Proposed Settlement in Lawsuit Tied to Insider Breach
Are Class Action Suits Stemming From Insider Breaches Easier for Plaintiffs to Win?
A proposed settlement of a class action lawsuit against an Alabama hospital provides a total of up to $150,000 in relief to more than 1,200 individuals affected by a breach involving a former employee who was convicted of identity theft that led to federal tax refund fraud.
The 2014 lawsuit alleged negligence and breach of contract by Dothan, Alabama-based Flowers Hospital because of the theft by a former lab technician of "thousands of paper records" containing patients' information.
The settlement now awaits final court approval.
The lawsuit claimed that from approximately June 2013 until about February 2014, thousands of paper records of Flowers Hospital patients were left "unguarded, unprotected, and/or otherwise subject to theft by Flowers employees and other third parties who otherwise had no reason to be in possession of such information."
The proposed agreement filed in an Alabama federal court on July 20 provides 1,208 "settlement class members" reimbursement of up to $250 each if they submit "valid claims" for their purchase of credit monitoring/identity theft protection as a result of the breach.
Settlement class members are also eligible to receive reimbursement for "up to four hours of documented lost time spent dealing with the data theft or alleged identity fraud," the cost of credit reports purchased primarily because of the incident and un-reimbursed interest related to a delayed tax refund based on a fraudulent tax return filed after June 2013 and prior to the claims deadline.
Attorney Steven Teppler of the Abbott Law Group, who is not involved in the case but who has represented plaintiffs in other breach-related litigation, says it's unusual for a lawsuit settlement to include reimbursement for time lost dealing with the effects of the breach and interest for delayed tax refunds. "These payments are appropriate but unusual," he says.
Court documents also note, however, that under the agreement, "no payment shall be made for emotional distress, personal/bodily injury or punitive damages."
Other stipulations are also noted in the proposed settlement. For instance, "for claims in excess of $250, the settlement administrator may request, and the claimant must disclose upon request - if known - all other notices of a breach involving any of their payment card data or other personal information the claimant has received in the three-year period preceding the date of the settlement class member's claim. ... If the claimant has received no such notice, the claimant must so state."
The settlement agreement also states: "The total amount of relief ... that can be awarded to any one settlement class member is $5,000. If the total amount of claims submitted exceeds $150,000, then the claims will be reduced pro rata as to all claims ... so that the total amount paid by Flowers does not exceed $150,000."
Why Was Case Settled?
Many breach-related class action lawsuits are dismissed by the courts as a result of the lack of evidence of harm caused. And settlements are relatively uncommon.
The plaintiffs' case in the Flowers Hospital incident was likely strengthened by the fact that a former employee was found guilty of crimes involving the stolen information.
"Insider threats are very hard to defend against, and often involve clear harm to victims, such as identity theft," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "As a result, I expect that we will see other, similar breaches, lawsuits and settlements."
When it comes to pursuing data breach lawsuits in cases involving insiders, plaintiffs can sometimes have an advantage, Greene notes.
"Insider cases are sometimes easier for plaintiffs than cases involving hackers, since there is often clearer evidence of what was done with the information," he says. "For example, when an employee steals Social Security numbers, the resulting harm is often more immediate and directly tied to the theft compared to when an unknown hacker steals large amounts of data for unknown reasons."
Teppler predicts that litigation and potential settlements in cases involving insider breaches "where there's negligent hiring or supervision is something you will see more of." Factors that need to be considered, he says, include whether the employer did a background check of the employee and whether it had security measures in place to help prevent criminal activity.
Neither Flowers Hospital nor attorneys representing class members in the case immediately responded to Information Security Media Group's requests for comment.