Basic Information

1. Why did I receive this notice?

Med-Data’s records show that your sensitive personal and/or health information was compromised when a Med-Data employee inadvertently uploaded files containing sensitive personal and health information to the public-facing portion of GitHub between December 2018 and September 2019 (the “Data Incident”). You may have received a Notice of Data Incident from Med-Data or one of its Business Associates. The purpose of this Notice is to let you know that the parties have reached a proposed settlement in the class action lawsuit entitled M.S. v. Med-Data, Inc., Case No. 4:22-cv-00187, pending in the United States District Court for the Southern District of Texas. You have legal rights and options that you may act on before the Court decides whether to approve the proposed settlement. Because your rights will be affected by this settlement, it is extremely important that you read this Notice carefully. This Notice summarizes the settlement and your rights under it.

2. What is this lawsuit about?

The Named Plaintiffs allege that Med-Data violated the Washington Consumer Protection Act, Missouri Merchandising Practices Act, and state common law by failing to protect sensitive personal and health information Med-Data received from healthcare providers or by failing to timely notify affected patients after learning their data was compromised in the Data Incident.

3. What is a class action and who is involved?

In a class action lawsuit, one or more people called plaintiffs or “class representatives” sue on behalf of other people who have similar claims. The people together are a “class” or “class members.” The party they sue (in this case Med-Data, Inc.) is called the defendant. If the lawsuit proceeds as a class action, it resolves the issues for everyone in the class—except for those people who choose to exclude themselves from the class.

The Settlement

4. Why is there a settlement?

The Court did not decide in favor of the Plaintiffs or Med-Data. Instead, both sides agreed to a settlement. That way, they avoid the cost of a trial, and the people affected will get compensation. The class representatives and their attorneys think the settlement is best for the Settlement Class.

5. How do I know if I am a part of the Settlement?

You are in the “Settlement Class” if your personal information was included in the data inadvertently uploaded to GitHub by a Med-Data employee.

The Settlement Class does not include any persons who validly request exclusion from the Settlement Class, as described under Question 11. A person who does not exclude themselves is a “Settlement Class Member.”

If you have questions about whether you are a part of the Settlement Class you may call 1-844-930-2009 or visit www.MedDataSettlement.com for more information.

The Settlement Benefits

6. What does the Settlement Agreement provide?

Med-Data has agreed to pay $7,000,000 to pay Settlement Class Members who submit valid claims, any court-approved attorneys’ fees, litigation expenses, service awards, and notice and settlement administration expenses. Any amounts remaining in the settlement fund after all claims have been paid will be used to extend the term of Tier 3 Benefits as defined below. You will not receive any settlement payment unless you submit a Claim Form as described in Question 8.

Settlement Class Members may submit a claim for one of two payment options, are eligible for fraud monitoring without the need to file a claim. Med-Data also agreed to change their business and cybersecurity practices.

Tier 1 Claims

If you spent time on tasks related to the Data Incident or suffered Out-of-Pocket Losses due to the Data incident, you may submit a “Tier 1 Claim” for reimbursement of up to five hours of lost time at $25 per hour and your documented out-of-pocket expenses, up to a total of $5,000. Claims for out-of-pocket losses (other than lost time reimbursement) must include supporting documentation sufficient to verify the loss. Supporting documentation may include, for example, receipts, credit card statements, bank statements, invoices, or any other documentation tending to establish out of pocket loss that is fairly traceable to the Data Incident. You may mark out or redact any transactions that are not relevant to your claim before sending in the documentation.

Out-of-Pocket Losses may include any out-of-pocket expenses incurred as a result of the Data Incident, such as the following: (a) unreimbursed losses relating to fraud, medical or identity theft, (b) professional fees, including attorneys’ fees, accountants’ fees, and fees for credit repair services, (c) costs associated with freezing or unfreezing credit with any credit reporting agency, (d) credit monitoring costs, and (e) miscellaneous expenses such as notary, fax, postage, copying, mileage, and long-distance telephone charges.

Lost time may include time spent on tasks such as (a) changing passwords on potentially impacted accounts; (b) monitoring for or investigating suspicious activity on potentially impacted medical, financial, or other accounts; (c) contacting a medical provider or financial institution to discuss suspicious activity; (d) signing up for identity theft or fraud monitoring services; or (e) researching information about the Data Incident, its impact, or how to protect yourself from harm due to the Data Incident.

