Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Defendants to pay $5 million for alleged data breach

Privacy/Cyber Risk & Data Security Courts Data Breach California Class Action Settlement

Privacy, Cyber Risk & Data Security

On April 20, the U.S. District Court for the Southern District of California granted preliminary approval of a proposed class settlement, resolving claims against a medical supplier company after a data breach allegedly compromised personal information of its consumers in its database. According to the order, the plaintiffs’ alleged that between April 2019 and June 2019, hackers gained access to the defendant’s computer systems, which contained personal identifying information and protected health information of tens of thousands of individuals. Under the terms of the settlement, the defendants will pay $5 million, where each class member with a valid claim will receive between $100-$1000 in cash. The settlement also includes $2.3 million in attorneys’ fees and up to $4,000 for each of the class representatives. Additionally, the defendants will “be required to perform specified remedial measures for a minimum of the next two years and ‘perform either improved versions of such recommendations or the new industry standard thereafter for at least three additional years.’” The remedial measures include, among other things, conducting an AICPA and SOC Type 2 audit to be repeated until the defendant passes, engaging an independent third party to perform a HIPAA IT assessment, undergoing at least one cyber incident response test per year starting in 2022, requiring staff trainings about security and privacy at least twice a year, engaging a company to test its phishing and external facing vulnerabilities at least twice a year, and deploying a third-party enterprise SIEM tool with a 400-day look-back on logs.