Fraser Child and Family Center, a Minnesota-based provider of autism, mental health, behavioral health, and disability services, has agreed to pay $750,000 to settle class action litigation arising out of a 2024 data breach.

Between May 30, 2024, and June 02, 2024, an unauthorized third party accessed parts of the healthcare center's IT environment which contained the protected health information of approximately 67,000 individuals. The stolen information included names, addresses, dates of birth, Social Security numbers, and medical information. Affected individuals were notified about the breach in September 2024.

Class actions were filed by four plaintiffs, individually and on behalf of their minor children and similarly-situated individuals. These lawsuits were consolidated into a single lawsuit in the District Court for Hennepin County, Minnesota. The class asserted several claims, including negligence, breach of contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and failure to provide adequate breach notifications.

Fraser Child and Family Center denied wrongdoing and liability and filed a motion to dismiss. However, all parties began to explore the possibility of early resolution of the litigation, and a settlement was agreed upon that was acceptable to all parties. The settlement agreement has received preliminary approval from the court.

Following the data breach, Fraser Child and Family Center implemented additional safeguards to protect information stored on its network.

A $750,000 settlement fund will be established to cover attorneys' fees and expenses, settlement administration costs, service awards for the plaintiffs, and benefits for the class members.

Source: https://www.hipaajournal.com/fraser-child-family-center-data-breach-settlement/

Commentary

The above data breach highlights the critical need for healthcare organizations to prioritize cyber loss prevention strategies. Of particular interest is the claim made above of "unjust enrichment".

Unjust enrichment occurs when one party benefits at the expense of another in a manner deemed unjust by the law. In the context of cyber breaches, attackers unlawfully gain access to sensitive information, which they can exploit for financial gain, causing harm to the affected individuals and organizations.

To mitigate the risk of unjust enrichment by cyber attackers, healthcare organizations must implement robust cybersecurity measures. This includes regular security assessments, employee training on data protection practices, and the adoption of advanced technologies to detect and respond to threats. Additionally, organizations should establish comprehensive incident response plans to minimize the impact of breaches when they occur.

The final takeaway is that by investing in cybersecurity, an organization not only protects sensitive information but also demonstrates a commitment to safeguarding patient privacy and maintaining trust. By proactively addressing potential vulnerabilities and enhancing their security posture, healthcare organizations can reduce the likelihood of data breaches and the associated risks of unjust enrichment by cyber attackers.