$5 Million Settlement Calls for Vendor to Improve SecurityProposed Agreement to Settle Class Action Lawsuit in Solara Medical Supplies Breach
A diabetes medical supply vendor has agreed to pay more than $5 million and implement a host of security improvements under a proposed settlement of a consolidated class action lawsuit involving a 2019 phishing incident that affected sensitive information of more than 114,000 individuals.
Under the preliminary settlement approved on Wednesday by a California federal court, Chula Vista, California-based Solara Medical Supplies LLC will pay each class member with valid claims $100 - and up to $1,000; six lead plaintiffs, who filed four lawsuits that were consolidated into the case, $4,000 each; and $2.3 million in attorney fees.
In addition to the financial settlement, Solara is required to take specific steps to improve its data security. That includes performing various "remedial measures" for a minimum of the next two years and performing "either improved versions of such recommendations or the new industry standard thereafter for at least three additional years."
Solara is a direct-to-consumer supplier of medical devices related to the care of diabetes and a registered pharmacy in in the state of California, court documents say.
They also say that under the settlement, Solara continues to deny any wrongdoing, and the agreement does not constitute an admission or finding of any fault, liability, wrongdoing or damage by the company.
In the lawsuit, the plaintiffs, who were customers who used Solara products to manage their health conditions, allege that their personal and medical information was exposed after the company's computer systems were compromised by hackers in 2019 (see: Tale of Two Breach Lawsuits).
The Department of Health and Human Services' HIPAA Breach Reporting Tool website shows that Solara Medical Supplies reported the breach to federal regulators on Nov. 13, 2019, as a hacking/IT incident involving email affecting 114,007 individuals.
In a data breach notification statement posted on its website, Solara says that on June 28, 2019, the company determined that an unknown actor had gained access to a limited number of employee Office 365 accounts, from April 2, 2019, to June 20, 2019, as a result of a phishing email campaign.
Solara's investigation into the incident determined on July 3, 2019, that certain information present within the affected employee Office 365 accounts may have been accessed or acquired by an unknown actor at the time of the compromise.
Court documents allege that personally identifiable information and protected health information potentially compromised included individuals' names; dates of birth; billing/claims information; health insurance information; medical information; financial account information; Social Security numbers; driver's licenses or state IDs; credit or debit card information; passwords, PINs or account logins; Medicare or Medicaid IDs; and two individuals' passport numbers.
Under the proposed settlement, the remedial security improvements that Solara is required to make for at least two years include:
- Undergoing a SOC 2 Type 2 audit in 2022, which is to be repeated until Solara passes;
- Engaging an independent third party to perform a HIPAA IT assessment starting in 2022;
- Undergoing at least one cyber incident response test per year starting in 2022;
- Requiring its staff to undergo periodic training in security and privacy at least twice a year;
- Engaging a company to test its phishing and external-facing vulnerabilities at least twice a year;
- Deploying a third-party enterprise security information event and management, or SIEM, tool with a 400-day look-back on logs.
The proposed settlement designates Solara's compliance officer to be responsible for ensuring compliance with the remedial security measures.
Privacy attorney David Holtzman of the consulting firm HITPrivacy LLC - who was not involved in the Solara case - says the proposed class action lawsuit settlement "is forward-thinking in its approach" to address allegations that the company's information security program was inadequate.
"Among the features that I like are the settlement requiring Solara to conduct a robust information security risk analysis, plus a SOC 2 audit, and have a risk management plan to mitigate gaps identified in the assessment," he says. "Solara will be required to educate and make their workforce members aware of information security and privacy issues."
Under the settlement, each class member who files a timely claim will receive $100 in cash payment. If funds remain in the settlement fund following the first distribution, class members will receive a pro rata supplemental distribution for a maximum of $1,000 in total cash payments, court documents say.
If funds remain in the settlement fund after all class members have received the maximum of $1,000 cash payment, the remaining funds will be donated to the Juvenile Diabetes Research Foundation, court documents say.
Holtzman says that the settlement's cash payments to class members whose personal information was disclosed is in line with the damages consumers are entitled to receive under the California Consumer Privacy Act.
"The CCPA allows consumers to sue businesses when their non-encrypted personal information is disclosed through unauthorized access and exfiltration, theft or disclosure because of the business's violation of the duty to implement and maintain reasonable security procedures and practices that are appropriate to the sensitivity of the information," he says, adding that consumers whose data has been disclosed because of failure to have reasonable security measures in place are entitled to seek statutory penalties of $100 to $750 per incident.
A court hearing for the final approval of the settlement is slated for Sept. 12.
Solara did not immediately respond to Information Security Media Group's request for comment on the proposed settlement.
The call for Solara to make specific improvements to its data security as part of the proposed settlement follow a pattern seen in some other recent settlements involving health data breach class action lawsuits.
For instance, a proposed settlement in a class action lawsuit filed against health insurer Excellus Blue Cross Blue Shield in the wake of a cyberattack discovered in 2015 that affected 10.5 million individuals also called for the company to take a series of measures to improve data security.
Unlike the Solara settlement, however, the proposed Excellus settlement does not include monetary relief for class members. That's due to the court earlier concluding that classes seeking damages could not be certified for various legal reasons, says an attorney representing the Excellus class members.
A hearing for the final approval of the Excellus settlement is slated for this month in a New York federal court.