Med-Data, a business associate responsible for handling health insurance claims data, has reached a $7 million settlement in a class action lawsuit following a data leak incident reported by independent researcher Jelle Ursem and DataBreaches.net in April 2021. The incident involved the unauthorized posting of patient information on GitHub by one of Med-Data’s employees in 2018 and 2019.
The settlement, announced by Top Class Actions, resolves claims that Med-Data failed to promptly notify affected individuals once it became aware of the leak. Attempts at responsible disclosure initially faced obstacles, with Med-Data reportedly blocking communication attempts by the researcher and failing to respond to inquiries from DataBreaches.net. However, intervention by legal counsel eventually prompted Med-Data to address the issue seriously.
The exposed data included sensitive patient information such as names, addresses, dates of birth, Social Security numbers, diagnoses, medical procedure codes, and health insurance policy numbers. Despite efforts to mitigate the impact of the leak, some data may have been archived in the Arctic Code Vault, presenting additional challenges for cleanup efforts.
The incident, reported to the Department of Health and Human Services (HHS) in April 2021, affected 135,908 patients according to MedData’s disclosure to HHS. In response, MedData implemented additional safeguards to protect patient data, notified affected individuals and the media, and posted substitute notices on its website.
The settlement, applicable to the case M.S., et al. v. Med-Data Inc., Case No. 4:22-cv-00187, underscores the legal consequences of mishandling sensitive health information and the importance of proactive data security measures. Despite previous litigation dismissals due to plaintiffs’ lack of standing, the settlement represents a significant step towards accountability and restitution for affected individuals.