Maxim Healthcare Reaches Settlement Over 2021 Data Breach Case

The company, which admitted the 2021 data breach had impacted over 28K, has agreed to pay victims up to $5K, covering extraordinary costs.

Maxim Healthcare has reached a monetary agreement to settle claims that it failed to protect the personal health information of about 28,000 patients impacted in a 2021 data breach.

According to a November 2021 breach notice, the healthcare company said it became aware of unusual activity on December 4, 2020, and later discovered that some employee email accounts were accessed between October 1 and December 4.

The compromised data ranged from names, birth dates, and addresses to medical histories, diagnosis codes, patient account details, and even Medicare and Medicaid numbers. For some individuals, Social Security numbers were exposed.

The suit, filed in 2022 against Maxim Healthcare, asserted that the healthcare company had inadequate data security controls and failed to employ appropriate measures to protect patient data.

At the time of the breach, the healthcare company stated that it had “instituted additional security protocols, including implementation of Multi-Factor Authentication for all email accounts, and transitioned to a new Security Operations Center with advanced detection and response capabilities.”

The plaintiff believes that Maxim Healthcare's tardiness in implementing basic, industry-standard security measures indicates a previous lack of proper cybersecurity protection. This lack of protection, they argue, left patients vulnerable to malicious cyber actors before the data breach.

The class action lawsuit also stated that the data breach victims entrusted their private information with the expectation of confidentiality and security. They believed that their data would not be shared or disclosed without their consent.

Furthermore, Maxim Healthcare delayed notifying impacted patients and regulatory authorities for nearly a year, thereby breaching its legal obligations under the HIPAA Breach Notification Rule.

In the lawsuit, the plaintiff alleged that “there were no measures taken by Defendant to determine the scope of the breach or to restore the reasonable integrity of their computer systems, which justify Defendant’s decision to wait 335 days before beginning to issue the notification.”

While the total settlement amount was not disclosed, the proposed agreement suggests that victims could receive up to $5,000 each. This compensation would cover expenses related to the breach, including up to three hours of lost time reimbursed at $20 per hour.

Those who were California residents between October 1, 2020, and December 4, 2020, are entitled to an additional flat monetary benefit of around $100, which can be added to their claim for reimbursement of extraordinary expenses.

Additionally, all class members are eligible for 12 months of free identity theft protection services, regardless of whether they submit a claim.

The company denied all charges of wrongdoing and acknowledged in its settlement deal that pursuing the litigation further would be costly.
