Morley Companies Inc. has agreed to a $4.3 million payment to settle a class-action lawsuit following a data breach that compromised sensitive information from its clients and customers.

The Michigan-based company operates by providing business process outsourcing to its contracted companies. Many industries including the health sector receive services from Morley Companies Inc. including customer help desk, sales, and marketing support, meetings, and other services.

As part of its business dealings, the company collects sensitive information from both clients and customers including names, Social Security numbers, addresses, dates of birth, driver's license information, and information pertaining to their medical and health background.

On August 1, 2021, Morley discovered that ransomware-type malware restricted them from accessing some data. The company has not disclosed exactly how the attack took place and how threat actors were able to breach its cyber security defenses.

Despite discovering the breach in August 2021, the company took nearly five months to report the attack. When they did notify the public, about 700,000 individuals received letters alerting them that their data was potentially compromised in the breach.

As a result of the attack and the delayed notification, the company was the subject of at least 15 lawsuits from individuals whose information was compromised. These lawsuits deemed that Morley was negligent in its cybersecurity practices.

Despite agreeing to the $4.3 million-dollar settlement, the company has denied any wrongdoing. Still, it agreed to the settlement to avoid the growing cost of ongoing litigation according to company executives.

As part of the settlement, class members may be able to recover reimbursements of up to $2,500 of documented out-of-pocket expenses that resulted from the data breach. Such out-of-pocket expenses can include the following:

• Losses related to fraud or identity theft
• Personal fees that were paid out to attorneys and credit reporting agencies
• Personal fees paid out for credit monitoring services from August 1st, 2021
• Losses related to freezing and unfreezing credit
• Other losses associated with the data breach

The settlement will also allow eligible class members to receive three years of credit monitoring and enroll in a credit monitoring service. As part of the settlement, if any additional funds remain after reimbursement of an additional cost, eligible class members may receive extended credit monitoring.

This tentative settlement agreement will be the largest healthcare data breach settlement in December 2022, but not the first of its kind in recent months. The final hearing that will approve the settlement is set for April 2023.