
Edition 2: Administering Medical Data Breach Cases

Attorneys Jeff Ostrow of Kopelowitz Ostrow, Gary Klinger of Milberg, and Casie Collignon of BakerHostetler asked Epiq:

What are some of the important considerations plaintiff and defense attorneys should be aware of regarding administration of medical-related data breach cases?

Joyce Hyatt Benton

Joyce Hyatt Benton, Manager, Client Services: The health care industry continues to see an increase in medical data breaches. Settlements for these incidents require unique considerations when deciding the best remedies for class members. In addition to exposure of class members’ Personally Identifiable Information (PII), medical data breaches have the additional complexity of breach of Protected Health Information (PHI), including financial information, insurance information, and medical records.

Similar to non-medical data breach settlements, class members can typically file claims to recover out-of-pocket expenses, including documented monetary losses associated with the data incident, and credit monitoring or identity theft protection for a specified period.

Because damages from medical-related incidents are often more difficult to detect and link to a specific financial impact, and may occur over a longer period of time, offering remedies such as pro-rata cash awards is a common way to compensate class members for potential harm due to the exposure.

Beyond pro-rata cash awards, there are a number of enhanced medical and financial account monitoring remedy options available, with real-time alerts, recovery support, and identity theft insurance. Often, these services are an added value for individual class members, offering protection against misuse of the following: 

  • Health insurance policy data to file claims;
  • Beneficiary data;
  • Medical and health records;
  • Health care professional National Provider Identifier (NPI) and credentials; and
  • Health Savings Account theft.

Epiq works with clients to determine the best solutions available for each unique medical data breach settlement. The earlier in the process these discussions take place, the more efficiently and effectively we can plan the delivery of these solutions.

Edward Dattilo

Edward Dattilo, Senior Project Manager, Client Services: Many medical data breach cases involve damages to the class that are more sensitive in nature, so being conscious about what personal medical information may have been breached is a top priority.

Data stewardship and data governance are especially important in these matters. Class lists contain some level of Personally Identifiable Information (PII) or Protected Health Information (PHI), and as administrators, we’re trusted to protect and manage this data in a secure way.

Epiq’s data governance policies ensure that class data remains protected and private. In addition to providing a secure file transfer to safely deliver the data, Epiq offers our top-of-the-line proprietary system of record, Ranger, which utilizes an encryption algorithm to securely store and manage class member data to comply with HIPAA regulations. 

Another consideration is the importance of providing the class with details of what PII or PHI may have been impacted by a data breach, because many individuals are naturally concerned when hearing their personal medical data may have been compromised.

It can sometimes be a challenge to strike the right balance between keeping data private and providing relevant details about the breach to the class. However, it is achievable by working with our clients to address this early in the settlement process.

For example, choosing a direct notice method that ensures class member information is private during transport and delivery, and including a summary of what information may have been impacted within the notice can make a big difference downstream. This answers common questions for many individuals and, therefore, limits the costs associated with increased correspondence administrators receive when individuals inquire about what data may have been compromised in the breach.

Carefully crafted noticing documents will provide clarity and reassurance for class members.

Adam Raas

Adam Raas, Director of Operations, Print and Mail: When assessing options for sending direct noticing for health care data breach projects, it is important to review what class member live data will be included on the notice. 

For medical data breach noticing, the recommended options are either: 1) sending a double postcard notice, which has four panels (sides), including two interior panels, or 2) enclosing each standard sized paper notice inside of an envelope. This decision is largely based on the amount of information being sent to class members and the associated budget for the case.

Epiq’s team of United States Postal Service (USPS) certified Mail Design professionals reviews each selected mail piece type to ensure USPS standards are adhered to, and that no sensitive Personally Identifiable Information (PII) or Protected Health Information (PHI) is revealed beyond the class member name and address needed to send the mail piece.

When using a postcard notice, sensitive information is placed on the inside of the postcard and the postcard is sealed with glue dots, or a security tab is affixed, so the information stays private. When sending notices or claim forms inserted into envelopes, mailer sheets are used to ensure that no information outside of the name and address is present on the mail piece, and the envelopes have security tinting to prevent content being visible through the envelope.

As notices are produced and data moves from the digital to physical space, Epiq’s physical security ensures no unauthorized access to the print and mail areas of our facility. This includes secure entry, 24/7 camera monitoring, and rigorous background checks of all employees. After printing, sensitive material is held in secure storage within our secure facility, which provides an extra layer of protection to physical print pieces. All mail is delivered directly to the USPS by trucks driven by Epiq employees and handed directly to USPS employees.

Our mail piece design and physical security measures ensure class members’ data is safe and secure throughout the mailing process.

Stacy Sargent

Stacy Sargent, Legal Notice Manager, Epiq Legal Noticing: Both plaintiff and defense attorneys should be aware of several key factors when handling medical data breach cases, particularly concerning HIPAA compliance and how it impacts certain aspects of court filings, such as opt-out reports.

First, when providing opt-out reports to the court, it’s important to understand if there are any HIPAA regulations covering the information of the impacted class members, and then how to file this information with the court. In our experience, reports with class member information, such as opt-out reports, often need to be filed under seal to protect class members’ identities.

Second, a masked return address may be necessary for the physical mail piece. A return address that in some way identifies the harm the class member suffered could be damaging and should be avoided. Instead, using a return address to the notice administrator that does not identify the case name, defendant(s), or medical data breach at issue is advised.  

Third, the notices that are sent out to class members need to be clear, concise, and easily understood – in plain language. It’s important to avoid technical jargon and legal terms that may confuse the class members.

A medical data breach notice should provide specific details about the breach, including what type of Personally Identifiable Information (PII) and/or Protected Health Information (PHI) was compromised and how it was used (if known), the potential risks for class members as a result of the data breach incident, and what steps are being taken to mitigate the harm.

Given the ongoing nature, potential repercussions, and highly sensitive nature of medical information often involved in a medical data breach, notice language should be conveyed in a tone that is both sensitive to the situation and informative of class members’ legal rights.