Ambry Genetics is reported to have settled its lawsuit for $12.25M, following a January 2020 data breach that affected 232,772 patients. The breach was email-based, which shows that criminals are still exploiting email accounts. One of the hardest aspects of cases like this is that Ambry was not able to tell whether the criminals exfiltrated any ePHI, which means it is paying for failing to secure patient information rather than for actual damages. Another aspect is that this case took two years of lawyer fees to settle, which we assume added significantly to the breach cost. We looked on the Office for Civil Rights (OCR) "Newsroom" page and don't see that a Corrective Action Plan has been agreed, so we assume that the civil lawyers have moved faster to resolution than the ones from Health and Human Services (HHS).
LifeBridge Health also recently made the news, following its 18-month breach affecting 530,000 patients; it also settled its civil lawsuit, for $9.5M. The lawsuit also alleged a second breach "...sometime between December 2019 and April 2020...". Notably, LifeBridge is also paying $775K in fees and is investing $7.9M to improve its security program. Whenever we read news like this, we wonder whether the HIPAA Security Officer or Information Services staff had been asking for improvements that were "not in the budget". As with Ambry Genetics, no OCR news release was found on the HHS website.
This post is a reminder that these HUGE settlements aren't yesterday's news; they are here today as well. Engage someone if you are not confident that your program's outcome would be different after a breach. We help people who are answering their OCR investigation letters and offer services we believe* could help reduce the impact of a post-breach lawsuit.
Stay (HIPAA) safe,
*not legal advice