Getty Images/iStockphoto

Acuity Agrees to Lawsuit Settlement After 100K-Impacted Data Breach

 Acuity has agreed to bolster cybersecurity and compensate up to $500 per victim to settle the lawsuit involving a healthcare data breach that exposed PHI. 

Acuity, which also operates under the name Comprehensive Health Services, reached a proposed settlement following a 2022 healthcare data breach that impacted nearly 106,910 individuals. 

Acuity is a global solutions company that specializes in providing medical management support.  

In mid-February 2022, the organization issued a notice to patients of unauthorized access to their systems occurred. The original breach notification revealed that protected health information (PHI) was compromised, including names, Social Security numbers, driver's license numbers, and financial account information of individuals. 

Following the incident, patients filed a lawsuit alleging Acuity/Comprehensive Health Services failed to adequately safeguard patient and employee information as required by HIPAA.   

While Acuity denied any misconduct, the company agreed to an out-of-court settlement on February 2, 2023, to sidestep additional litigation and related costs and inconveniences. 

 
Under the settlement terms, class members can claim up to $500 for out-of-pocket costs. Class members may also submit claims for up to three hours of lost time, at a rate of $20 per hour. 

These include bank fees, phone charges, postage, travel expenses, data charges, and expenses for credit reports or identity theft products purchased between September 30, 2020, and the settlement date. 

For those who suffered identity theft due to the breach, the settlement allows for claims up to $3,500 for documented expenses related to the theft. 

Additionally, all class members are eligible for 24 months of free identity theft protection services. 

While the lawsuit does not specify any settlement amounts, it's worth noting that settlements are a typical resolution for healthcare data breach cases, and they can result in substantial payouts. 

Along with monetary compensation, the settlement mandates Acuity to reinforce the protection of patients' personally identifiable information (PII). Since the data security incident, Acuity has enhanced its cybersecurity measures. 

As part of the agreement, Acuity must share details of these improved security measures with Class Counsel within a two-month timeframe.

Next Steps

Dig Deeper on Healthcare data breaches