HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Professional Finance Company settles multi-million dollar class action suit

Written by Abby Grifno | Jan 27, 2025 2:26:41 PM

What happened

Professional Finance Company (PFC), a financial institution, recently settled a class action lawsuit regarding a data breach that impacted healthcare data. The settlement totaled $2.5 million. 

PFC assists hospitals as a payment vendor, and thus had access to some protected health information. The company initially reported the breach to the Department of Health and Human Services in July of 2022. The breach impacted 1.9 million patients from a variety of hospitals and health centers. 

According to the breach notice, the incident was the result of a ransomware attack and involved information including names, addresses, birth dates, Social Security numbers, financial information, and health insurance information. 


What’s new

Now, over two years later, PFC has reached a settlement following a class action suit. The suit alleged that PFC was negligent and failed to implement reasonable and appropriate safeguards to protect the sensitive data. 

An investigation determined that 657 healthcare providers, all clients of PFC, had their patients' data affected. 

Multiple lawsuits were consolidated into a single class action case, filed in the US District Court for the District of Colorado. The lawsuit claimed that PFC was negligent, breached its implied contract with the affected individuals, and violated several consumer protection and fraud statutes. 

As part of the settlement, PFC did not admit to any wrongdoing. The settlement will entitle class action members to submit claims for up to $500. Class action members in California may also receive a $50 cash payment. 

While the settlement has received preliminary approval, the final approval hearing is scheduled for April 17, 2025. 


Going deeper

Breaches at vendor organizations are increasingly common and can be hard for affected individuals to keep track of: patients often have no direct relationship with the vendor, and notification letters reach them only if the contact information on file is current. In this case, some healthcare organizations reported the breach themselves, while others relied on PFC to report the incident on their behalf.

Class action suits take a significant amount of time to resolve. By the time this settlement is finalized and claims are paid, class members may have waited more than three years since the breach occurred. For victims, this restitution, while legally sufficient, does not undo the exposure: data that has already been posted to the dark web remains available regardless of any payment. 
