
Law Firm to Pay $8M to Settle Health Data Hack Lawsuit


Orrick Herrington Cyberattack Compromised Clients’ Data, Affected Nearly 638,000


A global law firm that provides data breach legal services has agreed to an $8 million settlement to resolve a proposed class action lawsuit filed against the firm in the aftermath of its cyberattack last year, which affected some health sector clients and nearly 638,000 individuals.


Orrick Herrington & Sutcliffe’s proposed agreement with plaintiffs, filed last week in a northern California federal court, settles four consolidated proposed class action lawsuits filed against the San Francisco-based law firm last year in the wake of a March 2023 hacking incident.

That incident compromised the personal information of several Orrick clients, including vision benefits plan EyeMed and dental insurance plan Delta Dental of California. Initially, Orrick told regulators the breach affected about 153,000 people, but the firm subsequently updated its breach reports, and the last one, released in January, says 637,620 individuals were affected (see: Law Firm Facing Lawsuit in Aftermath of Its Own Big Breach).

Court documents in the litigation against Orrick say the firm frequently engages in the defense of data breach litigation. In such instances, Orrick collects the personal information of its clients’ clients. Some of that information – including names, addresses, birthdates and Social Security numbers – was compromised in the hacking incident (see: Law Firm Hack Affects Victims of an Earlier Breach Again).

Among other claims, the consolidated case alleges the law firm failed to implement adequate and reasonable measures to protect its computer systems, failed to prevent and stop the breach, and failed to detect and notify individuals about the breach in a timely manner – causing “substantial harm and injuries to plaintiff and the class.”

In December, Orrick filed a notice of proposed settlement in the U.S. District Court for the Northern District of California, which stayed the pending litigation over the hacking incident. But the details of the proposed agreement were not filed until April 11 (see: Fallout Mounting From Recent Major Health Data Hacks).

Under the proposed settlement, for which a court hearing is slated for May 17, Orrick has agreed to pay each class member up to $2,500 for documentable out-of-pocket expenses and up to $7,500 for documentable extraordinary losses.

As an alternative, class members can choose a cash payment of $75. California Subclass Members can claim up to $150 for California Consumer Privacy Act claims, subject to pro rata reduction or increase, depending on the number of claims.

Settlement class members are also entitled to seek three years of credit and identity monitoring, in addition to the 24 months of complimentary credit and identity monitoring Orrick offered in its breach notice.

Lawsuit plaintiffs may seek service awards up to $2,500 for their time and service in the litigation.

Also under the settlement, Orrick has agreed to make various changes to business practices that relate to data security.

“Orrick has also confirmed that, as a direct result of plaintiffs’ filing of the action, Orrick has already implemented several improvements to its data security,” the settlement document says.

“These enhancements include improving its detection and response tools, enhancing its continuous vulnerability scanning at both the network and application levels, deploying additional endpoint detection and response software, and with the help of an industry-leading cybersecurity vendor, performing additional 24/7 network managed detection and response,” the settlement document says.

Speedy Resolution?

While similar proposed class action lawsuits against breached entities often drag on for years in the courts, the proposed resolution of the Orrick data breach litigation, which was filed only about nine months ago, appears to follow the pattern of some other recent health data breach cases, legal experts said.

“Orrick’s rapid settlement of the data breach class actions is consistent with recent trends. Last year, Advocate Aurora Health settled data breach class actions ten months after the first lawsuit,” said regulatory attorney Paul Hales of the Hales Law Group, who was not involved in either case.

Advocate Aurora Health last August agreed to pay $12.25 million to settle consolidated civil class action claims that the Illinois-based hospital chain had invaded patient privacy by using tracking codes on its websites and patient portal. Advocate Aurora in October 2022 reported a HIPAA breach affecting 3 million individuals involving its prior use of web trackers (see: Health Entity Says Tracking Code Breach Affects 3 Million).

“Rapid class action settlements reflect business decisions to cut losses quickly,” Hales said. “Data breach settlements also reflect the growing power of class action lawsuits. The plaintiffs’ bar has developed strategies to maintain these lawsuits in federal and state courts,” he said.

“Large and high-visibility organizations struck by data breaches may fear private plaintiffs more than any other enforcer of privacy laws.”

Neither attorneys representing Orrick nor plaintiffs in the consolidated class action litigation immediately responded to Information Security Media Group’s requests for comment on the proposed settlement.