A class action lawsuit filed against the Urology Center of Colorado has reach a settlement agreement. The lawsuit was filed against the healthcare provider in response to a data breach involving the PHI of 137,820 individuals.
Between September 7th and September 8th 2021, an unauthorized third-party had gained access to the Urology Center’s networks and potentially obtained files storing sensitive patient information. The information obtained by the malicious actors included full names, birth dates, addresses, Social Security numbers, medical record numbers, diagnoses, physician names, insurance provider names, guarantor names, and treatment cost infomation. After learning the nature of the attack and what information had been gathered through a forensic investigation, the Urology Center of Colorado issued breach notification letters to all individuals who were potential affected by the breach. In the letter, patients were notified which information had been exposed and the steps they can take to mitigate harm. Affected individuals were also offered credit monitoring and identity theft protection services for 12 months free of charge.
In response to the breach notification letters, a class action lawsuit was filed against the Urology Center of Colorado on behalf of plaintiffs Kristen Snyder, Diona Lopez, and other individuals who had their information exposed in the breach. The plaintiffs contend that the Urology Center of Colarado was negligent for failing to put in place the necessary safeguards to safeguard the privacy of patient information, such as failing to encrypt patient data, implement patches immediately to mitigate security weaknesses, assess and keep users’ account privileges, update firewalls, offer additional adequate training to employees on the procedures for handling inbound emails, and ensure adequate security practices were abided. A violation of an implied contract, a breach of fiduciary responsibility, and a violation of Colorado’s data security regulations were also claimed in the case. The plaintiffs contend they will incur costs as a result of the carelessness. The plaintiff contend that, as a result of the carelessness, they encounter a significant, increased, and imminent danger of fraud and identity theft.
Despite denying any wrongdoing, the Urology Center of Colorado has agreed to settle the class action lawsuit due to ongoing legal costs and the uncertainty of trial. The healthcare provider has agreed to compensate affected individuals for their out-of-pocket losses and lost time. All individuals who received a breach notification letter are eligible to receive compensation of up to $500 for documented losses. For specific documented monetary losses, class members can apply for up to $2,500. Class members may also apply for up to five hours of lost time spent dealing with the data incident. Additonally, identity theft protection and credit monitoring services will also be provided to class members for a further 2 years from the date of the data breach.