Magellan Health has settled a class action lawsuit brought on behalf of approximately 273,000 patients whose protected health information was exposed in a data breach in 2019. The health care company has agreed to establish a fund of $1.43 million to cover claims made by affected individuals.
In May 2019, Magellan Health discovered that it had suffered a phishing attack resulting in the unauthorized disclosure of sensitive patient information. The threat actors had gained access to company emails with attachments that contained personal patient information such as full names, Social Security numbers, and health information. After the individuals whose information was exposed were notified of the incident, a lawsuit was promptly filed in the Arizona Superior Court against Magellan Health Inc. and Magellan Rx Management, LLC.
In the lawsuit, the plaintiffs claimed that the defendants failed to implement adequate cybersecurity safeguards to prevent access to the sensitive patient data. They asserted that, had the safeguards been put in place prior to the attack, the exposure of information would have been prevented. The plaintiffs alleged that Magellan’s failure to implement the appropriate security measures was a violation of HIPAA and state laws. Additionally, the plaintiffs had concerns about the manner in which Magellan Health handled the data breach and the delay in notifying the affected parties. The phishing attack took place in May 2019, was discovered in July 2019, and letters informing those impacted did not reach them until November 2019, six months after the incident. The plaintiffs claimed that they could have taken actions to safeguard themselves if notifications had been made earlier.
Despite no admission of wrongdoing or liability, Magellan Health agreed to settle the class action lawsuit due to the uncertainty of trial and ongoing legal costs. The settlement stipulates that $1.43 million will be made available to pay class members’ claims. All members of the class are eligible to file claims for up to $225 to cover standard out-of-pocket expenditures including the price of credit reports, phone calls, and internet usage, as well as up to two hours of missed time at the rate of $15 per hour. Class members who have spent money on credit monitoring and fraud resolution may also be eligible to get reimbursement for those expenses.