$12.25M settlement reached in Ambry Genetics health data breach lawsuit – SC Media

Ambry Genetics has reached a $12.25 million settlement with the 232,772 patients affected by a two-day hack of its email system in January 2020. The lawsuit claimed the incident was a “direct result” of the clinical genomic diagnostics vendor’s inadequate cybersecurity protocols.
The proposed monetary settlement provides financial restitution for the affected patients and includes spending for Ambry Genetics to implement a number of updated security measures.
The lawsuit stems from an email incident first reported by the vendor in April 2020, in which an attacker gained access to a single employee email account. The account contained patient names, medical information, diagnoses, and details about the services provided by Ambry. Social Security numbers were involved for a smaller subset of patients.
The investigation could not verify whether the actor accessed or exfiltrated the data. However, the hack occurred during a pandemic period of heightened targeting of healthcare providers, particularly COVID-19 research firms.
The impacted patients quickly filed a lawsuit, arguing that if Ambry had remedied the known gaps in its data security and adopted industry best practices, the email intrusion and subsequent data leak could have been prevented.
Beyond the alleged security shortcomings, the patients also took issue with the lack of timely notification. The notice was sent about two months outside of the 60-day requirement outlined in the Health Insurance Portability and Accountability Act (HIPAA). Ambry was also accused of not providing patients with adequate credit monitoring after the incident.
For the last two years, the involved parties have looked for an amenable agreement with multiple near-dismissals. The proposed terms aim to “fully, finally, and forever resolve, discharge, and settle” these claims.
Given the facts, applicable law, and “taking into account the burden and expense of such continued litigation … and the fair, cost-effective and assured method of resolving the claims, [the parties] believe resolution is appropriate … and reasonable means of ensuring [patients] are afforded important benefits and protections as expediently as possible,” according to the suit.
Under the terms, Ambry Genetics will deposit $12.25 million into a settlement fund. Of those funds, $2.25 million will cover the costs of the notice plan, administrative expenses, and the cost of providing victims with three years of credit monitoring and identity theft insurance services.
Individuals are also eligible to receive up to $10,000 in reimbursement for out-of-pocket costs upon providing reasonable documentation. Patients can be compensated at up to $30 an hour for up to 10 hours of documented time spent responding to the breach, with proof of those actions, or for another three hours of “default time” expended to remedy issues tied to the incident.
Certain “subclass” members in Illinois and California will also receive a check for about $150 to resolve possible violations of the California Confidentiality of Medical Information Act and the Illinois Genetic Information Privacy Act.
According to the suit, Ambry Genetics has spent an estimated $1.4 million on the initial breach notice, investigation, and other security measures.
The vendor has attested to enhancing its policies and procedures and providing employees with training for handling health information. Ambry has also tightened restrictions on access to health data, instituted “prominent red-flag warnings” for externally sent emails, replaced old applications, and added security systems.
Ambry has also revisited its vendor management, now retaining only vendors that meet all “SOC 2 certification requirements, perform third-party risk assessments, penetration testing, and phish-testing emails to all employees.”
In total, the settlement may reach $14 million, making it one of the largest lawsuit resolutions in recent years despite its limited scope. For context, BJC HealthCare settled its 2020 email system hack impacting 287,873 patients over the summer for $2.7 million. Most of those funds were directed to a required implementation of multi-factor authentication on BJC’s email platform.
The $5 million Solara Medical Supplies settlement announced in April is yet another example in which the proposed funds will be directed to required annual incident response tests and other security program improvements.
The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
Copyright © 2022 CyberRisk Alliance, LLC All Rights Reserved This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.
Your use of this website constitutes acceptance of CyberRisk Alliance Privacy Policy and Terms & Conditions.