Morley Companies reached a $4.3 million settlement with the 694,000 individuals affected by its August 2021 data theft, reported to the public in February 2022. The Michigan-based third-party vendor provides process outsourcing for a range of U.S. companies, including healthcare. A little more than 521,000 patients were notified their data was stolen during a security incident.
Under the proposed settlement, breach victims may receive reimbursement for up to $2,500 for documented out-of-pocket expenses tied to the hack, a payment of up to four hours at $20 an hour for time lost responding to the incident, and up to three years of credit monitoring. The losses can be related to fraud, identity theft, and freezing or unfreezing credit.
Due to California’s strict Consumer Privacy Act, affected residents can receive a $75 cash payment.
Notably, approximately 33%, or $1.42 million of the proposed settlement will be directed to attorneys’ fees and costs. And the 15 individuals who filed the lawsuits against Morley will receive up to $1,500 each.
The settlement agreement also notes that Morley has provided assurances that it has or will take “certain reasonable steps to further secure its systems and environments and will prepare a confidential declaration detailing the same” as part of the preliminary approval.
If approved, the settlement will settle a host of allegations raised after the data exfiltration incident. Morley has continued to deny the claims raised during litigation.
While the notice from Morley did not detail how the theft occurred, the lawsuit provided details into the hack. It appears that the vendor was a target of a “ransomware-type malware” attack that possibly led to unauthorized access to customers’ and current and former employees’ data.
The initial notice only revealed that Morley found its data unavailable on Aug. 1 and worked to secure the digital environment. The subsequent investigation confirmed additional data was possibly obtained by the threat actor.
Health information and personal data were stolen during the hack, which included names, dates of birth, Social Security numbers, contact details, client identification numbers, diagnostic and treatment information, and health insurance data. The lawsuit shows driver’s licenses were also stolen during the incident.
One impacted individual filed a lawsuit against Morley in February for negligence, following its breach notice. An amended lawsuit filed in March added claims of unjust enrichment and breach of contract. The lawsuit alleges the incident was caused by a “lack of cybersecurity.”
As for the five-month delay in reporting the incident, the notice suggested it was caused by the lengthy process for collecting contact information needed to notify the affected individuals. As a healthcare business associate, Morley would be required by the Health Insurance Portability and Accountability Act to notify individuals of health data compromises within 60 days of discovery.
The lack of timely reporting was at the crux of the lawsuit filing. A total of 15 lawsuits were filed against Morley in the wake of its breach announcement, later consolidated and amended. A settlement was reached in May and the parties spent months negotiating the details.
This is the largest healthcare data breach settlement reached this month, joining at least a half a dozen others with similar results. As previously reported by SC Media, these types of breach lawsuits have become status quo, with many stakeholders concerned these suits are akin to modern day ambulance chasing.
A final hearing to approve the settlement is scheduled for April 2023.