The University of Miami recently agreed to a proposed settlement of class action allegations that it failed to adequately safeguard and secure medical records of former patients, thus leading to a 2013 breach of its storage systems. Last year, billing vouchers for over 13,000 patients stored by an off-site storage vendor went missing, exposing the name, date of birth, Social Security number, physician name, facility, insurance company name, medical record number, and procedure diagnostic codes of each affected individual. The plaintiff, one of the former patients, alleged that an unauthorized person accessed, misused, and disclosed the personally identifiable information in these records, and that she had suffered financial harm due to the breach because money was withdrawn from her bank account. Plaintiff further claimed that the university failed to notify affected former patients within 60 days of its discovery of the breach as promised in its “Notice of Privacy Practices,” instead waiting six months to send notification letters. Under the settlement agreement, Miami will conduct various risk assessments, perform remediation of any identified problems, and ensure vendors have adequate security controls in place. The university has agreed to pay $100,000 in individual claims, $90,000 in attorneys’ fees, and $1,500 to the named plaintiff. The parties have asked the federal district court to approve the recently-filed proposed settlement agreement.
Tip: This case serves as a reminder that security incidents can lead to class action allegations. To avoid potential suits, companies would be well served to carefully assess vendors’ data security measures. We will continue to monitor whether plaintiffs in other cases use statements regarding the timing of breach notice against a company. In the meantime, companies may wish to examine any such representations that they make.