A class action against the eye-care provider Nationwide Vision and the vision plan provider Sightcare has been settled for $3.45M.
The lawsuit arose out of a 2021 data breach that compromised the personal information of thousands of its users. The data of current and former patients, customers, staff, members, and covered dependents was compromised between April 20 and May 17, 2021.
A cyberattack by a third-party targeted email and computer systems and put personal information at risk. An investigation into the breach revealed that full names, dates of birth, addresses, social security numbers, taxpayer numbers, driver's license numbers, financial information, medical information, prescriptions, health insurance information, and billing information may have all been obtained in the breach.
The lawsuit alleged the defendants failed to protect patients and staff. The plaintiffs claim consumer protection laws were breached through negligence and, according to the complaint, that the defendants did not have enough safeguards in place to adequately protect sensitive data.
Moreover, the defendants are accused of failing to provide timely and accurate notices of the breach.
Source: Emma Crabtree, "Americans to get $300 payment from $3.45m pot after company 'failed to protect them' – certain customers will get $5,400," the-sun.com (Jul. 13, 2024)
Commentary
Depending on your industry, information security and data breach notification requirements are found in the Privacy Act of 1974, the Federal Information Security Management Act, Office of Management and Budget guidance, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit Reporting Act. Provisions of the Computer Matching and Privacy Protection Act of 1988 and Section 208 of the E-Government Act of 2002 should also be noted. Various federal regulatory bodies or agencies are charged with enforcing these rules.
Moreover, all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted legislation requiring private entities or government agencies to notify individuals affected by security breaches that may compromise their personally identifiable information. Actions for violations of these acts may be brought by the attorney general of each state or, in some cases, by private action.
And employers with a hemispheric or global presence should be aware of the requirements and penalties found in Canada's Digital Privacy Act (DPA) and Personal Information Protection and Electronic Documents Act (PIPEDA) and in the European Union's General Data Protection Regulation (GDPR).