Calibrated Healthcare settles class action data breach lawsuit

Calibrated Healthcare has agreed to settle a class action lawsuit over a February 2024 data breach with compensation up to $5,000 for affected individuals.

MRAdmin
By
2 Min Read

Calibrated Healthcare Systems LLC and Calibrated Healthcare LLC have agreed to settle a class action lawsuit stemming from a February 2024 data breach. Under the proposed settlement, affected individuals may claim up to $5,000 for documented losses, up to $175 for lost time, a cash payment, and free medical monitoring services.

Breach background

The breach, disclosed in April 2024, exposed the protected health information (PHI) and personally identifiable information of patients and employees of the healthcare services company. Calibrated Healthcare provides revenue cycle management, medical billing, and practice management solutions to healthcare providers across the United States — meaning the breach had downstream implications for multiple provider organizations whose patient data was handled by the company as a business associate.

The class action alleged that Calibrated Healthcare failed to implement adequate cybersecurity measures to protect sensitive data, allowing an unauthorized actor to access its systems and exfiltrate nearly a terabyte of data containing names, Social Security numbers, medical records, insurance information, and financial data.

Settlement terms

The settlement provides a multi-tier compensation structure for affected individuals:

  • Up to $5,000 reimbursement for documented out-of-pocket losses attributable to the breach
  • Up to $175 for lost time spent dealing with the breach (up to 5 hours at $35/hour)
  • A pro-rata cash payment from the settlement fund
  • Free credit monitoring and identity theft protection services
  • Medical monitoring services for those whose health information was exposed

Healthcare relevance

This settlement highlights the growing liability exposure for healthcare business associates — third-party vendors that process PHI on behalf of covered entities. The CVE-2023-46604 Apache ActiveMQ vulnerability, which was actively exploited in numerous healthcare breaches in early 2024, may have played a role in the initial compromise vector. Healthcare organizations should review their business associate agreements to ensure downstream vendors maintain adequate breach response and liability coverage.

Share This Article
Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *