Data Privacy, Data Security, Fraud Management & Cybercrime
Financially Strapped Cloud Services Firm Settles Suit From 2020 Patient Data Hack

A financially strapped cloud services vendor that experienced a 2020 ransomware attack affecting dozens of healthcare sector clients and hundreds of thousands of patients has agreed to a $1.9 million settlement in proposed class action litigation involving the data theft case.
Court papers indicate the company has exhausted its cyber insurance after four years of litigation and other expenses related to the attack.
Under the preliminary settlement, Minnesota-based Netgain Technology has agreed to pay eligible class members up to $5,000 for documented out-of-pocket expenses fairly traceable to the data breach, including reimbursement of $25 per hour – capped at three hours – spent addressing issues related to the incident.
As an alternative, class members can opt to receive a pro-rated cash payment based on what’s left of the $1.9 million settlement fund after those other settlement payments and other expenses are made. That includes $1,500 service payments to each representative plaintiff and also attorney fees. The plaintiff and class member attorneys are seeking a third of the settlement fund – or about $633,000 – as payment for their services.
The settlement appears to be on the smaller side compared with many settlements for a breach of this size, but legal experts say the case illustrates the heavy toll that class action claims are taking on defendants.
“This sad case highlights the state of health data breaches,” said regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the Netgain litigation.
Netgain is “an underfunded defendant,” Hales said. “Its insurance coverage is exhausted, and its liabilities exceed its liquid assets,” he contends. “Consequently, the proposed monetary recovery is disproportionate to the harm suffered by hundreds of thousands of affected people and Netgain’s clients. Even the attorney’s fees are low for a case of this complexity. The only winner is the settlement administrator,” he said.
The proposed settlement document notes that the company’s financial condition is a consideration in the agreement.
Beefing Up Security
In addition to the financial settlement, Netgain agreed to implement a long list of measures to improve its data security practices, including upgrading its edge firewalls to protect the environment from external sources and limit traffic to only allowed ports and services, enabling geo-blocking for Azure clients, and requiring external access to the hosted environment to go through secure gateways.
Netgain also agreed to ensure its underlying network “is configured in a secure, scalable manner with dedicated subnets, VLANs and VRFs per client.”
Netgain has also agreed to deploy core firewall technology using a blocklist methodology to block undesired traffic and to ensure that DNS filtering and monitoring are deployed across the hosted environment.
The company will deploy SentinelOne “or similar platform across Netgain’s entire data environment along with 24/7 monitoring service,” the settlement document said.
Netgain also agreed to ensure that discrete domains and administrative accounts are established across client environments and to “confirm that multifactor authentication is utilized in all hosting environments and monitoring and notification for all suspicious application activity.”
Netgain will also ensure that its backup services, using Azure Site Recovery, offer data protection in the event of system corruption.
Under the settlement, Netgain will also provide class counsel with an annual report attesting to the company’s compliance with the injunctive measures for a period of three years.
Complaint Allegations
The complaint, filed in a Minnesota federal court in 2021, alleged negligence and an assortment of other claims against Netgain in the incident in which “unauthorized individuals” gained access to Netgain’s computer systems and exfiltrated plaintiff and class members’ information between September and November 2020.
The lawsuit also alleged that Netgain claimed to have paid an undisclosed amount to the cybercriminal in exchange for assurances that the threat actors would delete all copies of the stolen data and not publish, sell, or otherwise disclose the data.
The proposed settlement agreement lists more than two dozen Netgain healthcare sector clients that issued breach notices involving the hacking incident. The complaint alleges the sensitive information of “hundreds of thousands” of individuals was affected by the hack (see: Breach Victims Piling Up in Wake of Cloud Vendor Attack).
Breach notification letters sent by Netgain healthcare sector clients to affected patients said a variety of information was potentially compromised in the data theft. That includes names, dates of birth, bank account and routing numbers, Social Security numbers, driver’s license numbers, medical records, health insurance policy numbers and employee health information.
An attorney representing Netgain in the litigation did not immediately respond to Information Security Media Group’s request for comment on the lawsuit allegations and proposed settlement.
Third-Party Risk
Netgain is among a long and growing list of third-party service providers and other HIPAA business associates that have reported major breaches in recent years and have subsequently faced lengthy and expensive class action litigation.
“Business associates, such as Netgain, are prime targets for criminal attacks because a successful breach can yield data on hundreds of thousands of people,” Hales said. “Lawyers are prepared to act swiftly in response to reported health data breaches, and class-action litigation is growing rapidly,” he said.
Cyber insurance can offer other entities protection in preparing for these kinds of situations, but it must be carefully sourced, he said.
“The best protection is basic HIPAA compliance. A BA can identify privacy and security risks and mitigate them,” he said. However, published investigations and enforcement actions by federal regulators indicate low HIPAA compliance levels, particularly in areas such as risk analysis and risk management, he said.
Ironically, even law firms that service healthcare sector organizations are not immune from these breach-related lawsuit trends.
Last November, a California federal court finalized an $8 million settlement in a consolidated proposed class action lawsuit against law firm Orrick, Herrington & Sutcliffe involving a hacking incident that affected several healthcare sector and other clients and more than 638,000 individuals (see: Court Finalizes $8M Settlement in Orrick Data Breach Case).