CaptureRx, Inmediata Breaches: Proposed Settlements Reached
CaptureRx CEO Warns of Company Bankruptcy if Litigation Is Not Settled
Hefty proposed settlements have been reached in class action lawsuits involving two separate health data breaches affecting millions of individuals. The incidents involved a Texas-based administrative services vendor in 2021 and a Puerto Rico-based clearinghouse and cloud services vendor in 2019.
The proposed agreements include a $4.75 million settlement in consolidated class action litigation filed against San Antonio, Texas-based NEC Networks LLC, a healthcare technology and administrative services firm that does business as CaptureRx. The case involved a 2021 hacking incident reported as affecting 2.4 million individuals.
CaptureRx's CEO also warns in court documents that the company would likely file for bankruptcy if the class action litigation is not settled.
The other proposed agreement is a $1.1 million settlement in a class action lawsuit against San Juan, Puerto Rico-based Inmediata Health Group in the wake of a 2019 hacking incident involving an IT misconfiguration. That incident exposed the protected health information of nearly 1.6 million individuals.
Proposed CaptureRx Settlement
According to documents filed in a Texas federal court on Friday, under terms of CaptureRx's proposed settlement, each class member who files a valid claim will be eligible for one cash payment of up to $25, regardless of whether the individual experienced identity theft as a result of the incident. But California subclass members are eligible for an additional benefit of up to $75.
The proposed settlement also calls for CaptureRx, within 90 days of the agreement becoming effective, to "further develop, implement, and maintain a comprehensive information security program that is reasonably designed to protect the security, integrity, and confidentiality of personal Information that CaptureRx collects or obtains from patients," if the company has not already done so.
Under the proposed settlement, CaptureRx's information security program "shall contain administrative, technical, and physical safeguards appropriate to the size and complexity of the company's operations; the nature and scope of firm's activities; and the sensitivity of the personal information the company maintains," court documents say.
As of Monday, a final approval hearing for the proposed CaptureRx settlement had not yet been scheduled by the court.
Bankruptcy Warning
In a declaration filed Friday along with other proposed settlement documents, CaptureRx CEO Chris Hotchkiss, who has been in that position since 2021, says that if the class action litigation is not settled, "CaptureRx will strongly consider filing for bankruptcy."
In his court statement, Hotchkiss says that CaptureRx "is not a large national or multinational company and has limited resources." The company has a "wasting insurance policy" related to this case, he adds.
"The insurer is making a substantial contribution to the settlement but based on its policy limits, the amount covered is less than half of the total settlement," he says. "CaptureRx faces demands for indemnity from numerous customers that were also named as defendants in the class action cases and that have and continue to put severe financial strain on the company."
CaptureRx’s owners are funding part of the settlement with their own money, Hotchkiss says.
Insurance Considerations
Technology attorney Steven Teppler of the law firm Sterlington PLLC, who is not involved in the CaptureRx case, says: "Threatening bankruptcy is to my knowledge not illegal and is a time-honored bargaining chip for a distressed entity to limit losses and perhaps stay in business. From the distressed entity perspective, bankruptcy should be seen as a last resort. That said, what this underscores is the gap in understanding between having insurance and having enough insurance, based upon your knowledge of high-potential liability."
Insurance attorney Peter Halprin of the law firm Pasich LLP - who also is not involved in the CaptureRx case - says that all companies should be aware that while most liability policies treat defense expenses as outside of the available policy limits, others - such as so-called "wasting insurance policies" - take the opposite approach and policy limits are reduced by defense expenditures.
"In practice, this means that expensive litigations can reduce and even eliminate whatever insurance proceeds might be available to fund a settlement. Companies should work with their brokers to understand whether an insurance policy treats defense costs as outside or inside of limits to avoid any surprises," he says.
"The concept of defense [expenses] in or out of limits is common to all policies. But I haven’t seen the issue arise in the cyber context yet."
Teppler says the CaptureRx situation offers important lessons to other entities: "Pay for the right insurance and keep the company afloat. If you know that your business vertical is susceptible to cyberattack and the information you handle is sensitive, don’t be pound foolish. If you handle millions of people’s PHI, you should consider protecting patient information an essential core business function and take appropriate steps in turn to resource that core business function."
Another Breach Bankruptcy Case
If the CaptureRx proposed data breach litigation settlement falls through and the vendor files for bankruptcy, the company would not be the first to declare bankruptcy following a major health data breach.
In June 2019, Retrieval-Masters Creditors Bureau, which does business as American Medical Collection Agency, sought Chapter 11 bankruptcy protection "to provide the best opportunity for a cost-effective and orderly liquidation" following the March 2019 discovery of a major data breach (see: AMCA Bankruptcy Filing in the Wake of Breach Reveals Impact).
The breach, a hacking incident discovered in June 2019, not only caused AMCA’s largest clients to end their business relationships with the Elmsford, New York-based debt collection agency, but has also resulted in "enormous expenses that were beyond the ability of [the company] to bear," Russell Fuchs, RMCB’s owner and CEO, said in court documents.
That breach affected the PHI of several large AMCA clients. In 2019 U.S. Securities and Exchange Commission documents, the following AMCA clients revealed the impact of the breach:
- Quest Diagnostics - Nearly 12 million patients affected;
- LabCorp - 7.7 million individuals affected;
- BioReference Laboratories - Nearly 423,000 patients affected.
AMCA and some of its affected clients faced more than a dozen class action lawsuits following the data breach.
Inmediata Settlement
Meanwhile, under the proposed $1.1 million settlement involving Inmediata announced last week, the company has agreed to provide cash payments to class members for reimbursement of certain documented out-of-pocket losses and up to $15 per hour for up to three hours for time spent addressing issues "plausibly traceable" to the security incident, according to ILYM Group Inc., the claims administrator handling the settlement.
For class members qualifying under the California Confidentiality of Medical Information Act, the company will also provide cash payments of up to $50.
Inmediata will also pay for credit monitoring services and identity theft insurance for class members, including for up to one additional year for individuals who already have certain current credit and identity monitoring plans.
Under the proposed agreement, Inmediata is not admitting to any wrongdoing, settlement documents say.
A final hearing for the approval of the Inmediata settlement is slated for April 21 in a Puerto Rico federal court.
Inmediata in April 2019 disclosed that its computer network system had been the target of an external cyberattack that began in January 2019. Data that could have been accessed by hackers included personal information for patients of Inmediata customers, including names, addresses, birthdates, Social Security numbers, protected health information and telephone numbers, court documents say.
In a breach notification statement posted on its website in 2019, Inmediata said the company became aware in January 2019 "that some electronic health information was viewable online due to a webpage setting that permitted search engines to index internal webpages that are used for business operations."