Great Expressions Dental Centers, a Michigan-based dental practice with 250 locations across nine states, has reached a preliminary settlement of $2.7 million in a consolidated class action lawsuit stemming from a data breach that affected over 1.9 million patients and employees. This settlement, which is set for final approval in a Michigan federal court on December 12, aims to provide compensation to affected individuals, particularly those whose Social Security numbers were compromised. Subclass members whose information was accessed could receive up to $500 for ordinary out-of-pocket losses, along with potential reimbursement for extraordinary losses up to $5,000. For those not directly impacted, the settlement allows claims for time spent responding to the breach.
The hacking incident, reported to the U.S. Department of Health and Human Services on May 12, 2023, involved unauthorized access to sensitive patient and employee information stored in an unencrypted, internet-accessible network. Between February 17 and 22, 2023, the attackers acquired personal identifiable information, including names, Social Security numbers, driver’s license numbers, and financial account details. The breach also affected patients’ medical and dental histories, diagnosis and treatment information, and billing records, raising significant concerns about the security practices of Great Expressions.
As part of the settlement agreement, Great Expressions has committed to enhancing its data security measures. The company plans to implement multifactor authentication, develop centralized information security protocols, and utilize a vulnerability management tool for enterprise patching. Additionally, all workstations will be encrypted to prevent future breaches. These improvements aim to strengthen the overall security framework within the organization and protect sensitive patient data moving forward.
Despite the settlement, Great Expressions denies any wrongdoing regarding the incident. The case highlights the ongoing challenges faced by healthcare organizations in safeguarding sensitive data from cyber threats. With the healthcare sector being a frequent target for hackers, the importance of robust security practices cannot be overstated. The outcomes of this case may serve as a cautionary tale for other organizations in the industry, emphasizing the necessity of stringent data protection measures and compliance with regulations to maintain patient trust and safety.
Reference:
