Eye Physicians of Central Florida has agreed to settle a class action lawsuit related to a 2023 data breach that exposed the information of 31,189 patients. The healthcare provider identified the breach on November 5, 2023, after noticing suspicious activity in the organization’s computer network, and subsequent investigation confirmed unauthorized access by a third party.
Scope of the Breach
The breach involved systems containing extensive categories of patient information. The compromised data included names, birth dates, addresses, provider names, medical diagnosis and treatment details, patient ID numbers, dates of service, procedure codes, treatment cost information, financial account information, state ID, medical insurance information, and prescription details. Eye Physicians of Central Florida reported the incident to the Department of Health and Human Services’ Office for Civil Rights.
Litigation Background
The Connell v. Eye Physicians of Central Florida, P.L.C. class action lawsuit was filed in the Circuit Court for Orange County, Florida. Plaintiff Alisa Connell brought the case individually and on behalf of patients whose data was exposed. Eye Physicians of Central Florida sought dismissal of the lawsuit and achieved partial success, but the case continued after the plaintiff filed an amended complaint alleging negligence and breach of fiduciary duty. The litigation proceeded for 18 months before the parties entered private mediation, which resulted in a settlement agreement.
Eye Physicians of Central Florida denies wrongdoing and liability, and continues to reject all claims and allegations made in the lawsuit. The settlement was reached without admission of fault.
Settlement Terms
The settlement provides defined benefits for affected patients. Class members are eligible for two years of credit monitoring and identity theft protection services, which include a $1 million identity theft insurance policy. In addition, class members may submit claims for reimbursement of documented, unreimbursed losses linked to the breach. Compensation is available for attested lost time of up to three hours at $25 per hour. Reimbursement claims are capped at $2,000 per class member for ordinary losses and $7,500 for extraordinary losses. The settlement does not provide an alternative cash payment option.
Compliance Implications
The case highlights the litigation risks associated with unauthorized access to protected health information (PHI). The exposure of medical, financial, and insurance data shows the need for compliance with the HIPAA Security Rule and the HIPAA Privacy Rule. Covered Entities and Business Associates must implement safeguards to prevent unauthorized access and mitigate potential liability. The settlement terms illustrate the types of remediation measures that may be required when patient data is compromised.