The above lists of reimbursable lost time and documented out-of-pocket losses are not meant to be exhaustive and are provided only as examples. You may make claims for any lost time and out of pocket expenses that you believe are reasonably related to the Data Incident or to mitigating the effects of the Data Incident.

Tier 2 Claims

In the alternative, you took any action at all in response to the Data Incident, even if de minimis, you may submit a “Tier 2 Claim” for an alternative cash payment of up to $500. The actual amount of the alternative cash payment will depend on the amounts remaining in the Settlement Fund after all Tier 1 Claims have been paid.

Tier 3 Benefits – Fraud Monitoring

Settlement Class Members are also eligible to access 36 months of Medical Shield Premium, which is a health data and fraud monitoring service with $1,000,000 in identity theft insurance coverage provided by Pango, without the need to file a claim. If the Settlement is approved and becomes final, the settlement administrator will send an activation code to each Settlement Class Member that can be redeemed on Pango’s website.

Payment Priority

The Settlement Fund will be used to pay for the settlement in the following order: (1) Tier 3 benefits of 36 months of Medical Shield Premium; (2) reimbursement for valid “Tier 1” claims for Out-of-Pocket Losses and/or lost time; (3) notice and administration costs; (4) court-approved attorneys’ fees and costs; (5) court approved service awards; and (6) Tier 2 claims for alternative cash payments.

Non-Monetary Relief

The Settlement also provides for non-monetary relief that requires Med-Data to implement and maintain several changes to its business and cybersecurity practices, including: (1) annual cybersecurity testing and training on data privacy; (2) appropriate cybersecurity spending and regular updates to internal security policies and procedures; (3) robust monitoring and auditing for data security issues, including firewalls and up-to-date anti-malware programs on all services; (4) encryption of PII and HI data access controls; (5) annual systems penetration testing and training; (6) a monitored internal whistleblowing mechanism; and (7) maintenance of a legally-compliant data deletion policy. In addition, Med-Data will retrieve any exposed class member data still in existence. A complete description of the Settlement’s non-monetary relief is included in the Settlement Agreement.

7. What are the tax implications of accepting a settlement payment?

The tax implications may vary based on your income, the amount you receive and other factors, so you should consult a tax professional to assess the specific tax implications of any payment you may receive. Class Counsel, Med-Data, and the Settlement Administrator cannot advise you with respect to your tax obligations.

How You Get a Payment – Submitting a Claim Form

8. How do I make a claim?

To qualify for a settlement payment, you must submit a Claim Form by May 21, 2024. You may submit a Claim Form online by going to the Settlement Website at www.MedDataSettlement.com and following the instructions. You may also download a paper Claim Form on the Settlement Website or call the Settlement Administrator at 1-844-930-2009 to request a paper Claim Form, and submit the Claim Form by mail. Claim Forms sent by mail must be postmarked by May 21, 2024 and mailed to:

Med-Data Settlement Administrator
P.O. Box 341
Baton Rouge, LA 70821

If you have questions about the claim submission process you may call the Settlement Administrator at 1-844-930-2009 or visit www.MedDataSettlement.com for more information.

9. When will I get my payment?

The Court will hold a hearing on September 11, 2024, at 3 p.m. Central time, to decide whether to approve the settlement, as described in Question 19. If no appeals are timely filed after the Court enters the Final Approval Order, then the Order and settlement will become final. Settlement payments will be sent to Settlement Class Members who submitted valid claims approximately 30 days from the Settlement’s Effective Date (roughly 65 days after the Settlement is approved). The checks will only be valid for 120 days from the date of issuance, after which you will not be able to cash or deposit them. However, if an appeal is filed, payments will not be sent until after the appeal is finally resolved, which could take more than one year.

10. What am I giving up to stay in the Settlement Class?

Unless you request to exclude yourself, you are staying in the Settlement Class and you will be a Settlement Class Member. If the Court approves the settlement and becomes final, you and other Settlement Class Members can’t sue, continue to sue, or be part of any other lawsuit against the “Released Parties” regarding the Data Incident.

