$3.06 million verdict; Ransomware attacks lead to judgments for doctors, patients

Action: Verdict

Date: June 27, 2024

Date of incident: March 1, 2021

Nature of claim: Breach of contract

Injuries alleged: Inability of doctors to access patient charts at certain times and inability to transfer data to new providers

Amount: $1.46 million fund for physician class and $2.6 million settlement fund for patient class

Special or other damages: Credits to ECL Group customers for future services (a value up to $5.5 million); cessation of collection efforts by ECL for unpaid invoices during periods with service interruptions; the ability of plaintiffs to terminate their contracts with ECL early and without penalty with cooperation by ECL to obtain data and transition to a new provider; the assignment of two insurance policies to the physician class; and legal release avoiding liability for any data breach claims brought by patients of the physician practices

Case names and nos.: Alliance Ophthalmology PLLC et al. v. ECL Group LLC, case number 1:22-cv-00296, and Farley v. Eye Care Leaders Holdings, LLC, case number 1:22-cv-00468

Court: U.S. District Court, Middle District of North Carolina

Tried before: Judge

Judge: Catherine C. Eagles

Attorneys: Russ Ferguson, Matthew F. Tilley and Patrick G. Spaugh, of Womble Bond Dickinson, Charlotte (ophthalmology practice class plaintiffs); Gary M. Klinger, of Milberg Coleman Bryson Phillips Grossman, Chicago, Jean Sutton Martin of Morgan & Morgan Complex Litigation Group, Tampa, Florida, and Gary E. Mason of Mason LLP, Washington, DC (patient class plaintiffs)

The physician plaintiffs sued after ransomware attacks in 2021 impacted their practices’ patient recordkeeping and billing services provided by ECL Group. The lawsuit alleged that ECL failed to keep patient data secure, to provide contractually required discounts while ECL’s services were unavailable, and that ECL made misrepresentations about the ransomware attack and engaged in unfair and deceptive trade practices. Alongside the physicians’ claims, a patient class brought a claim, alleging its members’ data was exposed.

Before the settlement was finalized, ECL filed for bankruptcy and put itself up for sale. The buyer of ECL attempted to avoid honoring the physician class’ rights under the settlement, including the ability to receive contractual credits and to terminate their contracts with ECL. “Without this work (in bankruptcy court), the class probably would have lost substantial benefits from the settlement,” federal District Judge Catherine C. Eagles wrote, calling the settlement “by far the most complex class action settlement I have seen.”