfiltrated by the attacker.
A lawsuit was filed in the US District Court for the Central District of California shortly after breach notifications were issued. It claimed that Ambry Genetics had failed to implement reasonable safeguards to protect patient information, had not followed industry cybersecurity guidelines, and that patient PHI was exposed as a direct result of those failures. The lawsuit also cited the delayed issuance of notification letters to affected individuals. The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notifications without unreasonable delay and no later than 60 days from the discovery of a data breach, yet it took about four months for notification letters to be sent. The lawsuit further alleged breach of contract, invasion of privacy, and violations of state privacy and business laws.
The lawsuit was dismissed, amended, and refiled several times over the past two years, with the most recent complaint filed in December 2021. The settlement was offered to avoid further legal expenses and the uncertainty of a trial. It is intended to fully resolve, discharge, and compensate all claims made by the plaintiffs and class members. Ambry Genetics did not admit any wrongdoing and accepted no liability for the data breach.
Under the terms of the settlement, Ambry Genetics will establish a $12.25 million fund, $2.25 million of which will cover the cost of notifications, administrative fees, and three years of identity theft protection and credit monitoring services for class members.
Individuals affected by the data breach will be eligible to file claims of up to $10,000 for reimbursement of documented out-of-pocket expenses incurred as a result of the breach, up to 10 hours of documented lost time at $30 per hour, and up to 3 hours of 'default time' at $30 per hour. Those who were residents of California or Illinois at the time of the breach may additionally claim a $150 payment, on top of any other claims, to settle alleged violations of the Illinois Genetic Information Privacy Act and the California Confidentiality of Medical Information Act. Class representatives may claim a $2,500 service award.
In addition to the settlement fund, Ambry Genetics said it has already spent around $800,000 on sending breach notification letters and purchasing credit monitoring services, and that those costs could rise to $1.4 million. Ambry Genetics estimated that the total cost of the settlement will likely exceed $14 million, and probably $20 million once all remedial actions have been completed.
Those actions include changes to its business processes and additional security measures, such as expanded security awareness training for employees, warning banners on emails from external senders, and stricter restrictions on access to patients' PHI. Ambry Genetics has also strengthened its vendor management, now requiring all vendors to hold SOC 2 attestation, and conducts phishing simulations against staff, penetration tests, and third-party risk assessments.