The Settlement Agreement (available at www.MedDataSettlement.com) describes the claims you are releasing and against whom you are releasing claims, so read it carefully. To summarize, the release includes claims against Med-Data or the healthcare entities through which Med-Data obtained the compromised data (the “Released Parties”) that arise out of or relate to the Data Incident.

Excluding Yourself From The Settlement

If you don’t want to receive the benefits of this settlement or if you want to keep the right to sue or continue to sue Med-Data or its Business Associates regarding the Data Incident, then you must take steps to remove yourself from the Settlement Class. This is called excluding yourself – or is sometimes referred to as “opting out” of the Settlement Class.

11. How do I exclude myself from the settlement?

To “opt out” or exclude yourself from the settlement you must send the request in writing to the Settlement Administrator using the opt-out form available on the Settlement Website (www.MedDataSettlement.com) or from the Settlement Administrator upon request. You must include your name and address in the letter. You can mail your exclusion request, which must be postmarked no later than April 26, 2024, to the following address:

Med-Data Settlement Administrator
P.O. Box 341
Baton Rouge, LA 70821

Requests for exclusion mailed after April 26,2024 will not be effective and will not result in your being excluded from the Settlement Class.

If you ask to be excluded, you will not get any payment, and you cannot object to the settlement. You will not be legally bound by anything that happens in this lawsuit.

12. Why would I ask to be excluded?

If you already have, or want to bring, your own lawsuit against the Released Parties regarding the Data Incident and want to continue with the lawsuit, you need to ask to be excluded from the Settlement Class. If you exclude yourself from the Settlement Class you won’t get any money from the Settlement. However, you may be able to sue or continue to sue the Released Parties regarding the Data Incident on your own. If you exclude yourself, you will not be legally bound by the Court’s judgments in this class action.

13. If I exclude myself, can I get anything from this settlement?

No. You will not receive any payment from the settlement if you exclude yourself.

The Lawyers Representing You

14. Do I have a lawyer in this lawsuit?

The Court decided that the law firms of Terrell Marshall Law Group, Morgan & Morgan, McShane & Brady, Federman & Sherwood, and Heenan & Cook, are qualified to represent you and all Settlement Class Members. These law firms are referred to as “Class Counsel.” You will not receive a bill from these lawyers, who have asked the Court to be paid a percentage of the Settlement Fund. If you want to be represented by your own lawyer, you may hire one at your own expense. The names and addresses of Class Counsel are:

Beth E. Terrell
Ryan Tack-Hooper
Terrell Marshall Law Group PLLC
936 N 34th Street, Suite 300
Seattle, Washington 98103

Jean Martin
Morgan & Morgan, P.A.
201 Franklin Street, 7th Floor
Tampa, FL 33602

Maureen Brady
McShane & Brady, LLC
1656 Washington St., Suite 120
Kansan City, MO 64108

John Heenan
Heenan & Cook, PLLC
1631 Zimmerman Trail, Suite 1
Billings, Montana 59102

William B. Federman
Federman & Sherwood
10205 N. Pennsylvania Ave.
Oklahoma City, OK 73120

 
15. Should I get my own lawyer?

You do not need to hire your own lawyer because Class Counsel are working on your behalf. But, if you want to hire your own lawyer, you will have to pay that lawyer. For example, you can ask a lawyer to appear in Court for you if you want someone other than Class Counsel to speak for you.

16. How will the lawyers be paid?

Class Counsel will ask the Court to approve payment of attorneys’ fees in the amount of $2,333,333.33, which is one-third of the $7,000,000 Settlement Fund, plus litigation costs of approximately $200,000. This payment compensates Class Counsel for investigating the facts, litigating the case, and negotiating the settlement. Class Counsel will also request $5,000 service awards for each of the four Named Plaintiffs, M.S., D.H., Nicole Tokarski, and C.C, to compensate them for their time and effort during the litigation. Class Counsel’s complete request for fees, costs, and the service award to the Class Representative will be posted on the settlement website, www.MedDataSettlement.com. The Court may award less than these amounts.

Objecting to the Settlement

17. How do I object to the settlement?

If you are a Settlement Class Member and you do not exclude yourself from the Settlement Class, you can ask the Court to deny approval by filing an objection. You can’t ask the Court to order a different settlement; the Court can only approve or reject the settlement. If the Court denies approval, no settlement payments will be sent out, and the lawsuit will continue.

