Dental Care Alliance Settles Breach Lawsuit for $3 Million
2020 Cyberattack Affected Patients, Employees at Hundreds of Dental Practices
A support services contractor for dental practices is set to pay out $3 million to settle a putative class action launched over a 2020 cyberattack that affected more than 1.2 million of the practices' patients and employees.
The settlement is set for final approval by a Georgia state judge on Sept. 1.
Under the proposed agreement, which already gained preliminary approval, Sarasota, Florida-based Dental Care Alliance LLC will pay individuals who submit valid reimbursement claims for losses tied to the breach. The company has also agreed to enhance its data security.
The Dental Care Alliance website describes the company's customers as 380 affiliated dental practices in 21 states for which it provides support services including billing, accounting, payroll, volume purchasing, operations management and IT.
Attorney Paul Hales of the Hales Law Group says that lawsuits arising from major health data breaches are increasingly being settled in part because the agreements allow defendants to cap their costs and also allow class action counsel to recoup their expenses and earn fees.
"Because of the relative success of these lawsuits, I expect to see them increase to match the snowballing number of health information data breaches."
Settlement Terms
Under the proposed settlement agreement, the Dental Care Alliance will pay class members up to $2,000 for documented losses "more likely than not" caused by the security incident and up to two hours of time spent responding to the breach, at a rate of $20 per hour.
The company also agreed to pay a subclass of 220,000 settlement class members an additional $3,000 - for a total of $5,000 - for documented losses likely caused by the breach and compensation for up to four hours of time spent responding to the incident, at a rate of $20 per hour.
The subclass may have had their Social Security numbers, financial accounts, bank accounts, or driver’s licenses exposed by the breach.
All settlement class and subclass members are eligible to enroll in two years of complimentary identity theft protection under the settlement.
All benefits to settlement class and subclass members are capped at a total of $3 million.
Security Enhancements
Under the preliminary settlement, Dental Care Alliance also agreed to implement enhanced data security measures. The details of those improvements were not specified in public court documents.
The security enhancements are the most important outcome of the settlement for Steven Teppler, a partner at law firm Sterlington PLLC and chair of its cybersecurity and privacy practice.
"What is interesting - and promising - is that there is actually a particularized list of security enhancements, filed under seal, which DCA has expressly committed to address," says Teppler, who is not involved in the lawsuit.
"Specifically articulated, enforceable - and enforced - security improvements and protections should always be part and parcel of any cybersecurity incident settlement agreement. It appears here that plaintiffs' counsel demanded fairly specific corrective action rather than obtaining a simple promise to do better," Teppler says.
The company did not immediately respond to Information Security Media Group's request for comment on the proposed settlement.
Breach Details
The 2021 class action lawsuit was filed by several patients and employees of dental practices affected by the DCA breach on behalf of themselves and others similarly situated.
Among other claims, the lawsuit alleges negligence in how DCA maintained private information, invasion of privacy, breach of express contract, breach of implied contract, and violations of various Florida state laws.
The lawsuit alleges that on or about Oct. 11, 2020, DCA became aware of a cybersecurity incident on its network. A forensics investigation determined that there had been unauthorized activity on DCA's network for nearly a month between Sept. 18 and Oct. 13, 2020, and that confidential files belonging to more than 1 million individuals had been accessed, the complaint alleges.
For patients of DCA's dental practice clients, information accessed by attackers included names, addresses, dental diagnoses, treatment information, account numbers, billing information, bank account numbers and health insurance data, court documents say.
For employees at affected dental practices, that information included names, Social Security numbers, dates of birth, employee identification numbers and financial account numbers, court documents say.
DCA reported the HIPAA breach as a business associate on Dec. 8, 2020, to the Department of Health and Human Services' Office for Civil Rights as a hacking/IT incident involving a network server affecting 1.7 million individuals.