CorrectCare Integrated Health, a medical billing, claims administration, and medical services organization that specializes in correctional facility healthcare, will pay $6.49M to settle a data breach class action lawsuit brought against it by consumers who had their personal information compromised in a 2022 data breach.
CorrectCare discovered the data breach in July 2022 and announced the breach in November 2022.
The plaintiffs claimed that CorrectCare failed to protect their personal information from hackers. They alleged that compromised information was collected during medical claims processing.
Individuals identified by CorrectCare as potentially having their data compromised could receive payments.
Under the terms of the settlement, class members with documented data breach-related losses can receive up to $10,000 in reimbursement for "bank fees, communication charges, travel expenses, professional fees, credit expenses and damages from fraud that occurred between the date of the data breach and Aug. 27, 2024." Other class members may receive an alternate cash payment, the amount of which will vary depending on the number of valid claims filed. "$6.49M CorrectCare data breach class action settlement" topclassactions.com (Jul. 12, 2024).
Commentary and Checklist
Healthcare organizations are frequent targets for cybercriminals because they collect large amounts of personal and medical information in the course of providing care. In addition, because patient safety depends on continuous operations, attackers know these organizations cannot tolerate shutdowns or other disruptions, which makes them more likely to pay a ransom.
To help prevent a data breach in your organization, it is important to implement the latest cybersecurity best practices.
The Health Sector Coordinating Council (HSCC) publishes cybersecurity objectives to guide healthcare organizations. It recommends that organizations:
- "Develop, adopt and demand safety and resilience requirements for products and services offered, from business to business, as well as health systems to patients, with the concept of secure-by-design and secure-by-default";
- "Simplify access to resources and implementation approaches related to the adoption of controls and practices aligned with regulatory and sector standards for securing devices, services, and data";
- "Increase new partnerships with public/private entities on the front edge of evaluating and responding to emerging technology issues to enable safe, secure, and faster adoption of emerging technologies";
- "Enhance health sector senior leadership and board knowledge of cybersecurity and their accountability to create a culture of security within their organizations";
- "Increase incentives, development and promotion of health care cybersecurity-focused education and certification programs";
- "Develop health subsector specific integrated cybersecurity profile aligned with regulatory requirements";
- "Develop meaningful cross-sector third-party risk management strategies for evaluating, monitoring, and responding to supply chain and third-party provider cybersecurity risks"; and
- "Increase meaningful and timely information sharing of cyber related disruptions to improve sector readiness."
"Health Industry Cybersecurity – Strategic Plan (2024–2029)" healthsectorcouncil.org (Feb. 2024).