Cummins Behavioral Health Pays Up to $2.1 Million to Settle the Data Breach Lawsuit

by

Behavioral healthcare provider Cummins Behavioral Health located in Central and Western Indiana, consented to pay $2.1 million to settle a class action lawsuit filed by people impacted by a data breach in 2023.

On March 9, 2023, a threat actor left a ransom note for Cummins Behavioral Health stating that it infiltrated its network and extracted sensitive information. The healthcare provider investigated the incident to confirm if a breach indeed happened. The results indicated Cummins Behavioral Health’s network was subjected to unauthorized access from February 2, 2023 to March 9, 2023. The file analysis proved the theft of some sensitive data including the following protected health information (PHI): names, birth dates, addresses, Social Security numbers, medical insurance data, and payment card details.

The breach report was submitted to the HHS Office for Civil Rights on April 12, 2024, but the placeholder figure of 501 impacted persons was used. Until November 2024, the same figure remains on the OCR breach portal. However, the breach report submitted to the Maine Attorney General indicated that the personal data of 157,688 people was affected. Free credit monitoring services were provided to the impacted individuals.

In August 2023, Cummins Behavioral Health faced a lawsuit that was filed by individuals who claimed to have suffered from the data theft incident. In October, the healthcare provider filed a motion to dismiss the lawsuit because the plaintiff did not claim suffering a direct injury. The claim was only an impending and increased potential risk of fraud, which the accused said didn’t meet the standard of harm that is necessary for the case to stand in court. The filed motion to dismiss did not succeed.

Cummins Behavioral Health did not admit to wrongdoing but decided to settle the lawsuit for $2.1 million. Affected individuals may submit claims for benefits until November 20, 2024. According to the conditions of the settlement, people impacted by the data breach can opt to get one of these benefits:

  • Around $500 for recorded ordinary losses, for instance, out-of-pocket expenditures, credit monitoring services, and costs for credit reports.
  • Around $75 (for 3 hours worth $25 an hour) for lost time expended taking care of the security incident, backed by an attestation.
  • Around $5,000 as a refund for recorded, unreimbursed extraordinary losses, for instance, expenses for identity theft and fraud.
  • $65 cash
  • A no-cost trauma testing from the defendant.

The law agency Cohen & Malad LLP filed the lawsuit on behalf of the plaintiff.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone