The Malden, Massachusetts-based Mystic Valley Elder Services has agreed to pay $520,000 to settle a consolidated class action lawsuit stemming from an April 5, 2024, data breach. Unauthorized individuals gained access to the network of Mystic Valley Elder Services and potentially obtained the names, dates of birth, passport numbers, financial account numbers, payment card numbers, online credentials, taxpayer identification numbers, Social Security numbers, driver’s license numbers, health insurance information, and medical information of more than 89,600 individuals.
Five class action complaints were filed in response to the data breach, which were consolidated in the Middlesex County Superior Court in Massachusetts. The consolidated class action lawsuit – In re Mystic Valley Elder Services Inc. – alleged that the data breach occurred as a result of cybersecurity failures, Mystic Valley Elder Services failed to detect the unauthorized activity in a timely manner, and did not send timely notifications to the affected individuals, who did not learn about the data breach until 6 months later.
The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violations of the Massachusetts Consumer Protection Act. The lawsuit sought injunctive relief, including an order from the court prohibiting the transmission of sensitive data via unencrypted email, storing protected health information in email accounts, and requiring a host of security measures to be implemented to ensure the privacy and security of patient data. Mystic Valley Elder Services denies all liability and wrongdoing…