Healthcare , Industry Specific , Legislation & Litigation
Fertility Test Lab Will Pay $1.25M to Settle Breach Lawsuit
ReproSource Also Agrees to Beef Up Security in Wake of 2021 Ransomware AttackA fertility testing laboratory has agreed to improve its data security practices and pay up to $1.25 million to settle a consolidated class action lawsuit filed in the wake of a 2021 ransomware attack that compromised sensitive health information of about 350,000 patients.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
A Massachusetts federal court preliminarily approved the proposed settlement on Wednesday. The proposed class action litigation, which consolidated two similar lawsuits against Marlborough, Massachusetts-based ReproSource Fertility Diagnostics, had alleged negligence, violations of Massachusetts data breach reporting and other state laws, and an array of other claims involving the data security incident.
The lawsuit sought punitive and other financial damages as well as n injunctive order for the fertility testing laboratory to improve its data security practices.
Besides a settlement fund of $1.25 million for payments to class members and plaintiffs, the agreement calls for ReproSource to implement a long list of data security improvements. One is that the company, at its own expense, will strengthen its monitoring and detection tools as safeguards against ransomware and other cyberthreats.
ReproSource in its 2021 breach notice about the incident said an "unauthorized party" had accessed the company's network on Aug. 8, 2021, and that the firm had discovered ransomware on the morning of Aug.10, 2021.
"In less than an hour we severed all network connection activity and contained the incident," the company said.
ReproSource said in its notice that its investigation did not confirm whether threat actors had acquired data in the incident. But the incident compromised a wide range of patient information.
The data includes names, addresses, phone numbers, email addresses, birthdates, and billing and health information, such as CPT codes, diagnosis codes, test requisitions and results, test reports, medical history information, health insurance identification names and numbers, and other information provided by individuals or by treating physicians.
For some individuals, other information compromised may include driver's license numbers, passport numbers, Social Security numbers, financial account numbers, and credit card numbers, according to the ReproSource breach notice.
The consolidated lawsuit alleges that plaintiffs and class members were not notified of the data breach until Oct. 21, 2021.
"There has been no assurance offered by ReproSource that all personal data or copies of data have been recovered or destroyed," the lawsuit alleges. Plaintiffs would not have paid to have their fertility tests conducted by ReproSource if they had known their highly sensitive information would be maintained "using inadequate data security systems," it says.
ReproSource is an independent unit of national testing laboratory Quest Diagnostics, which acquired the company in 2018. Quest submitted an 8K filing to the U.S. Securities and Exchange Commission about the incident in October 2021.
Neither ReproSource nor Quest immediately responded to Information Security Media Group's requests for comment about the settlement.
Attorneys representing the plaintiffs and class members in the consolidated lawsuit also did not immediately respond to ISMG's request for comment.
Settlement Terms
Under the settlement, class members can submit claims for reimbursement of up to $3,000 for out-of-pocket losses stemming from the data breach, including up to eight hours of lost time, three years of credit monitoring and $1 million identity theft insurance, or a $50 settlement payment from the settlement's cash fund.
Class members who choose the $50 settlement payment are not entitled to select the other benefits. Residents of California may be entitled to an additional $50 payment.
The three plaintiffs in the lawsuit will each receive a $2,500 service award under the proposed settlement.
Regulatory attorney Cory Brennan of the law firm Taft Law, which is not involved in the ReproSource litigation, said the settlement in the case reflects a growing trend, especially as it involves highly sensitive health data, such as information pertaining to reproductive healthcare.
"In 2023, we saw the obstacle course of data breach litigation, federal regulatory action and state data privacy laws become increasingly complex and difficult for companies handling sensitive consumer information - including health information - to navigate," she said.
This week the Federal Trade Commission issued "a groundbreaking ban" on the sale of individuals' medical location and other sensitive location data to third parties, Brennan said (see: Breach Roundup: FTC Bans Data Broker From Sharing Locations).
In its complaint against data broker X-Mode Social and its successor Outlogic, the FTC said the location data collected by the companies could be used to track consumers who have visited women's reproductive health clinics and as a result, may have had or contemplated having sensitive medical procedures such as an abortion or in vitro fertilization.
"Of course, the sensitive nature of the information involved in the ReproSource breach - and many other data breaches being litigated right now - likely contributed to the parties reaching a settlement," Brennan said.
"However, any company involved in this type of litigation just has to look around to see how the industry is responding to these issues, and it becomes quite clear that neither plaintiffs nor federal and state regulators are backing down from this fight.
"It sends a clear message to companies involved in the collection and processing of sensitive consumer data that investing the time and resources necessary to ensure compliance with all applicable privacy laws and the implementation of sufficient safeguards to protect consumer data could not be more important - and will likely save the company money in the long run."