Any objection to the proposed settlement must be in writing and include your name, address, telephone number, the name of the case, and the reason(s) for your objection, and meet the criteria described in the Settlement Agreement. You must mail a copy of the objection to the following addresses postmarked no later than April 26, 2024 and file it with the Court:

Settlement Administrator Class Counsel Defense Counsel
Med-Data Settlement Administrator
P.O. Box 341
Baton Rouge, LA 70821

William B. Federman
Federman & Sherwood
10205 N. Pennsylvania Ave.
Oklahoma City, OK 73120

Lynn M. Engel
1218 Third Avenue, Suite 2100
Seattle, WA 98101


Ralph H. Palumbo
Palumbo Law
140 Lakeside Ave., Suite A – Box 506
Seattle, WA 98122

18. What is the difference between objecting and excluding myself from the settlement?

Objecting simply means telling the Court that you don’t like something about the settlement. You can object only if you stay in the Settlement Class. Excluding yourself from the Settlement Class is telling the Court that you don’t want to be part of the Settlement Class. If you exclude yourself, you have no basis to object because the case no longer affects you.

The Court’s Fairness Hearing

19. When and where will the Court hold a hearing on the fairness of the settlement?

The Court will hold the Final Approval Hearing on September 11, 2024 at 3:00 p.m. Central Time, before the Honorable Charles Eskridge of the United States District Court for the Southern District of Texas, 515 Rusk Street, Houston, Texas 77002, Courtroom 9F. The purpose of the hearing is for the Court to determine whether the Settlement is fair, reasonable, adequate, and in the best interest of the Settlement Class. At the hearing, the Court will hear any objections and arguments concerning the fairness of the proposed settlement, including those related to the amount requested by Class Counsel for attorneys’ fees and expenses and the service awards to the Named Plaintiffs. After the hearing, the Court will decide whether to approve the settlement. We do not know how long these decisions will take.

The date and time of the Final Approval Hearing are subject to change by Court Order. Any changes will be posted at the settlement website, www.MedDataSettlement.com. You can also monitor case activity and for changes to the dates and time of the fairness hearing by accessing the Court docket in this case through the Court’s Public Access to Court Electronic Records (PACER) system at https://ecf.txsd.uscourts.gov, or by visiting the office of the Clerk of the Court for the United States District Court for the Southern District of Texas, Houston Division, 515 Rusk Avenue, Houston, Texas 77002, between 9:00 a.m. and 4:00 p.m., Monday through Friday, excluding Court holidays.

20. Do I have to come to the hearing?

No. Class Counsel will answer any questions the Court may have. You are welcome to come to the hearing at your own expense. If you send an objection you don’t have to come to Court to talk about it, as long as your written objection was filed or mailed on time, and meets the other criteria described in the Settlement Agreement, the Court will consider it. You may also pay a lawyer to attend, but you don’t have to.

21. May I speak at the hearing?

If you do not exclude yourself from the Settlement Class, you may ask the Court for permission to speak at the hearing concerning any part of the proposed Settlement Agreement. If you submit an objection (see Question 18 above) and intend to appear at the hearing, you must state your intention to do so in your objection. You cannot speak at the hearing if you exclude yourself or if you fail to state your intention to do so in your objection.

If You Do Nothing

22. What happens if I do nothing at all?

If you do nothing, you will be a member of the Settlement Class and you will not receive payment from the settlement. You will also be bound by the terms of the settlement, including the Release described in Question 10, above.

Getting More Information

23. Are there more details about the settlement?

This page summarizes the proposed settlement. More details are in the Settlement Agreement. You may review and download or print a copy of the Settlement Agreement via the settlement website at www.MedDataSettlement.com. You can also get a copy of the Settlement Agreement by writing to Med-Data Settlement Administrator at P.O. Box 341, Baton Rouge, LA 70821.

24. How do I get more information?

You can call 1-844-930-2009 toll free; write to Med-Data Settlement Administrator at P.O. Box 341, Baton Rouge, LA 70821; or visit the settlement website at www.MedDataSettlement.com where you will find answers to common questions about the settlement, the Settlement Agreement, Plaintiff’s Complaint, Class Counsel’s motion for an award of attorneys’ fees and costs, and other information.

Please Do Not Contact the Court, the Judge, or Med-Data with Questions about the Settlement.