Ambry Genetics Shells Out Millions to Settle Data Breach Class Action

Like other medical providers, labs must guard against massive data breaches that can compromise the protected health information (PHI) of hundreds and even thousands of patients. In addition to public embarrassment and response costs, such breaches carry enormous liability risks. The ultimate nightmare is that patients will get together and hit your lab with a class action lawsuit for millions of dollars’ worth of damages. If you think this scenario is far-fetched, consider what just happened to Ambry Genetics.

The Ambry Genetics Class Action

The problems began in January 2020 when hackers got access to an Ambry Genetics employee’s email account, compromising the personal data of up to 230,000 individuals, including names, dates of birth, information about health insurance and utilization of labs, and even some Social Security numbers. As required by Health Insurance Portability and Accountability Act of 1996 (HIPAA) laws, Ambry investigated the breach, reported it to the authorities, and notified affected patients, along with an offer to provide identity theft monitoring services to the victims at its own expense. The Aliso Viejo, California-based genomics lab that provides more than 300 genetic tests also promised to take corrective measures to guard against future attacks.

Regrettably, but not surprisingly, these efforts weren’t enough to placate all of the victims. Rather than go after Ambry individually, a group of 24 victims from 15 different states filed a class action for negligence, invasion of privacy, breach of contract, and state consumer law violations. They claimed that the data breach was the “direct result” of Ambry’s violation of its HIPAA duty to implement “adequate and reasonable” cybersecurity systems and protocols to protect patients’ sensitive personal data. The breach wouldn’t have occurred, according to the complaint, had Ambry “remedied the deficiencies in its data security systems and adopted security measures recommended by experts in the field.”

At first, it seemed that Ambry had gained the upper hand when the US District Court for the Central District of California tossed the complaint for failing “to plausibly allege that their injuries were caused by” Ambry. Specifically, the individual patients weren’t able to trace their harms to any particular action or omission by Ambry. However, it was only a temporary reprieve. The dismissal was “without prejudice,” meaning that the victims were given the opportunity to amend their complaint. And that’s just what they did. In fact, the same pattern played out no fewer than four different times.

The Settlement Agreement

Rather than risk a trial, Ambry agreed to settle the case. While not requiring an admission of guilt, the settlement agreement does require Ambry to pay $12.25 million into a settlement fund to compensate the victims, including:

• $2.25 million dedicated to providing credit monitoring and identity theft protection services to the victims;
• Up to $10,000 per member of the class action lawsuit for out-of-pocket costs; and
• Up to $3,900 per class member (13 hours at $30 per hour) for time spent “attempting to remedy or remedying issues fairly traceable to the data breach.”

That $12.25 million is on top of the between $800,000 and $1.4 million Ambry has already spent in notifying and providing free credit monitoring services to victims of the breach, according to the settlement agreement. In addition, the settlement also requires Ambry to adopt additional data security measures, beef up its data security policies and training, and impose further restrictions on access to the PHI it keeps, among other things.

Bottom Line: By the time it’s all said and done, the data breach, response, litigation, and settlement are likely to cost Ambry over $20 million.

Takeaway & Significance

The Ambry case is fascinating on a number of levels, including its size and fact that it involves a clinical lab. HIPAA data breach class action lawsuits aren’t unusual. But these cases rarely get to trial, let alone result in victory for the victims. The principle stumbling block is the traceability issue. Just because a data breach occurs and a lot of victims are harmed isn’t enough to prove the damages inflicted on the individuals bringing the class action.

Frequently, the end game for victims who file data breach class actions is a lucrative settlement. To be in a position to command such a settlement, the class must be large and the privacy harms severe so that the potential damages are high enough to scare the defendant. Even more significantly, the complaint has to survive the motion to dismiss due to lack of a valid claim that the defendant will inevitably file. All of these conditions were present in the Ambry Genetics case.

Civil Money Penalties for HIPAA Violations

While private lawsuits for money damages are always a risk, the principal source of liability for labs that commit HIPAA violations is the imposition of civil monetary penalties (CMPs). Potential CMP amounts vary depending on the level of offense. The U.S. Department of Health and Human Services (HHS) also adjusts the CMP amounts every year based on inflation and other factors. Here are the current CMPs for HIPAA infractions.

2022 Civil Monetary Penalties Under HIPAA

Level	Minimum CMP	Maximum CMP	Calendar Year Cap
Level 1: Lack of knowledge	$127	$63,973	$1,919,173
Level 2: Reasonable cause + not willful neglect	$1,280	$63,973	$1,919,173
Level 3: Willful neglect (if corrected within 30 days)	$12,974	$63,973	$1,919,173
Level 4: Willful neglect (if not corrected within 30 days)	$63,973	$1,919,173	$1,919,173