Fertility Centers of Illinois has offered a $450,000 settlement to resolve a legal dispute brought by those affected by the data breach that occurred on February 1st, 2021. The hack exposed a vast amount of sensitive information, such as names, employee ID numbers, Social Security numbers, passport numbers, financial accounts, payment information, diagnoses, treatment information, medical record numbers, billings and claims information, occupational health information, Medicare/Medicaid information, and usernames and passwords with PINs or account login information. The HHS’ Office for Civil Rights was notified of the data breach on December 27, 2021, after it affected 79,943 patients. Although the investigation of the breach took six months, notification letters were not sent out until December 2021, four months after the discovery of the breach. This is despite the HIPAA Breach Notification Rule requiring the HHS and affected individuals to be notified about breaches of protected health information within 60 days of the discovery.
Monegato, et al. v. Fertility Centers of Illinois PLLC was filed in the Circuit Court of Cook County, IL, alleging that the company delayed notifications, attempted to hide the seriousness of the breach, and misrepresented the breach and the risk it posed to individuals. Furthermore, the lawsuit claims that Fertility Centers of Illinois failed to secure patient data, with a lack of security protocols and a breach notification delay that contravened Illinois law. These security failures included storing PHI/PII in multiple locations with varying security measures, inadequate training of employees on security protocols, and insufficient security measures for protecting PHI/PII. The lawsuit further alleges that the response to the breach was ineffective and that it took 6 months to discover that hackers had accessed PHI/PII. The breach notification letters stated that electronic medical records had not been accessed, yet the following paragraph made it apparent that the information in medical records had been breached. This caused victims of the data breach to worry about a lifetime risk of identity theft and fraud, and has thus led to them suffering damages such as financial losses, lost time, anxiety, and emotional distress. Additionally, they have lost the ability to choose how their PHI/PII is used, and the value of their PII and PHI has decreased. Despite all the risks, they were only offered identity theft protection services for 12-24 months.
Fertility Centers of Illinois has not admitted any wrongdoing and instead elected to settle the lawsuit to prevent further legal costs and the potential risks of going to trial. Affected individuals are allowed to submit claims for up to $450 to cover ordinary losses such as fees associated with the data breach, or up to four hours of lost time at $20 per hour. Individuals who incurred extraordinary losses between February 1, 2021, and June 5, 2023, can submit a claim for up to $5,000 to be reimbursed for them. The settlement is capped at $450,000, and if that amount is reached, payments will be made proportionately. Additionally, all individuals included in the settlement are eligible for 24 months of credit monitoring services from Pango, starting from the date the settlement was reached.