$6.49 Million Settlement for 600,000 Prisoners in Massive CorrectCare Data Breach Class Action
by Chuck Sharman
The U.S. District Court for the Eastern District of Kentucky granted final approval on September 17, 2024, to a $6.49 million settlement of a class-action complaint filed on behalf of almost 600,000 prisoners in four states whose personal information was exposed in a 2022 data breach suffered by Lexington-based CorrectCare Integrated Health LCC.
CorrectCare provided medical claims processing services to prisons and jails in California, Georgia, Louisiana and South Carolina in July 2022, when it reported a “misconfigured” web server had exposed 635,321 files containing the personal identifying information and personal healthcare information of prisoners and detainees. It was later determined that the information came from 572,453 victims who were imprisoned or detained in affected lockups.
Lead Plaintiff Virginia Hiley filed suit in December 2022, accusing CorrectCare of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, invasion of privacy and unjust enrichment. Her suit and several others filed over the data breach were consolidated in May 2023, adding claims under consumer privacy laws specific to the states involved. An additional claim filed in the Northern District of Georgia was transferred to the Eastern District of Kentucky and consolidated with the Hiley suit in July 2023.
Following successful mediation, the parties reach a settlement agreement. However, at a hearing on April 29, 2024, the district court refused to grant its approval, noting that there was no limit for out-of-pocket costs that could be claimed and recovered by those class members who opted to seek payments beyond the standard $10,000 cap—potentially leaving nothing for the rest. See: In re Correctcare Data Breach Litig., 2024 U.S. Dist. LEXIS 81492 (E.D. Ky.).
The revised agreement that won the district court’s approval capped total out-of-pocket expenses to an amount equal to one-half of the settlement fund. About 100,000 claims were filed before the September 2024 deadline, representing 17% of the class—“a very favorable claims rate for a data breach class action,” the district court said, citing In re Wawa, Inc. Data Security Litigation, 2024 U.S. Dist. LEXIS 65200 (E.D. Pa.).
Under the agreement’s terms, class members could each file a claim for up to $10,000 in out-of-pocket expenses “reasonably traceable” to the data breach, including bank fees, phone and data charges, as well as miscellaneous expenses such as postage, notary, fax, copying, mileage, and/or gasoline for local travel; fees paid for credit reports and credit monitoring or other identity theft insurance; and any actual fraud that occurred.
Alternatively, class members could file a claim for their actual out-of-pocket expenses if the total exceeded $10,000. They could also opt out of the agreement and pursue their claims individually. Class members in California were entitled to an additional payment that satisfied that state’s Consumer Privacy Act, though the amount was not specified in the agreement.
Before distribution to class members making claims, deductions were made from the settlement fund to pay a $2,500 service award to each of the Class Representatives: Hiley, Christopher Knight, Kyle Marks, Marlena Yates and “A.G.”
Additional deductions paid $12,313.92 in costs and $2,163,333.33 in fees to class counsel, provided by attorneys Lynn A. Toops of Cohen & Malad, LLP in Indianapolis; Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman, PLLC in Chicago; Benjamin F. Johns of Shub & Johns LLC in West Conshohocken, Penn.; and J. Gerard Stranch IV of Stranch, Jennings & Garvey, PLLC in Nashville. Further deductions not itemized in the agreement paid expenses of the Settlement Administrator, Kroll Settlement Administration LLC. See: In re Correctcare Data Breach Litig., 2024 U.S. Dist. LEXIS 166754 (E.D. Ky.).
Privacy attorney Kirk Nahra of WilmerHale in Washington, D.C., who was not involved in the class action, told Bank Info Security that this was “a case with a different set of variables than we often see—a particularly vulnerable population that may not have realistic access to many of the typical means of protection in the event of a security breach.” But as noted by another attorney not involved in the case, Paul Hales of Hales Law Group in Ladue, Missouri, the settlement gives class members “lower benefits than data breach victims typically receive, probably because of issues related to their status” as prisoners and detainees.
Additional source: Bank Info Security
As a digital subscriber to Prison Legal News, you can access full text and downloads for this and other premium content.
Already a subscriber? Login