Care Pro reaches $1.3 million settlement following data breach
Abby Grifno
Nov 14, 2025 6:49:57 PM
The Iowa-based healthcare service and product provider recently reached a settlement following a 2023 data incident.
What happened
A $1.3 million settlement has been reached in a lawsuit against C.R. Pharmacy Services, which does business as CarePro Health Services. The lawsuit claims that CarePro failed to protect patients’ personal information and that the company should have been aware that its cybersecurity protections were insufficient.
CarePro has maintained that they did not commit any wrongdoing. Under the terms of the settlement, class members can receive up to $5,000 for losses related to the breach. A fairness hearing will be held on January 23rd, 2026.
The backstory
The settlement stems from a 2023 breach that was announced by Care Pro in early 2024. According to its breach notice, which is still published on its website, the incident took place on November 16th, 2023, nearly two years ago. The breach resulted in information being accessed, including names, contact information, dates of birth, diagnosis/condition information, treatment information, prescription information, health insurance information, Social Security numbers, driver’s license numbers, and financial account information.
Ultimately, 151,499 individuals were impacted in the breach, according to reports to the Department of Health and Human Services. The HHS also reported that Care Pro provided adequate notification and was implementing additional safeguards. Thus, it appears Care Pro will not be facing any additional penalties.
The big picture
The case highlights the long-lasting repercussions of a data breach. Even after several years, a breach can continue to affect an organization. Legal cases can be uncertain, leaving organizations in financial limbo as the case unfolds. Generally, they wind up being pricey; Solara Medical Supplies, for instance, paid a $9.76 million class action settlement following an email breach. In general, it’s estimated the cost of a data breach has risen to $11 million, which includes legal and administrative costs, fines, and updates to technology and practices that can accompany a data breach.
Notably, Care Pro, while a large company, isn’t as big as some might think; it has only six locations. Ultimately, the incident shows that organizations of any size can face hefty consequences that may not be realized for years after the incident. With these drawn-out cases, the company may face overall uncertainty regarding financials, reputation, and the impact on future profitability. Care Pro has already closed one location, although it’s unclear if the closure is related to the breach.
FAQs
When do organizations face additional penalties for data breaches?
The OCR can issue penalties to organizations if they fail to comply with HIPAA, fail to correct violations, or are found to be willfully negligent with regard to data security. If organizations were HIPAA compliant and not willfully negligent, then other financial repercussions will likely come from a class action suit.
What caused the breach at Care Pro?
The HHS described the incident as a hacking/IT breach, and Care Pro further stated that their network was accessed. The exact vulnerability has not been revealed and, at this point, it’s unlikely to be.