Getty Images
Ambry Genetics Reaches $12.25M Settlement Over Healthcare Data Breach
The genetics company reached a multi-million-dollar settlement following a 2020 healthcare data breach that impacted more than 200,000 individuals.
California-based Ambry Genetics reached a $12.25 million settlement to resolve a healthcare data breach lawsuit. The clinical genomic diagnostics vendor suffered a breach in January 2020 that impacted 232,772 patients.
A hacker gained access to an Ambry employee email account containing patient names, medical information, Social Security numbers, diagnosis information, health insurance information, and other sensitive information.
Ambry was unable to determine whether the hacker managed to exfiltrate any data in the email account.
Following the breach, four class action complaints arose, which were later consolidated. Plaintiffs noted that Ambry Genetics notified them of the breach in April 2020, despite HIPAA’s 60-day breach notification requirement.
The plaintiffs alleged that the breach was “a direct result” of Ambry’s failure to implement reasonable cybersecurity measures to properly safeguard protected health information (PHI).
Additionally, an original complaint alleged that the class members’ information was “now in the hands of thieves” and that they would have to spend significant amounts of time and money on mitigating risk.
The settlement agreement resolves two years of back-and-forth actions by the plaintiffs and defendant.
Ambry Genetics agreed to put $12.25 million into a settlement fund, which includes $2.25 million directed at credit monitoring and identity theft protection services. The settlement does not symbolize an admission of guilt by Ambry Genetics.
Class members are also eligible to submit claims for up to $10,000 for reimbursement of out-of-pocket costs.
Out-of-pocket costs refer to costs related to purchasing credit reports, credit monitoring, placing a freeze or alert on credit reports, identity theft protection, and costs related to retrieving medical records or replacing a Social Security number.
Additionally, class members may submit claims for up to ten hours of documented time at $30 per hour, and up to three hours of default time at $30 per hour. Default time refers to time spent by class members “attempting to remedy or remedying issues fairly traceable to the data breach.”
Illinois and California subclass members are eligible to file additional claims stemming from the California Confidentiality of Medical Information Act and the Illinois Genetic Information Privacy Act.
Data breach settlements have become more frequent as healthcare organizations seek to avoid lengthier legal proceedings. Florida Orthopaedic Institute recently reached a $4 million settlement over a 2020 data breach. BJC Healthcare agreed to put $2.7 million toward implementing email security measures under the terms of its data breach settlement, which also stemmed from a 2020 breach.