EHealth Inc. has agreed to enter into a settlement that could resolve two class-action lawsuits filed against the company in connection with a January 2017 data security incident.
According to a quarterly regulatory filing made Aug. 7, eHealth in July entered into a binding settlement term sheet with the plaintiffs under which the company would receive a release of all claims that were or could have been alleged related to the unauthorized disclosure at issue in each case. In exchange for the release, eHealth agreed to pay up to $2,500 to each impacted individual for reasonable, documented out-of-pocket losses or expenses related to the incident, up to an aggregate cap of $250,000. Additionally, eHealth agreed to offer three years of identity theft protection to individuals who did not sign up for identity theft protection that the company offered at the time of the incident. The company also agreed not to oppose a request by class counsel for attorney's fees, costs and class representative enhancements of up to $245,000 in the aggregate.
Under a class-action lawsuit filed in January, a complaint alleged that eHealth failed to take necessary precautions required to protect from unauthorized disclosure personally identifiable information contained on the 2016 Form W-2s for its current and former employees at the time. Subsequently, an additional lawsuit was filed against eHealth in April in the Superior Court of the State of California, County of Santa Clara, relating to the same circumstances, the company said in the Aug. 7 filing.
The agreement obligates the company to enter into a joint stipulation for settlement of class action to be agreed upon by the parties. The terms of the settlement are subject to a hearing and court approval.
As of June 30, eHealth recorded an accrual for estimated potential damages related to the data security incident in its consolidated financial statements.