In re Anthem, Inc. Data Breach Litigation, 2018 WL 3872788 (N.D. Cal. 2018)
A federal court has approved a proposed $115 million class action settlement arising from a breach of protected health information (PHI) that was discovered in 2015 and affected more than 78 million individuals (see our Checkpoint article). The court confirmed that the technical requirements for certifying federal class action lawsuits were satisfied and concluded that the settlement would provide substantial benefits to all class members. Specifically, class members who took corrective or protective actions in response to the data breach would receive up to $10,000 each (up to $15 million in the aggregate) to reimburse out-of-pocket costs. Furthermore, all class members would receive fraud resolution services, and those submitting claims would also be entitled to credit monitoring services, including identity theft insurance, or an alternative cash payment. Class members whose personal information continues to be stored by the insurer would benefit from the insurer’s commitment to triple its annual spending on data security for the next three years and to adopt certain cybersecurity controls and reforms.
In evaluating the settlement, the court observed that data-breach litigation is in its infancy, with threshold issues such as the adequacy of security measures and measurement of damages still playing out in the courts. Thus, a trial would be lengthy and costly, with an uncertain outcome. The court also noted that implementing the settlement would ensure prompt resumption of credit monitoring for class members and fortification of the insurer’s security measures. On both an aggregate and per capita basis, the court viewed the size of the settlement as significant—referring to the parties’ assertion that the settlement would be the largest to date in a data-breach class action. Rejecting the few objections to the proposed settlement, the court emphasized that class members would receive credit monitoring for six years (longer than the period of heightened risk of identity theft cited by the class members’ expert) and that credit monitoring would be provided at no cost to class members. The court also found that the insurer adequately described its proposed cybersecurity improvements and explained that disclosing additional details would give attackers a greater opportunity to defeat the defenses, harming both the insurer and class members.
EBIA Comment: Although much of the opinion focuses on technical issues unique to class-action litigation, HIPAA covered entities and business associates will be interested in the court’s observations regarding the state of data-breach cases and adequate remedies. Breaches of personal information are particularly challenging because the information cannot generally be recovered once it has been disclosed, and it is hard to predict when—or whether—the information will be used for improper purposes. Constant vigilance is still the best policy. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXI.D.3 (“Litigation Based on State-Law Claims”) and XXV (“Breach Notification for Unsecured PHI”).
Contributing Editors: EBIA Staff.