[BreachExchange] Proposed Settlement in Lawsuit Tied to Insider Breach

Destry Winant destry at riskbasedsecurity.com
Fri Jul 27 01:00:59 EDT 2018


https://www.databreachtoday.com/proposed-settlement-in-lawsuit-tied-to-insider-breach-a-11252

A proposed settlement of a class action lawsuit against an Alabama
hospital provides a total of up to $150,000 in relief to more than
1,200 individuals affected by a breach involving a former employee who
was convicted of identity theft that led to federal tax refund fraud.

The 2014 lawsuit alleged negligence and breach of contract by Dothan,
Alabama-based Flowers Hospital because of the theft by a former lab
technician of "thousands of paper records" containing patients'
information.

The settlement now awaits final court approval.

The former employee, Kamarian D. Millender, was sentenced in December
2014 to two years in prison after pleading guilty to identity theft
that was tied to the filing of false tax returns.

The lawsuit claimed that from approximately June 2013 until about
February 2014, thousands of paper records of Flowers Hospital patients
were left "unguarded, unprotected, and/or otherwise subject to theft
by Flowers employees and other third parties who otherwise had no
reason to be in possession of such information."

The proposed agreement filed in an Alabama federal court on July 20
provides 1,208 "settlement class members" reimbursement of up to $250
each if they submit "valid claims" for their purchase of credit
monitoring/identity theft protection as a result of the breach.

Settlement class members are also eligible to receive reimbursement
for "up to four hours of documented lost time spent dealing with the
data theft or alleged identity fraud," the cost of credit reports
purchased primarily because of the incident and un-reimbursed interest
related to a delayed tax refund based on a fraudulent tax return filed
after June 2013 and prior to the claims deadline.

Uncommon Terms

Attorney Steven Teppler of the Abbott Law Group, who is not involved
in the case but who has represented plaintiffs in other breach-related
litigation, says it's unusual for a lawsuit settlement to include
reimbursement for time lost dealing with the effects of the breach and
interest for delayed tax refunds. "These payments are appropriate but
unusual," he says.

Court documents also note, however, that under the agreement, "no
payment shall be made for emotional distress, personal/bodily injury
or punitive damages."

Other stipulations are also noted in the proposed settlement. For
instance, "for claims in excess of $250, the settlement administrator
may request, and the claimant must disclose upon request - if known -
all other notices of a breach involving any of their payment card data
or other personal information the claimant has received in the
three-year period preceding the date of the settlement class member's
claim. ... If the claimant has received no such notice, the claimant
must so state."

The settlement agreement also states: "The total amount of relief ...
that can be awarded to any one settlement class member is $5,000. If
the total amount of claims submitted exceeds $150,000, then the claims
will be reduced pro rata as to all claims ... so that the total amount
paid by Flowers does not exceed $150,000."

Why Was Case Settled?

Many breach-related class action lawsuits are dismissed by the courts
as a result of the lack of evidence of harm caused. And settlements
are relatively uncommon.

The plaintiffs' case in the Flowers Hospital incident was likely
strengthened by the fact that a former employee was found guilty of
crimes involving the stolen information.

"Insider threats are very hard to defend against, and often involve
clear harm to victims, such as identity theft," says privacy attorney
Adam Greene of the law firm Davis Wright Tremaine. "As a result, I
expect that we will see other, similar breaches, lawsuits and
settlements."

When it comes to pursuing data breach lawsuits in cases involving
insiders, plaintiffs can sometimes have an advantage, Greene notes.

"Insider cases are sometimes easier for plaintiffs than cases
involving hackers, since there is often clearer evidence of what was
done with the information," he says. "For example, when an employee
steals Social Security numbers, the resulting harm is often more
immediate and directly tied to the theft compared to when an unknown
hacker steals large amounts of data for unknown reasons."

Teppler predicts that litigation and potential settlements in cases
involving insider breaches "where there's negligent hiring or
supervision is something you will see more of." Factors that need to
be considered, he says, include whether the employer did a background
check of the employee and whether it had security measures in place to
help prevent criminal activity.

Neither Flowers Hospital nor attorneys representing class members in
the case immediately responded to Information Security Media Group's
requests for comment.

