American HomePatient’s proposal to settle for $1 million a class-action lawsuit filed on behalf of the 2017 data breach victims has gotten initial approval.
The data breach which led to the filing of the lawsuit transpired on January 6, 2017. There was a break-in the Delaware offices of American HomePatient. The thieves took a number of computers. The unencrypted hard drives contained sensitive data including names, addresses, birth dates, Social Security numbers, financial data, AHOM account details, diagnosis codes, and treatment data of 13,000 present and past patients and clients of American HomePatient and Lincare Holdings Inc.
After the data breach, a class action lawsuit was submitted on behalf of breach victims who alleged that American HomePatient’s negligence was behind its failure to encrypt sensitive information. Because of that, the thieves have easily accessed their sensitive data. The lawsuit additionally mentioned the following allegations: invasion of privacy, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and the state Unfair and Deceptive Trade Practices Act violation.
According to the conditions of the settlement, American HomePatient is going to give cash and non-monetary relief to class members in the following aspects: Free credit monitoring services for one year, up to $150 repayment for identity theft protection services, $350 payment for fake tax returns submitted with the IRS after January 6, 2017, identity theft payment of $350, $150 payment for the request of unauthorized IRS tax transcripts from the IRS after January 6, 2017, and repayment for expenditures sustained as a consequence of the breach amounting to as much as $500 for out-of-pocket expenditures and about 3 hours income at $15 per hour.
Plaintiffs could file a claim for registration in the Equifax Credit Watch Silver program, however, they need to submit documents proving their claims per category. Class members can file their claims until June 6, 2020. The final hearing schedule is on June 26, 2020.
Aside from the cash settlement, American HomePatient also agreed to employ security procedures for two years which include running a third-party HIPAA risk assessment every two years and yearly risk analysis. American HomePatient will also have an IT leader to manage the security plan for two years and will give regular employee HIPAA training on data security and safeguarding personally identifiable information.