Natali_Mis/istock via Getty Imag

US Fertility Reaches $5.75M Data Breach Settlement

US Fertility resolved a class action lawsuit following a 2020 ransomware attack and data breach that impacted nearly 900,000 individuals.

US Fertility (USF) reached a $5.75 million settlement to resolve allegations of negligence following a 2020 ransomware attack and data breach that impacted nearly 900,000 individuals. USF provides IT platforms and services to a network of more than 200 physicians across 100 clinic locations and more than two dozen IVF laboratories.

In September 2020, threat actors were able to infiltrate USF’s network and encrypt a number of servers and workstations connected to its domain. USF’s initial breach notice stated that it immediately removed systems from its network upon discovery and engaged third-party experts.

Further investigation determined that an unauthorized party had acquired a limited number of files between August 12, 2020 and September 14, 2020, when they executed the ransomware attack. The information involved in the cyberattack included names, addresses, MPI numbers, dates of birth, and some Social Security numbers.

USF said that it quickly implemented safeguards to prevent future incidents, including fortifying its firewall and adapting its employee training protocols.

By November 2021, plaintiffs had filed a consolidated class action complaint in the US District Court for the District of Maryland, alleging that USF had violated their trust as well as data security best practices.

“USF failed to take adequate and reasonable measures to ensure its computer/server systems were protected against unauthorized access and failed to take actions that could have stopped the Data Breach before it occurred,” the complaint stated.

“This is shown, in part, by the fact that the hackers were able infiltrate USF’s systems and exfiltrate data for over a month undetected. In fact, the only reason USF detected the hackers’ intrusion at all is because the hackers eventually executed a ransomware scheme that blocked USF’s access to its own system.”

Both the class representatives and USF agreed to a settlement rather than taking the risk of prolonged litigation. USF did not admit any wrongdoing by agreeing to the settlement.

All settlement class members may submit a claim for up to $15,000 to receive reimbursement for out-of-pocket losses, so long as they also submit third-party documentation supporting the loss. Class members can also submit a claim for reimbursement of time spent at a rate of $25 per hour for up to four hours.

USF also agreed to adopt updated business practices and remedial measures for at least three years following the effective date of the settlement agreement.

The court will hold a hearing in April to make a decision on settlement approval.

Next Steps

Dig Deeper on HIPAA compliance and regulation