ECL Group Hit with Breach-of-Contract Class Action in Wake of 2021 Ransomware Attacks [UPDATE]
by Erin Shaak
Last Updated on January 11, 2024
Alliance Ophthalmology, PLLC et al. v. ECL Group, LLC
Filed: April 15, 2022 ◆§ 1:22-cv-00296
A lawsuit claims ECL Group failing to provide contracted-for services amid several data breaches while continuing to bill clients “as if nothing had happened.”
North Carolina
January 11, 2023 – ECL Data Breach Lawsuit Settlement Website Live
The official settlement website for the lawsuit detailed on this page is live and can be found at ECLSettlement.com.
Don’t miss out on settlement news like this. Sign up for ClassAction.org’s free weekly newsletter here.
Members of the patient class can file a claim by heading to this page. Members of the physician class can file a claim by heading to this page. To start, enter the unique ID located in your email or postcard notice of the settlement.
If you lost or did not receive a notice, contact the settlement administrator to obtain your unique ID.
Those in the patient settlement class who submit a claim to receive reimbursement for out-of-pocket losses must provide supporting documentation, such as receipts or account statements. Patient class members can also file a claim for a pro-rated share of the settlement fund, the amount of which will depend on how many valid claims are submitted.
Claims must be submitted online or by mail by March 14, 2024.
Payment will be distributed if and when the deal receives final approval from the court and pending the resolution of any appeals. A fairness hearing for this settlement is set to take place on February 13, 2024.
Members of the physician class who file a claim to receive billing credits should have access to these credits within a year after the settlement administrator finds the claim to be valid, the site states. For more information about how the billing credits work, head to this page.
Details of the settlement can be found in the update below.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
December 19, 2023 – Eye Care Leaders Data Breach Lawsuits Settled for Over $4 Million
The proposed class action detailed on this page and several related lawsuits have been settled with a deal that, if approved, would provide patients and physicians impacted by the 2019-2021 Eye Care Leaders data breaches millions in damages.
Don’t miss out on settlement news like this. Sign up for ClassAction.org’s free weekly newsletter here.
The settlement aims to cover certain groups of patients and ophthalmology practices impacted by the Eye Care Leaders ransomware service outages.
The “patient class” includes all United States residents whose personal or health information was compromised during one or more of the ransomware attacks experienced by the defendants from 2019 to 2021, including anyone who received notice about the data breaches.
The “physician class” includes all individuals and entities who contracted with one or more of the defendants for electronic medical record services using the iMedicWare software, myCare Integrity software or MVE software and experienced outages for any period of time since January 1, 2019 due to ransomware attacks or any other reasons. The proposed physician class also includes all persons and entities who contracted with one or more of the defendants and received services from Alta Billing and Alta Billing Holdings for revenue cycle management services and who have received delinquent revenue cycle services for any period of time since January 1, 2019, and/or whose transaction information was possibly compromised from ransomware attacks or any other reasons.
The proposed deal, which the parties submitted to the court on July 28, 2023, provides for the creation of a $2,616,783 settlement fund for the patient class and a $1,460,449.50 settlement fund for the physician class. These dollar amounts, court documents state, comprise the entirety of the insurance funds available to the defendants.
Those in the patient class who submit a timely, valid claim can receive up to $5,000 for out-of-pocket expenses, and the funds allotted to the physician class will be distributed equally among those who file claims.
Per court documents, because the patient settlement class has potential legal claims against the physician settlement class, the former has agreed to release its claims against the latter in exchange for the physician group “accepting a smaller settlement fund.”
In addition, the defendants have agreed to assign their rights under two insurance policies to the physician class. If any insurance money is obtained under those policies, 67 percent of the funds will be contributed to the physician settlement fund to be distributed equally to valid claimants. Further, the settlement will provide account credits, with a potential value of more than $5.7 million, to users of the myCare Integrity, iMedicWare and MVE software who did not previously receive a credit of equal or greater value and who held a license with the defendants as of April or May 2023.
Lastly, the defendants, as part of the proposed settlement, have agreed to stop all collection efforts related to any unpaid invoices for months in which there was a service outage, and parties in the physician class may cancel their contracts with the defendants without penalty.
Court documents state that the defendants’ debt liabilities “dwarf their assets,” which are “locked up by state court orders,” and that the companies’ insurance funds are diminishing, meaning there exist “limited funds to satisfy any judgment” reached through a trial. The parties told the court in their request for preliminary settlement approval that the proposed deal “is in the best interest of all members of the settlement classes.”
