Florida Orthopaedic Institute has offered to pay $4 million to settle claims from patients impacted by a data breach in 2020. In April 2020, Musculoskeletal Institute, doing business as Florida Orthopaedic Institute, found that an unauthorized third party had gained access to a server storing patients’ protected health information (PHI) and had used ransomware to encrypt files.
The forensic investigation confirmed that the PHI of 640,000 persons was exposed and may have been stolen during the attack. The affected PHI included names, contact details, dates of birth, Social Security numbers, medical insurance data, medical data, and other types of information. The institute sent notifications to the affected persons in July 2020 and offered them a one-year membership to a credit monitoring service.
Soon after the notifications were mailed, the Stoll et al. v. Musculoskeletal Institute lawsuit was filed in the U.S. District Court for the Middle District of Florida. The lawsuit alleged that Florida Orthopaedic Institute had been careless or negligent in protecting patients’ privacy and had not adopted standard cybersecurity recommendations. The lawsuit also claimed intrusion of privacy, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violation of Florida’s Deceptive and Unfair Trade Practices Act.
The lawsuit claimed that cybercriminals now possess the sensitive PHI of patients. Patients now face a significant threat of identity theft and fraud. Florida Orthopaedic Institute did not admit any wrongdoing but decided to settle the lawsuit to avoid mounting legal expenses and the uncertainty of a trial.
Under the terms of the proposed settlement, current and former patients who received notifications about the data breach can file a claim for a cash payment of up to $15,000 to cover out-of-pocket expenses, and for up to 5 hours of time spent dealing with the data breach at $25 per hour.
Attorneys contended that a one-year credit monitoring membership was not enough. All persons impacted by the data breach can now receive 3 years of identity theft protection, identity restoration services, and credit monitoring, regardless of whether they submitted a claim. Parents or guardians of those under 18 impacted by the data breach are eligible to enroll their affected children in these services for 3 years if the children are under 18 at the time of the settlement. These services include $1,000,000 of identity theft insurance coverage. The services retail for about $196 per person.
All claims should be filed on or before September 16, 2022. The final hearing for the approval of the settlement is on September 29, 2022.