Settlement Agreed to Resolve Comprehensive Health Services Data Breach Lawsuit
Acuity International (formerly known as Comprehensive Health Services, LLC / CHS, LLC), a provider of medical management support services, has agreed to a settlement to resolve a class action lawsuit that was filed in response to a 2020 cyberattack and data breach that impacted 106,910 individuals.
Suspicious activity was detected within the systems of Comprehensive Health Services on September 30, 2020, following the discovery of fraudulent wire transfers; however, it took until November 3, 2022, to determine that personal and protected health information had been compromised in the incident, including names, dates of birth, and Social Security numbers. Affected individuals were notified about the breach on January 20, 2022, and February 14, 2022.
On April 4, 2022, a lawsuit – Arbuthnot v. CHS, LLC – was filed in the US District Court for the Middle District of Florida in response to the breach that alleged a failure to protect sensitive data against unauthorized access, violations of the HIPAA Security Rule, and unreasonable delay of more than 16 months to inform individuals that their personal and protected health information had been compromised. As a result of the alleged negligence, plaintiff Shannon Arbuthnot and the class members claim they suffered harm and incurred out-of-pocket expenses dealing with the breach and protecting themselves against misuse of their information.
A settlement was proposed in February 2023 to resolve the lawsuit that has now been finalized, pending final approval by a judge. Acuity maintains there was no wrongdoing and proposed the settlement to avoid the cost, disruption, and distraction of further litigation. The settlement has been approved by Acuity, the class representative, and their legal teams, and is believed to be fair, reasonable, and adequate.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Under the terms of the settlement, individuals who were notified that they had been impacted by the data breach can submit a claim for compensation for ordinary out-of-pocket losses and lost time up to a maximum of $500 per class member, which can include up to 3 hours of lost time at $20 per hour. The claim can include documented losses due to bank fees, phone charges, data charges, postage, costs of credit reports, and any credit monitoring or identity theft protection services purchased between September 30, 2020, and the date of the settlement.
Individuals who were victims of documented identity theft that is reasonably traceable to the data breach are entitled to submit a claim for compensation for extraordinary losses up to a maximum of $3,500 per class member. Extraordinary losses include actual, documented, and unreimbursed monetary losses incurred between September 30, 2020, and the date of the settlement that were more likely than not due to the data breach. In addition, Acuity will cover the cost of two years of credit monitoring services for all class members.
In addition to reimbursing class members for expenses and losses, Acuity has agreed to make security improvements to reduce the risk of future data breaches, many of which have already been implemented. The deadline for exclusion from or objection to the settlement is July 5, 2023, the deadline for submitting a claim is August 3, 2023, and the final approval hearing has been scheduled for August 11, 2023.
The plaintiff was represented by Jon Kardassakis of Lewis Brisbois Bisgaard & Smith, LLP, and the class was represented by John A Yanchunis of Morgan & Morgan and David K Lietz of Milberg Coleman Bryson Phillips Grossman PLLC.