MedData, a Spring, TX-based revenue cycle management firm, recently settled a class action lawsuit for $7 million following the exposure of personal and health information belonging to 136,000 individuals on a public-facing website.
The inadvertent data exposure occurred between December 2018 and September 2019 when a MedData employee uploaded the data to personal folders on GitHub Arctic Code Vault, a public-facing part of the GitHub website. The exposed data remained unprotected for over a year until a security researcher notified MedData about the breach on December 10, 2020. The files were subsequently removed from GitHub on December 17, 2020.
This settlement concludes the last remaining class action lawsuit against MedData related to the data breach, with four previous lawsuits having been dismissed. Under the terms of the settlement, class members have two payment options. They can claim documented, unreimbursed out-of-pocket expenses related to the breach up to $5,000 per class member, or they can claim up to $500 for minimal affirmative action in response to being notified about the breach. Additionally, all class members are eligible for 36 months of health data and fraud monitoring services at no cost, including a $1 million identity theft insurance policy.
As part of the settlement, MedData is required to implement and maintain an enhanced cybersecurity program. This program includes robust monitoring and auditing for data security issues, annual cybersecurity testing, employee training on data privacy, data encryption, enhanced access controls, annual penetration testing, a data deletion policy, and a monitored internal whistleblowing mechanism. The company’s board must also consider appropriate cybersecurity spending annually and regularly update internal security policies and procedures.
