A revenue cycle management company has agreed to a $7 million settlement in a class action lawsuit that it faced after one of its employees inadvertently uploaded and exposed the personal information of 136,000 individuals on the public-facing portion of GitHub for more than a year.
MedData, which is now part of Elevate Patient Financial Solutions, will cover certain individuals for up to $5,000 in out-of-pocket expenses. Remaining members of the class will receive up to $500. In addition, all members of the class are eligible to receive three years of complimentary health data and fraud monitoring on their accounts and $1 million in fraud and medical identity theft coverage, according to a published report.
The information that was uploaded to GitHub included the names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers for several of the company’s clients. The information was removed when the company was alerted to the disclosure, but that was more than a year after it was uploaded. An independent researcher discovered the information and tried to inform the company about it on multiple occasions, but the company allegedly failed to acknowledge the information, even going so far as to block the researcher on LinkedIn, according to a published report.
Along with paying out the settlement, the company is required to implement an enhanced cybersecurity program for the next two years that will include:
- Annual cybersecurity testing and training on data privacy
- Robust monitoring and auditing for data security issues, including firewalls and up-to-date anti-malware programs
- Data encryption and access controls
- Annual penetration testing
- A data deletion policy
- A monitored internal whistleblowing mechanism