Genetic testing company Ambry Genetics has agreed to pay $12.25 million to settle claims that it failed to protect patient information in a data security incident that occurred in January 2020, SC Media reported Sept. 14.
The lawsuit stems from an email incident first reported by the vendor in April 2020, where an attacker gained access to an employee email account.
The account contained protected health information of patients including names, medical information, diagnoses and medical service details.
A small number of patients also had their Social Security numbers breached.
The investigation could not verify whether the hacker accessed or exfiltrated the data. However, the impacted patients quickly filed a lawsuit, alleging that the attack could have been remedied if Ambry had been aware of the gaps in its data security and had adopted industry best practices.
The patients also alleged that Ambry failed to notify them about the breach, as the notice was sent about two months after the 60-day requirement outlined in HIPAA.
The $12.25 million settlement provides financial restitution for the affected patients, while $2.25 million of this fund will go toward covering the costs of the notice plan, administrative expenses and the cost of three years of credit monitoring and identity theft insurance services for affected patients.