A class action lawsuit has been settled by Ambry Genetics for $12.25 million following a data breach affecting 232,772 patients. The lawsuit stems from an incident involving unauthorized access to an employee email account over a two-day period in January 2020.
The incident was reported by Ambry Genetics to the Department of Health and Human Services’ Office for Civil Rights in April 2020. After a comprehensive forensic investigation was completed, the organization determined that the account accessed by the third party had contained information such as patient full names, medical information, diagnoses, and information detailing the services provided by Ambry to the patient. The investigation could not conclude whether the malicious actor had accessed or exfiltrated the data, but the attack occurred during a period of the pandemic in which healthcare providers were particularly targeted. Affected patients were then notified of the incident and were recommended a number of mitigations to reduce the risk.
A lawsuit was then promptly filed by the affected patients in the U.S. District Court for the Central District of California. The plaintiffs allege that Ambry Genetics had failed to implement reasonable safeguards to protect sensitive patient information and had not followed the sector’s best practices for cybersecurity. In addition, the plaintiffs contend that Ambry Genetics had not issued its notification in a timely manner. They point to the Health Insurance Portability and Accountability Act (HIPAA), which requires HIPAA-regulated entities to notify victims of a data breach within a 60-day period, which Ambry Genetics failed to do. Furthermore, the lawsuit alleges an invasion of privacy, breach of contract, and violations of state privacy and business laws. The plaintiffs state that, as a result of the organization’s negligence, they face an increased risk of identity theft and fraud.
Initially, the lawsuit had been dismissed. However, after multiple amendments and refilings over a period of two years, the lawsuit has reached a settlement. Despite no admission of liability or wrongdoing, Ambry Genetics has agreed to fully resolve, discharge, and settle all claims made by plaintiffs and class members to prevent further legal costs and because of the uncertainty of trials. Under the terms of the settlement, Ambry Genetics will establish a fund amounting to $12.25 million, $2.25 million of which will cover administrative and notification costs and provide three years of identity theft protection and credit monitoring services to class members free of charge. The organization has also promised to take a number of remedial actions, including providing further security awareness training for employees, implementing warnings on external emails, and implementing more stringent restrictions on access to patients’ protected health information.