National Board of Examiners in Optometry to Pay $3.25 Million to Settle 2016 Data Breach Lawsuit

A class action lawsuit filed on behalf of victims of a 2016 data breach at the National Board of Examiners in Optometry (NBEO) has finally resulted in a settlement. The breach, which occurred in the summer of 2016 and sparked the lawsuit, was caused by hackers gaining access to the sensitive data of optometrists and students. However, it was not clear which database or system was hacked or how the hackers were able to access the sensitive information.

The investigators of the breach did not find proof that unauthorized people accessed any databases that contained sensitive information. The American Academy of Optometry (AAO), American Optometric Association (AOA), and NBEO all said their investigations did not indicate they were the source of the breach.

For sure, a data breach occurred. Chase Amazon Visa credit cards were received in the mail by several optometrists and students even though they had not applied for them. Many others discovered credit card applications had been made in their names and the applications were still pending.

After the breach, 13 doctors of optometry, who said the targeted data was still accessible, took legal action. The consolidated case was thrown out as the breach could not be connected to NBEO. Accusations of harm were considered too speculative. Nonetheless, the 4th Circuit U.S. Court of Appeals reversed the ruling of the lower court and permitted the continuance of the case, stating that it was both “plausible and likely” that NBEO was the source of the breach and that there had clearly been misuse of personal information.

NBEO is still disputing the allegation that it was the source of the breach; however, it has agreed to settle the case and will set aside $3.25 million to cover claims from the 61,000 breach victims. People who qualify for a percentage of the settlement include those who had their personal data stored in NBEO’s systems from November 15, 2018 as well as those who received a notification that they had been named as a class member.

The settlement covers reimbursement for recorded, out-of-pocket costs related to the data breach, including professional/legal expenses, and the cost of credit repair services and other charges sustained after June 1, 2016 in connection with the breach. Claims up to $7,500 will be considered. Claims of up to a maximum of $1,000 per class member may also be requested as reimbursement for the time expended in resolving issues connected to the breach.



All breach victims shall be eligible to receive free three-bureau credit monitoring services for three years and complimentary access to identity theft restoration services. These services will be provided by Identity Guard with insurance coverage of $1,000,000 also provided to cover losses caused by identity theft and fraud.

NBEO also agreed to improve its data security controls, have a third-party security company perform a data security risk assessment, and encrypt personal information. The board also decided not to include Social Security numbers in its database. A preliminary approval of the settlement has been received and the final hearing is set for July 12, 2019.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.