Healthcare , Industry Specific , Legislation & Litigation
600,000 Prison Inmates to Share in $6.49M Breach Settlement
CorrectCare to Settle Lawsuit After 'Inadvertently' Exposing PHI on Web for MonthsA misconfigured web server and the exposure of sensitive information for nearly 600,000 prison inmates in 2022 will cost medical claims processing company CorrectCare $6.49 million to settle a consolidated proposed class action lawsuit, according to court records.
See Also: Alleviating Compliance Pain Points in the Cloud Era
The incident affected inmates who received medical care between January 2012 and July 2022 in correctional facilities in Louisiana, Georgia, South Carolina and California, for which the firm, CorrectCare Integrated Health, provided claims processing services (see: Misconfigured Server Exposed PHI of 600,000 Inmates).
CorrectCare clients included the Louisiana Department of Public Safety and Corrections, Sacramento County Adult Correctional Health and Mediko Correctional Healthcare, a firm that provides medical and mental health services to inmates at correctional facilities. CorrectCare reported the breach to federal regulators in November 2022.
Experts say the case demonstrates that even prison inmates can succeed in class action privacy claims.
"This is a case with a different set of variables than we often see - a particularly vulnerable population that may not have realistic access to many of the typical means of protection in the event of a security breach," said privacy attorney Kirk Nahra of the law firm WilmerHale, which is not involved in the CorrectCare litigation.
"In general it is critical to ensure that security protections are substantial for this population going forward," he said.
Under the settlement agreement that a federal Kentucky court finalized on Sept. 17, class members who submitted eligible claims can receive up to $10,000 each for unreimbursed out-of-pocket losses that are "fairly traceable" to the data breach.
That includes bank fees, certain phone charges, credit reports, and other expenses, as well as actual fraud occurring from the time of the breach in 2022 until Aug. 27, 2024.
As an option, class members can also choose a yet-undetermined alternative cash payment based on a formula contained in the settlement agreement involving what is left of the settlement fund after other claims are paid.
Eligible class members from California also may receive an unspecified additional cash payment due to the California Consumer Privacy Act.
The five lead plaintiffs in the case will receive $2,500 service awards.
"Counsel notes that these plaintiffs exposed themselves to reputational harm by placing their names on the complaint. Not only will the public know that their data has been breached, but it will be revealed that they were incarcerated," court documents said.
Plaintiff attorneys are set to receive about $2.1 million, or about one-third of the settlement fund.
'Noteworthy' Case
While the plaintiffs and class members may be novel, some experts noted that the settlement payments appear somewhat less than often seen in other recent health data breach class action settlements.
"Class members are inmates of correctional institutions. This class action settlement gives them lower benefits than data breach victims typically receive, probably because of issues related to their status," said regulatory attorney Paul Hales of Hales Law Group, who was not involved in the CorrectCare case.
In addition potential of five-figure cash payments, some other recent multimillion dollar breach settlements involving involving third-party firms have offered credit and identity monitoring for several years to class members, as well as injunctive relief requiring the breached organization to improve its data security practices (see: Law Firm to Pay $8M to Settle Data Hack Lawsuit).
Neither provisions are included in the CorrectCare settlement.
But the CorrectCare settlement is noteworthy "because it sheds light on the American corrections industry," Hales said.
"CorrectCare is a third-party administrator for correctional facilities and a HIPAA business associate. How diligent are correctional institutions in selecting vendors to perform HIPAA-regulated services?" he said. "HIPAA security rule safeguards should detect an IT misconfiguration."
Neither attorneys representing the plaintiffs nor CorrectCare immediately responded to Information Security Media Group's requests for comment on the settlement.
The amended consolidated class action complaint filed in January 2023 against CorrectCare alleged several claims, including that the company was negligent in failing to protect the highly sensitive information of plaintiffs and class members.
"CorrectCare failed to employ security standards commonly accepted among businesses and required by security standards of businesses that store protected health information and personally identifiable information and use the internet," the lawsuit alleged.
CorrectCare in a breach notice posted in November 2022 said it became aware of the exposure of information stores on its web server to the public July 6, 2022, and that the two directories may have been exposed as early as Jan. 2, 2022.
Among inmate data exposed were full names, date of birth, Social Security numbers, California Department of Corrections and Rehabilitation numbers, and certain health information, such as a diagnosis code and current procedure terminology code.
CorrectCare blamed the incident on a misconfigured web server.
"Upon discovery of the data exposure, CorrectCare took immediate steps to remediate the exposure by securing the server in less than nine hours," the company said.