Great Expressions Dental Centers decided to resolve a class action lawsuit arising from a 2023 data breach that affected the personal data and protected health information (PHI) of 1,925,397 people.
Great Expressions Dental Centers based in Bloomfield Hills, MI, which manages 246 dental practices in 9 U.S. states, encountered a cyberattack last February 2023 that impacted its IT systems. The hackers accessed its systems 6 days from February 17 to February 22, 2024, and exfiltrated patient data files. Those files included data like names, dates of birth, contact details, driver’s license numbers, Social Security numbers, financial account data, credit/debit card numbers, billing data, medical insurance details, prescription data, diagnoses, treatment details, x-ray photos, and medical and dental backgrounds. Great Expressions Dental Centers mailed notification letters to the impacted individuals at the beginning of May 2023.
Many lawsuits have been filed because of the data breach. These lawsuits were combined into one class action – In re Great Expressions Data Security Incident Litigation – filed in the U.S. District Court for the Eastern District of Michigan. The plaintiffs claimed Great Expressions Dental Centers did not apply reasonable and proper cybersecurity procedures to safeguard the sensitive information stored on its system. Insufficient HIPAA training and protection meant hackers could access its internal system and steal patient information.
Great Expressions Dental Centers did not admit any wrongdoing but decided to resolve the lawsuit to end the litigation and prevent the uncertainty of trial. Based on the conditions of the settlement, the dental center will create a $2.7 million fund to pay the plaintiffs’ and class members’ claims, attorneys’ rates, and legal expenses. People who got a notification letter from Great Expressions Dental Centers are eligible to claim the benefits. The nature of those benefits is dependent on whether people had exposed their Social Security numbers (SSNs) during the cyberattack. The SSN subclass is eligible to get paid up to $500 cash aside from submitting a claim for ordinary and extraordinary expenses. The maximum cash payments are fixed at $300,000 and claimants will receive payments pro rata in case that total is hit.
For the SSN subclass, claims could be filed for as much as $500 for ordinary expenses sustained from February 17, 2023, to the claims due date. Ordinary costs may consist of around 2 hours of lost time valued at $20 an hour. Claims may be filed for extraordinary expenses up to $5,000, which consist of unreimbursed expenditures reasonably trackable to the data breach that is not included under ordinary expenditures. Claims for reimbursement of losses must have proper documentation. The non-SSN subclass could file a claim for around 2 hours of lost time valued at $20 an hour.
The court has given the settlement its initial approval. The schedule of the final fairness hearing will be on December 12, 2024. Filing an exclusion from an objection to the settlement is no longer possible. But claims submission is until November 8, 2024. The legal representatives of the Class were Joseph M. Lyon of the Lyon Firm and Patrick A. Barthle II of the Morgan & Morgan Complex Litigation Group.