EyeMed Vision Care and Maxim HealthCare Services Resolve Data Breach Lawsuit

Maxim HealthCare Services Offers to Settle Email Breach Lawsuit

Maxim HealthCare Services has offered to settle all claims arising from a 2020 cyberattack and data security breach in which unauthorized individuals accessed several employee email accounts. The email accounts were compromised between October 1, 2020, and December 4, 2020; however, the healthcare organization did not discover the unauthorized access until November 2021.

Analysis of the email accounts confirmed that they contained protected health information (PHI) such as names, addresses, birth dates, telephone numbers, provider names, medical histories, health conditions, treatment information, medical record numbers, patient account numbers, diagnosis codes, Medicaid/Medicare numbers, usernames/passwords, and some Social Security numbers. Maxim HealthCare Services reported to the HHS’ Office for Civil Rights that the breach affected 65,267 individuals.

In response to the data breach, the lawsuit Wilson, et al. v. Maxim Healthcare Services Inc. was filed in the Superior Court of the State of California, County of San Diego. It alleged that Maxim HealthCare Services failed to implement appropriate security measures to prevent unauthorized access to patient information. Maxim HealthCare Services chose to settle the lawsuit to avoid the uncertainty of a trial and further legal expenses. Maxim HealthCare Services does not admit any of the claims made in the lawsuit and maintains that there was no wrongdoing. The settlement applies to all individuals who were notified that they were affected by the breach and that their PHI was exposed.

Under the terms of the settlement, each class member may file a claim for up to $5,000 in reimbursement of extraordinary expenses incurred as a result of the data breach, including up to three hours of lost time valued at $20 an hour. Class members who were California residents between October 1, 2020, and December 4, 2020, are eligible for a fixed cash payment of approximately $100, which can be combined with a claim for reimbursement of extraordinary expenses. All class members are entitled to 12 months of complimentary identity theft protection services, whether or not they file a claim.

The deadline for objecting to or opting out of the proposed settlement is June 23, 2023. The deadline for filing claims is July 24, 2023. The final approval hearing is scheduled for July 28, 2023. Maxim HealthCare Services has implemented, or will implement, additional security measures to prevent similar incidents in the future.

EyeMed Vision Care Pays $2.5 Million to Resolve Multistate Data Breach Investigation

EyeMed Vision Care is a vision insurance company owned by the Luxottica Group PIVA. In June 2020, the company suffered a data breach affecting the PHI of 2.1 million patients. An unauthorized person gained access to an employee email account containing roughly six years of personal and medical data, including names, contact details, birth dates, vision insurance account/ID numbers, health diagnoses and conditions, treatment information, and Social Security numbers. The unauthorized party then used the email account to send around 2,000 phishing emails.

State attorneys general are authorized to investigate data breaches and can impose penalties on organizations that violate HIPAA. The state attorneys general of New Jersey, Oregon, and Florida launched a multistate investigation into the EyeMed data breach, and Pennsylvania later joined the action. The attorneys general sought to determine whether the breach was preventable and whether it resulted from non-compliance with the HIPAA Security Rule and state data protection laws.

The investigation identified data security failures that violated HIPAA and state laws. Under HIPAA and state data protection laws, entities that collect, store, or process sensitive personal and medical data must implement technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of that data. EyeMed lacked those safeguards. In particular, the investigation found that EyeMed had failed to ensure that every individual with access to PHI had a unique username and password. Several EyeMed employees were found to be sharing a single password for an email account used to communicate sensitive data, including PHI related to vision benefits enrollment and insurance coverage.

Under the terms of the settlement, EyeMed agreed to pay $2.5 million in financial penalties, to be divided among Florida, New Jersey, Oregon, and Pennsylvania. The settlement also requires EyeMed to comply with HIPAA, the state personal information protection acts, and the state consumer protection acts, and prohibits EyeMed from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of consumer data.

The data security requirements of the settlement include the development, implementation, and maintenance of a written data security program; the maintenance of reasonable policies and procedures governing the collection, use, and retention of patient data; and the maintenance of appropriate controls to manage access to all accounts that receive or transmit sensitive data. “New Jerseyans depended on EyeMed for their vision care and the company broke that trust with its poor PHI security measures. This is not only a monetary settlement, it’s also about changing companies’ conduct to better safeguard critical patient information.”

The Office of the New York Attorney General also investigated EyeMed over the data breach and reached a separate settlement in 2022 that required EyeMed to pay a $600,000 penalty. In October 2022, EyeMed and the New York Department of Financial Services (NYDFS) agreed to a $4.5 million settlement to resolve alleged violations of the NYDFS cybersecurity regulation (Part 500). The security failures cited included not restricting the email account access rights of nine employees, an incomplete rollout of multifactor authentication, deficiencies in risk assessment, the lack of an adequate data minimization strategy, and inaccurate certifications of compliance with Part 500 over four years. The settlements with NYDFS and the New York Attorney General also imposed information security requirements, which include the development and maintenance of a comprehensive data security program, encryption of data, penetration testing, and multifactor authentication for all remote access and for administrative providers.

These state HIPAA compliance investigations are separate from those of the HHS’ Office for Civil Rights (OCR), which may also impose civil monetary penalties for HIPAA violations. As of May 2023, OCR had not issued a penalty, and the incident is listed as closed on the OCR breach portal.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.