CorrectCare Integrated Health LLC (CorrectCare) settled a class action lawsuit associated with a 2022 data breach impacting approximately 600,000 individuals. The court granted final approval of the settlement, which cost CorrectCare $6.49 million.
CorrectCare, a third-party administrator based in Kentucky, helps correctional facility inmates access healthcare providers and handles medical claim payments. In July 2022, CorrectCare discovered a web server misconfiguration that had left two file directories publicly accessible on the Internet without requiring authentication. As a result, sensitive data was exposed online from January 22, 2022 until July 7, 2022. The compromised information included names, birth dates, inmate numbers, limited health details (such as CPT codes, diagnosis codes, treatment dates, and providers) and, in some cases, Social Security numbers. The affected individuals received treatment from January 1, 2012 to July 7, 2022.
In December 2022, the law firm Shub & Johns filed a class action lawsuit in the U.S. District Court for the Eastern District of Kentucky. On March 23, 2024, an amended complaint was filed with co-lead counsel Benjamin F. Johns, an S&J partner. Despite CorrectCare’s motion to dismiss the case, the lawsuit proceeded until the plaintiffs and CorrectCare reached a tentative settlement. Preliminary approval for the settlement was granted in April 2024, and the claims submission deadline was set for August 27, 2024. On September 17, 2024, Chief Judge Danny C. Reeves granted final approval for the settlement worth $6.49 million.
Over 100,000 claims were submitted, representing about 17% of the class. Some people failed to file a claim by the original deadline, but class counsel gave an extension for filing claims. Class counsel noted that many persons involved in the lawsuit would not have pursued legal action by themselves. Without the class action, the breach victims might not have been compensated for the breach. Legal fees will account for 33% of the $6.49 million settlement, $12,313 will cover litigation expenses, and five named plaintiffs will each get a $2,500 service award.
Although CorrectCare has settled the lawsuit, the company must still look into providing HIPAA training for employees to help avoid future data breaches.