Retina Group of Washington agrees to lawsuit settlement

The company agreed to pay a $3.6 million settlement over a 2023 data breach. 

What happened

In December of 2023, Retina Group of Washington, a provider with clinics in Maryland and Virginia, filed a data breach notice with the Maine Attorney General. The breach impacted about 456,000 individuals, who have had data like names, addresses, telephone numbers, email addresses, dates of birth, demographic information, Social Security numbers, Driver’s license numbers, medical record numbers, health information, payment information, and health insurance information accessed. 

Following the breach, seven lawsuits were filed. They were ultimately consolidated into a single lawsuit, filed in the United States District Court for the District of Maryland. The plaintiffs claimed that the Retina Group was negligent by “failing to implement reasonable and appropriate safeguards to protect sensitive data against unauthorized access” and for not following best practices for cybersecurity. 

What’s new

Recently, the Retina Group agreed to a settlement but maintains that they did not commit any wrongdoing. The group agreed that a settlement would be best to avoid litigation costs and the uncertain outcomes of a trial. Class members may submit a claim for reimbursement or a cash payment, which is estimated to be around $100. Individuals who submit a claim for reimbursement may seek up to $300 with proof. Extraordinary losses due to identity theft or fraud can be claimed for up to $5,000. 

The settlement has been given preliminary approval, and the final hearing is scheduled for June 9th, 2025. The deadline for exclusion from the settlement is May 27th, and the deadline for submitting claims is June 23rd, 2025.  

The bottom line

Cases like these have become increasingly common, and it’s now fairly normal for a data breach to result in a class action lawsuit. These lawsuits aim to penalize organizations for bad security practices and encourage them and other organizations to take more preventative measures. While this case will likely make the Retina Group revisit their policies, the most important component of cybersecurity is to have the right training and tools, like HIPAA complaint email, to keep data safe. 

FAQs

What happens if I don’t agree with the settlement?

If an impacted individual doesn’t agree to the terms of the settlement, they can ask the entire suit to be thrown out (object) or opt out of the settlement.  

What caused the data breach

According to Retina Group of Washington’s notification letters, employees began having difficulty accessing information on some of its systems in March of 2023. While Retina Group did not confirm the cause of the breach, they did say they were the “victim” of an incident, which may suggest it was a ransomware attack.