Datavant to Pay $900K to Settle Data Breach Lawsuit
Health data giant Datavant Group has agreed to a $900,000 settlement to resolve a class-action lawsuit concerning a data breach that exposed the protected health information (PHI) of thousands of patients. The deal is a compromise where the company admits no wrongdoing.
What Happened
Datavant Group, a major player in health technology and data analytics, has opened its wallet to end a nagging class-action lawsuit. The company agreed to a $900,000 settlement fund with plaintiffs in a case filed over a data breach that allegedly led to the leak of sensitive health data for thousands of patients. This move is seen as an attempt to avoid a long and potentially more costly legal battle. Although the agreement still needs final court approval, the fact that the parties have shaken hands in principle indicates that the incident is moving toward a close for the victims.
So, how did we get here? It all started with a breach of Datavant's systems. The plaintiffs alleged that the company failed to implement reasonable cybersecurity measures to prevent attackers from infiltrating its network and accessing highly personal protected health information (PHI). Such lawsuits typically include claims of negligence, breach of contract, and unjust enrichment. According to the plaintiffs, Datavant failed in its duty to the people whose data it was obligated to protect. The company denies these allegations: in its statement, it said it believes its security systems were adequate but chose to settle to avoid the time and expense of litigation. This is a common legal stance in such cases; companies prefer to close the matter without admitting liability.

The $900,000 fund will be used to reimburse class members for out-of-pocket expenses incurred as a direct result of the breach and to compensate them for time spent dealing with the fallout. So, if you had to buy a credit monitoring service or spend hours on the phone with your bank because of this, you may be able to claim a share of that fund.
Data Compromised
What were the cyberattackers after? In short, our most private information. According to court filings, the stolen data includes a wide range of personal and medical information protected under HIPAA (the Health Insurance Portability and Accountability Act). This is far more than a simple email leak. Let's take a look at just how sensitive the list is:
- Full Names and Addresses: The cornerstones of your identity.
- Dates of Birth: Another key piece of information frequently used in identity theft.
- Social Security Numbers (SSNs): Perhaps the most critical data point. Once your SSN is compromised, credit cards can be opened in your name, and fraudulent tax returns can be filed.
- Medical Record Numbers: Your unique identifier within the healthcare system.
- Health Insurance Information: Including policy numbers and group information. With this, fraudsters can make false claims for medical services under your insurance.
- Diagnosis and Treatment Information: This is perhaps the most private part. Extremely personal data like diseases you've had, treatments you've received, and medications you use. The exposure of this type of information can have devastating consequences, not just financially, but for your personal and professional life as well.
The combination of this data is a treasure trove for cybercriminals, and using it to obtain care in someone else's name is what's known as "medical identity theft." Someone could use your information to receive medical services, get prescriptions, and have all of it recorded in your medical history. That can jeopardize your future care; for example, it could lead to your blood type or allergies being incorrectly recorded. That's why this breach carries deep and lasting risks that can't be fixed with a simple password change.
How the Attack Happened
Datavant has been quite tight-lipped about the technical details of the attack. Court documents and public statements do not provide a clear explanation of exactly how the cyberattackers breached their network. This is often part of a strategy to protect ongoing security enhancements or the company's reputation. However, based on our experience in the cybersecurity world and similar cases, we can evaluate some likely scenarios.
One of the most common scenarios is a phishing attack. An employee clicking on a link in a legitimate-looking fake email or opening an attachment can provide attackers with their initial point of entry into the network. After this first step, attackers move laterally within the network to gain more privileges and access to data. Companies in the healthcare sector can be particularly vulnerable to these types of social engineering attacks due to their busy workflows.
Another strong possibility is an unpatched vulnerability. Security flaws discovered in software or servers used by companies leave an open door for attackers. If Datavant failed to promptly patch a known vulnerability in third-party software or its own systems, attackers could have exploited it. We shouldn't forget how vulnerabilities in managed file transfer software like MOVEit have led to massive breaches in recent years, and data-processing companies like Datavant commonly rely on such transfer tools to exchange files with their healthcare customers.
Finally, misconfigured cloud storage is also a common problem. A storage bucket left readable by anyone, with no access controls on it, can be found and downloaded by anyone enumerating bucket names; encryption at rest does not help here, because the storage service decrypts the data for whoever is allowed to read it. While this isn't a direct "hack," it is a disclosure of data through negligence and carries equally serious legal consequences. Datavant's reluctance to explain exactly how the event occurred means any of these scenarios, or a combination of them, remains plausible.
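The third scenario is the one that is easiest to catch before an attacker does. As an added example that is not part of the original article and does not describe Datavant's systems, the Python below audits an S3 bucket policy and its Block Public Access settings for the anonymous-read misconfiguration described above; the bucket name, account ID, role name, and VPC endpoint ID are constructed for the example. It shows the weak policy beside a hardened one, and it deliberately treats any Condition as narrowing the grant and a Deny with Principal "*" as legitimate, so it under-reports rather than raising false alarms.

```python
"""Audit an S3 bucket policy for anonymous read access (added example; the bucket,
account, role and VPC endpoint IDs below are constructed and not Datavant's)."""
import json
from fnmatch import fnmatch

DATA_ACTIONS = ("s3:GetObject", "s3:ListBucket")  # read contents / enumerate keys
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy grammar allows a scalar or a list in most fields."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when Principal matches every caller, authenticated or not."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return principal == "*"


def find_public_grants(policy):
    """One finding per statement that gives the whole internet data access.

    Flagged: Effect Allow, Principal "*", a data action, and no Condition.
    Any Condition (aws:SourceVpce, aws:SourceIp, ...) is assumed to narrow the
    caller, so the check can under-report but never flags a conditioned grant.
    A Deny with Principal "*" (e.g. forcing TLS) is correct and is skipped.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        exposed = [a for a in DATA_ACTIONS if any(fnmatch(a.lower(), p) for p in patterns)]
        if exposed and not stmt.get("Condition"):
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: {', '.join(exposed)} on "
                            f"{', '.join(_as_list(stmt.get('Resource')))} is open to anyone")
    return findings


def public_access_blocked(block_config):
    """True only when all four S3 Block Public Access settings are on."""
    return all(block_config.get(k) is True for k in BLOCK_SETTINGS)


def audit_bucket(policy, block_config):
    """Everything an operator should act on for one bucket."""
    findings = find_public_grants(policy)
    if not public_access_blocked(block_config):
        findings.append("S3 Block Public Access is not fully enabled")
    return findings


# Constructed sample input, shaped like `aws s3api get-bucket-policy` output.
# Weak: anyone who learns the bucket name can download every object.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-patient-exports/*"}]}""")
WEAK_BLOCK = dict.fromkeys(BLOCK_SETTINGS, False)

# Hardened: one named role may read, a Principal "*" grant is narrowed to a
# single VPC endpoint, and plaintext HTTP is denied for everyone.
HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AnalyticsRoleRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-ingest"},
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-patient-exports", "arn:aws:s3:::example-patient-exports/*"]},
  {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-patient-exports/*",
   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
  {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-patient-exports/*",
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")
HARDENED_BLOCK = dict.fromkeys(BLOCK_SETTINGS, True)

if __name__ == "__main__":
    for label, pol, blk in (("weak", WEAK_POLICY, WEAK_BLOCK),
                            ("hardened", HARDENED_POLICY, HARDENED_BLOCK)):
        print(f"{label}: {audit_bucket(pol, blk) or 'no findings'}")
```

To run this against real buckets, feed `audit_bucket` the policy from `aws s3api get-bucket-policy` (its `Policy` field is a JSON string, so it needs a second `json.loads`) and the `PublicAccessBlockConfiguration` object from `aws s3api get-public-access-block`. The second check matters even when the policy looks clean: Block Public Access is the guard rail that stops a later policy or ACL change from quietly opening the bucket.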
Who Is Affected
The victims of this data breach are not people who are direct customers of Datavant. This is a very important point. Datavant is a B2B (business-to-business) company that provides data management and analytics services to hospitals, clinics, insurance companies, and other healthcare organizations. So, you've probably never heard the name Datavant before, but your doctor's office or insurance company was using their services to process your data.
Therefore, those affected are the patients of these healthcare organizations that used Datavant's services. This situation is a perfect example of what is known in cybersecurity as a "supply chain risk." You entrust your data to your trusted hospital, but that hospital works with another company to process that data. If that third-party company suffers a breach, your data is also at risk. That's why the class for this lawsuit is composed of patients who received services from healthcare providers that were Datavant customers during a specific period. If you received a notice by mail or email about this lawsuit, you are likely part of this group. The settlement documents clearly define who is eligible to benefit from the case, and it generally includes individuals whose data was on Datavant's systems at the time of the breach.
What You Can Do
If you think you've been affected by this data breach or have received a notification, there are concrete steps you can take instead of just waiting. Here's what you should do, beyond the cliché "change your password" advice, that is specific to this situation:
- Check the Settlement Website: Class-action settlements usually have their own official websites. Through this site, you can check if you are included in the class and access the necessary forms to file a claim. You can find this site by searching for something like "Datavant class action settlement."
- File a Claim (Fill out a Claim Form): To get a share of the settlement fund, you need to fill out a claim form before the deadline. This form may ask you to document your expenses due to the breach. For example, you can claim reimbursement for fees paid to freeze your credit reports, money paid to lawyers or consultants to resolve identity theft, or for the time you lost dealing with these issues (usually at a specific hourly rate). Keep your documents (invoices, receipts).
- Review Your Medical Records and Insurance Statements: This is the most critical step. Carefully review the "Explanation of Benefits" (EOB) documents from your insurance company. Are there any treatments you didn't receive, doctors you didn't visit, or medications that weren't prescribed to you? If you see any suspicious entries in your own medical records, contact your healthcare provider and insurance company immediately. Medical identity theft is a difficult problem to fix.
- Place a Security Freeze on Your Credit Reports: This is a stronger measure than a fraud alert. You can contact the three major credit bureaus (Equifax, Experian, TransUnion) to place a freeze on your reports. This makes it nearly impossible for someone to open a new credit account in your name without your permission. This process is usually free, and you can temporarily lift it when you need to.
What the Company Is Saying
Datavant Group has maintained a consistent stance throughout the lawsuit and in the settlement announcement. The company vehemently denies any allegations of wrongdoing or negligence. This is standard in class-action settlements: a no-admission-of-liability clause (often described as "no admission of guilt") lets the company end the lawsuit while preventing the settlement from being used as evidence of fault in any future case.
A company spokesperson stated, "Data security and the privacy of our customers are our highest priorities. We believe our systems have always been robust and in line with industry standards. However, considering the distractions and costs that continued litigation would entail, we have decided that reaching a settlement with the plaintiffs is the most constructive path forward for all parties. This settlement does not constitute an admission of any fault." They also added that they have made additional investments to further strengthen their cybersecurity infrastructure and have tightened their audit processes since the incident. Such statements are carefully crafted to both protect their legal position and to send a message to current and potential clients that they take security seriously.
Source
https://www.hipaajournal.com/datavant-group-class-action-data-breach-settlement/