The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

SuperCare Proposes $2.25 Million Settlement to Resolve Data Breach Lawsuit

The Californian home care service provider, SuperCare, has proposed a $2.25 million settlement to resolve a class action lawsuit filed in response to a 2021 hacking incident in which the protected health information of 318,379 patients was compromised.

SuperCare detected a network intrusion on July 27, 2021, and the subsequent forensic investigation determined hackers had access to its network from July 23, 2021, to July 27, 2021; however, it took until February 4, 2022, to determine that patient information had been compromised. Files on the compromised parts of the network contained names, addresses, dates of birth, hospital or medical group, patient account numbers, medical record numbers, health insurance information, test results, diagnoses, treatment information, other health-related information, and claims information, and, for some individuals, Social Security numbers and driver’s license numbers. Affected individuals were notified on March 25, 2022, 8 months after the breach was detected.

A lawsuit was filed against SuperCare shortly after the data breach was announced that accused SuperCare of violations of California’s Confidentiality of Medical Information Act, the Federal Trade Commission (FTC) Act, and the Health Insurance Portability and Accountability Act (HIPAA) due to the failure to implement reasonable and appropriate cybersecurity measures to protect against a known risk of cyberattacks and data breaches, and the failure to issue timely notifications about the data breach. Further, when notifications were finally sent, the content of those notifications was lacking key information about the data breach, and no explanation was provided as to why it took so long for the notifications to be issued. The lawsuit also claimed affected individuals were not provided with adequate credit monitoring services or other remedies to reduce the risk of misuse of their sensitive data.

Under the terms of the proposed settlement, two tiers of benefits are being offered. Claims can be submitted for tier 1 benefits which include a cash payment of $100. The second tier allows claims up to a maximum of $2,500 to cover out-of-pocket expenses incurred as a result of the data breach, along with up to 4 hours of lost time at $25 per hour. All class members are entitled to claim one year of three-bureau credit monitoring services, which includes a $1 million identity theft insurance policy.

Get the FREE
HIPAA Compliance Checklist

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

The deadline for exclusion from or objection to the settlement is June 5, 2023. Claims must be submitted by July 5, 2023, and the final approval hearing for the settlement has been scheduled for August 28, 2023.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.


Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist