Keenan & Associates is a benefits consulting and insurance brokerage provider in California, providing services to several sectors, including healthcare entities and educational facilities. Between August 21, 2023 and August 27, 2023, an unauthorized user accessed information relating to certain of Keenan’s customers, including names, dates of birth, Social Security numbers, passport numbers, driver’s license numbers, health insurance information, and medical information, such as general health information. In December 2023, College of the Canyons reported that 2,400 of its employees were affected by a ransomware incident. In January of 2024, Keenan & Associates notified the Maine Attorney General’s Office that 1,509,616 people were affected by the incident, a number that they subsequently increased to 1,573,844.
Keenan’s notification letters did not specifically mention “ransomware” or “encryption” and made no mention of whether there was ever any extortion demand, and if so, how they responded.
Over 20 separate class action cases related to the data breach were filed in state and federal courts in California in the following meonths.
A settlement has now been announced, with Keenan & Associates denying any wrongdoing or liability, as is usually the case in settlements. Information about the case and settlement can be found on the official settlement website at https://www.keenanbreachsettlement.com/.
Under the terms of the settlement, Keenan or its insurers will pay no more than $14 million, which includes claimants, administrative costs, attorney fees, etc. The settlement will provide Class Members with the opportunity to select and make a claim for three years (i.e., 36 months) of Credit Monitoring and Insurance Services (i.e., CMIS) and either a pro-rata Cash Fund Payment in amounts to be determined in accordance with the terms of the Settlement; or Cash Payments of up to $10,000 per Class Member for reimbursement of certain Documented Losses (“Documented Loss Payment”).
As always, DataBreaches looked at the terms of the settlement to see if it specified anything about improving cybersecurity or infosecurity. Under Settlement Benefits, we found:
4.1. Prospective and Injunctive Relief. Without admitting any liability, Keenan agrees, as a material term of this Settlement, to implement and maintain certain cyber security, data and privacy protocols, and deploy additional security measures for a period of 2 years from entry of the Final Approval Order. Keenan has provided a declaration detailing such measures to Class Counsel prior to the execution of this Agreement.
Heath et al. v. Keenan & Associates
Filed: February 2, 2024
Case No. 24STCV03018