A Michigan dental practice settled for $2.7 million following a 2023 data breach impacting over 1 million patients.
Following a 2023 data breach, plaintiffs filed a consolidated class action lawsuit against Great Expressions Dental Centers (GEDC), alleging negligence. GEDC attempted to dismiss the claims, arguing that the impacted parties did not suffer direct harm.
Instead of taking the case to trial, both parties agreed to mediation, reaching a tentative settlement on March 21, 2024.
The proposed agreement provides a payment of $2.7 million to compensate affected individuals and to cover expenses related to the breach. As part of the settlement, GEDC also committed to improving cybersecurity practices. Within the terms of the settlement, GEDC denied any wrongdoing and maintained that the breach was not due to negligence.
GEDC, a Michigan-based dental practice with over 250 locations in nine states, experienced a breach in early 2023. The breach is estimated to have compromised the data of more than 1.9 million patients and employees and was reported to the U.S. Department of Health and Human Services (HHS) in May. Reportedly, an unknown threat actor accessed unencrypted data on the GEDC network from February 17 to February 22, 2023.
The settlement document said, “On or before February 22, 2023, Defendants learned of a data security incident (the Data Security Incident) that occurred between February 17, 2023, and February 22, 2023, in which an unauthorized, outside actor (the Threat Actor) accessed certain of Defendants’ information technology systems. Defendants’ investigation of the Data Security Incident determined that the Threat Actor potentially accessed certain records containing personal information.”
Patients receive settlement money after the settlement is officially, rather than tentatively, approved. It can generally take a few months, but in more complex classes, it may take longer.
A healthcare organization may be found negligent if it failed to take reasonable steps to protect sensitive information.
A legal document that combines multiple plaintiffs' claims into one revised complaint.