Proposed $5M settlement in Solara Medical lawsuit mandates security overhaul

A proposed $5 million settlement in the data breach class-action lawsuit against Solara Medical Supplies would require the diabetes medical supply vendor to undergo annual incident response tests and make a number of improvements to its security program. 

If approved, Solara will be required to pay the settlement amount of $5.06 million and perform “specified remedial measures for a minimum of the next two years and ‘perform either improved versions of such recommendations or the new industry standard thereafter for at least three additional years.’”

Solara continues to deny wrongdoing, and the settlement doesn’t constitute an “admission or finding of any fault, liability, wrongdoing, or damage.” A final approval hearing is scheduled on Sept. 12, 2022, in the U.S. District Court of Southern California.

The lawsuit stems from a months-long employee email system compromise, first discovered in June 2019. The California vendor did not begin notifying the 114,007 patients of the impact to their personal and health data until November 2019.

The notice was scant on details but explained that at first, it appeared that only one employee account was affected. But a follow-up investigation led by a third-party firm determined that several Solara Medical Office365 email accounts were hacked between April 2 and June 20. 

The vendor conducted a manual review of the accounts and confirmed the hacker could have accessed the patient data contained in the accounts. The data varied by patient and could include Social Security numbers, employee IDs, passports, health insurance data, state or IDs or driver’s licenses, Medicare or Medicaid IDs, birthdates, and other sensitive, personal data.

The lawsuit provides more specific details, showing the accounts held 105,681 dates of birth; 64,232 instances of billing/claims information; 92,852 instances of health insurance data; 115,747 instances of medical data; 374 financial accounts; 10,723 SSNs; 217 driver’s licenses or state IDs; and 37 financial cards; and 7,739 Medicare or Medicaid IDs; and two passport numbers.

Security training, use of SIEM in proposed Solara settlement

A number of patient-filed lawsuits soon followed the breach notice, arguing that Solara’s security failures enabled hackers “to steal everything they could possibly need to commit nearly every conceivable form of identity theft.” In fact, a number of patients provided evidence of multiple cases of fraudulent charges against their financial accounts.

Among the allegations, the lawsuits accused Solara of failing to implement reasonable security measures to secure its systems and prevent the breach, as well as failure to timely notify victims. Solara was also accused of failing to “disclose material facts that they didn’t have adequate computer systems and security practices to safeguard…” patient data.

The breach victims sought actual, statutory, and punitive damages, as well as attorney fees, costs, and expenses under the California Consumer Privacy Act and other state and medical privacy laws and regulations.

The proposed settlement includes many of those elements, as well a laundry list of security program requirements that include undergoing audits for an American Institute of Certified Public Accountants System and Organization Controls for Service Organizations Type 2, this year. These audits must be repeated until Solara passes the program requirements.

Beginning this year, Solara will also be required to hire an outside firm to perform an IT assessment based on requirements outlined in The Health Insurance Portability and Accountability Act and conduct at least one cyber incident response test each year. A third-party firm must also conduct tests of its phishing and external-facing vulnerabilities twice a year.

Upon approval, the vendor must also deploy an enterprise SIEM tool with a 400-day look-back on logs. Solara’s workforce will also be required to partake in periodic privacy security training at least twice a year. Solara’s compliance officer will be tasked with ensuring compliance with these remedial measures.

The monetary settlement will provide each breach victim who files a claim $100. If any funds remain in the lawsuit fund, it will be distributed to all class action members in “a pro rata supplemental distribution for a maximum of $1,000 in total cash payments.” And any remaining funds will be donated to the Juvenile Diabetes Research Foundation.

The settlement also includes “taxes and tax expenses, administration costs, any fees and expenses” to the patients’ counsel. Notably, the counsel intends to request an attorneys’ fee award of $2.3 million or 45.45% of the settlement, and reimbursements of up to $350,000.

The staggering numbers highlight the deep financial impact brought on by data breaches in healthcare.