A $3 million settlement has been proposed by iCare Acquisitions to resolve claims of individuals who were affected by a 2021 data breach. This impacted around 3.3 million members of the 20/20 Hearing Care Network health plan and the 20/20 Eye Care Network. The settlement will benefit individuals who received a data breach notification from either 20/20 Hearing Care Network or 20/20 Eye Care Network following the January 2021 data breach.
Settlement website – 2020EyeCareDataBreach.com
Objection deadline – 04/03/2023
Exclusion deadline – 04/03/2023
Claim Form – https://2020eyecaredatabreach.com/Home/SubmitClaim
Deadline for submitting the claim – 05/01/2023
Final Hearing date – 06/22/2023
Settlement amount – $3M
Potential claim amount – $5,000
Proof of purchase – Documentation of data breach-related expenses
20/20 Eye Care Network and 20/20 Hearing Care Network are health plan networks providing both vision- and hearing-care coverage. These networks are part of iCare Acquisition. Suspicious activity was detected in the AWS cloud storage environment followed by the detection of a security breach in January 2021. As per the forensic investigation, attackers gained unauthorized access to the AWS S3 storage buckets. Their contents were downloaded and then the buckets were deleted. It comprised of sensitive health credentials of health plan members including their names, date of birth, social security number, health insurance information, and member ID numbers.
The nature of the attack was such that the exact individuals who were affected and the extent of information stolen couldn’t be clearly determined. This is why notification letters were remitted to 3,253,822 individuals who were at an increased chance of being affected by the data breach. The notifications were sent out in May 2021 to affected individuals and complementary identity theft protection and credit monitoring services were offered to them. Insider wrongdoing was blamed for the data breach which left the data of different plan members exposed over the internet.
A lawsuit was filed against 2020/ Eye Care Network and iCare Acquisitions in the U.S District Court alleging that the defendant’s failure to implement appropriate cybersecurity measures led to the data breach. The plaintiffs further alleged that 2020/ Eye Care Network and iCare Acquisitions failed to adhere to the HIPAA obligations and the industry-standard cybersecurity best practices. The defendants were also charged for taking a long time in issuing notifications to the affected parties which were sent 3 months following the discovery of the data breach.
Fraudulent online purchases were made using the plaintiff’s credit card shortly after being notified about the data breach. She also experienced a steep increase in voice phishing calls and all her emails were diverted to another address. Although iCare Acquisitions and the 20/20 Eye Care Network didn’t admit to any wrongdoing they have agreed to the proposed settlement for avoiding the uncertainty of trial and ongoing legal costs. A fund of $3000000 will be created for covering the claims of individuals who were affected by the data breach.
Legal fees will be deducted from the settlement amount before honoring the claims of class members which might be paid on a pro-rata basis depending on the number of claims received. Class members can submit claims of up to $2500 for out-of-pocket losses which will include up to 10 hours of lost time at $25 per hour. Individuals can claim up to a maximum of $5000 and an aggregate maximum of $600000 for documented losses suffered because of fraud and identity theft that haven’t been reimbursed to date. The credit monitoring services shall be offered for 36 months and as an alternative, class members can opt for a cash payment of $50. This cash payment might be reduced depending on the number of claims filed.
