True Health New Mexico has agreed to a class action settlement to resolve claims that the health insurance provider failed to protect patient data from an October 2021 data breach.
As reported by Top Class Actions, plaintiffs in several lawsuits claimed True Health New Mexico failed to protect their sensitive information from a ransomware attack that affected nearly 63,000 patients. The settlement applies to the following lawsuits:
McCullough, et al. v. True Health New Mexico Inc., Case No. D-202-CV-2021-06816, in the 2nd District Court of the State of New Mexico
Clement, et al. v. True Health New Mexico Inc., Case No. D-101-CV-2022-00129, in the 2nd District Court of the State of New Mexico
Shanks, et al. v. True Health New Mexico Inc., Case No. D-202-CV-2022-00449, in the 2nd District Court of the State of New Mexico
The official settlement website is THNMSettlement.com.
As DataBreaches has been doing with other settlements, we looked to see if the settlement includes any provisions for improving data security. In this settlement, we found a more detailed commitment than usual:
21. Equitable Relief: True Health agrees to implement and maintain the following for at least one year from the Effective Date:
a. Security Policy: True Health agrees to maintain a written information security policy and further agrees to require True Health employees to electronically acknowledge receipt and review of True Health’s written information security policy.
b. Training: True Health will conduct cybersecurity training that contains annual mandatory classes, new hire orientation, and periodic training updates to necessary staff as new information security issues and trends arise.
c. Password policy: True Health will maintain a written password policy that requires appropriate password complexity commensurate to sensitivity level to the system.
d. True Health will require Multi-Factor Authentication (MFA) for remote access to e-mail.
e. True Health will implement endpoint security measures, which include endpoint detection and a response solution.
f. In the event True Health discontinues operations, True Health will have no obligation to continue these equitable measures described in Paragraph 21.
True Health New Mexico discontinued its healthcare plans in New Mexico at the end of 2022.
DataBreaches never saw any data from this incident on any leak site, nor any group claiming responsibility for the attack.
HHS’s investigation into this incident is still open.