Magellan Health Settles Healthcare Data Breach Lawsuit For $1.43M
The healthcare data breach lawsuit stemmed from a 2019 phishing attack at Magellan Health that impacted 273,000 individuals.
Managed care company Magellan Health agreed to pay $1.43 million to resolve a healthcare data breach lawsuit stemming from a May 2019 phishing attack on its subsidiary, Magellan Rx Management.
The phishing attack impacted 273,000 individuals, including individuals associated with Geisinger Health Plan, McLaren Health, TennCare, Florida Blue, and Presbyterian Health. The compromised data potentially included names, Social Security numbers, member IDs, provider names, and other sensitive information.
Impacted TennCare patients filed a lawsuit against Magellan, alleging that the company failed “to abide by its obligations as a [healthcare] provider and business associate” under HIPAA. Although Magellan discovered the May 2019 breach in July, patients were not notified until November 2019.
The HIPAA Breach Notification Rule requires covered entities and business associates to disclose a protected health information (PHI) breach within 60 days of discovery (if the breach impacted more than 500 individuals).
In addition to a delayed notification, the plaintiff alleged that Magellan failed to take steps to prevent the breach from occurring and that their information was “now in the hands of thieves.”
The plaintiff alleged that, two months after the breach, she discovered that a credit card had been opened under her name without authorization.
Since the breach announcement, the original complaint stated, the plaintiff has “spent countless hours monitoring her accounts in an effort to detect and prevent any misuses of her personal information.”
Magellan denied any wrongdoing but agreed to a $1.43 million settlement. All class members are eligible to receive up to $225 for ordinary, out-of-pocket expenses, such as credit monitoring services, and up to $15 per hour to compensate for lost time spent dealing with the incident.
Class members are also eligible to receive up to $2,500 for extraordinary out-of-pocket expenses, such as documented expenses directly related to dealing with identity theft or fraud relating to the incident.
As healthcare data breaches continue to impact the sector, subsequent lawsuits are becoming more common. Due to the Supreme Court's ruling in Ramirez v. TransUnion, data breach victims must demonstrate actual injury and prove that the defendant’s conduct caused the damage in order to succeed in court.