A significant factor overhanging the settlement negotiations was Greg E. Lindberg, as the defendants, court documents share, are among several companies that were allegedly funded with assets that belonged to insurance companies he once owned and operated. Those insurance companies are now subject to rehabilitation proceedings in North Carolina state court, and as a result of orders stemming from those proceedings, the defendants must use all available resources to repay the insurance companies roughly $1.275 billion.
“This effectively means that the only assets available to pay the settlement class’s claims are the proceeds of several insurance policies purchased by Defendants, which are subject to wasting clauses and would likely be exhausted by continued litigation,” court records share. “Settling this matter now will thus maximize the remaining coverage available to pay the class members’ claims.”
In 2020, Lindberg was convicted of conspiracy to commit honest services wire fraud and bribery concerning programs receiving federal funds and was sentenced to 87 months in prison, settlement documents relay. The case remains pending as the Fourth Circuit Court of Appeals overturned his conviction in 2022.
In February of this year, Lindberg was charged with conspiracy to commit crimes in connection with insurance businesses, wire fraud and investment advisor fraud, as well as four counts of false insurance business statements presented to regulators, other counts related to insurance business solvency statements and one count of money laundering conspiracy, court documents add. That case is stayed pending the resolution of the 2020 case.
ClassAction.org will update this page with any developments on the proposed settlement, including if and when an official settlement website goes live.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
ECL Group, LLC faces a proposed class action that claims the company has breached its agreements with healthcare providers by failing to provide contracted-for services amid several data breaches while continuing to bill clients “as if nothing had happened.”
According to the 25-page lawsuit, the practice management support services company has breached its contracts with licensees by failing to restore access to its billing, recordkeeping and other practice management services in the wake of ransomware attacks in March and August 2021.
Moreover, ECL allegedly concealed the breaches from its clients for weeks or months and misrepresented why and for how long its services would be inaccessible. Adding insult to injury, the defendant then billed clients for “services that were never provided,” according to the suit.
The case, filed by three Texas-based ophthalmology practices, claims those who use ECL’s iMedicWare and myCare Integrity software have had their practices endure the “crippling effect” of the data breaches while remaining in the dark as to what was going on.
“Instead of working diligently to restore service, keeping its clients apprised of such efforts, and mitigating any damages, ECL did the opposite,” the complaint scathes. “ECL misrepresented to its clients what truly happened, continually promised service would be restored when it was not (to encourage physicians not to move to new service providers), and invoiced its clients for services that were never provided.”
According to the complaint, ECL contracts with healthcare providers to provide revenue cycle management and maintenance of electronic medical records. The case says that despite various representations in its contracts concerning the company’s ability to restore service to clients during outages, maintain the security of patients’ information and promptly inform licensees of any unauthorized access to their data, the defendant failed to do so.
The lawsuit more specifically states that when ECL experienced a ransomware attack in March 2021, the resulting outage “caused severe disruption” to licensees’ practices by blocking their access to patient data. Per the case, clients could not access ECL’s iMedicWare software for four to seven days while ECL attempted to “hide what happened” in order to avoid having to pay fee concessions to clients as specified in its contracts.
Though the defendant initially characterized the outage as a “technical issue,” ECL eventually disclosed on March 26, 2021 that it had experienced a data breach, the case says.
The suit alleges that even though ECL failed to provide access to its iMedicWare service for at least 95 percent of that month, the defendant still billed clients for the entire monthly service fee, in violation of its contracts.
The case goes on to state that ECL experienced another ransomware attack in August 2021 that impacted its myCare Integrity software. Per the suit, the attack was orchestrated by a former employee who used prior credentials to “wreak[] havoc” on the defendant’s systems. The lawsuit says ECL once again hid from clients that it had experienced a data breach and, even after disclosing the attack, misrepresented how long it would take to restore access to myCare Integrity.
“ECL effectively hid from licensees that the widespread outages it was experiencing would last for weeks on end,” the complaint states, alleging that practices were forced to expend significant time and resources ensuring that patients’ data would be kept safe.
Per the case, licensees were locked out of ECL’s services “for months on end” due to the breach and ultimately lost patients as a result.
Moreover, when one of the plaintiff practices attempted to transition to a different electronic medical record software, ECL could not export the provider’s data despite being required to do so at no cost, as provided in its contract.
The lawsuit lastly claims that ECL failed to provide its contracted-for revenue cycle management services due to “repeated problems” with third-party vendor Alta Medical Management. According to the suit, Alta consistently made billing errors and “simply failed to properly perform revenue cycle services and billing practices” that ECL had agreed to provide per its contracts.
The suit notes that Greg E. Lindberg, ECL’s sole manager, was convicted last year of conspiracy to commit honest services wire fraud and bribery concerning programs receiving federal funds and was sentenced to 87 months in prison.
The case looks to cover all persons or entities who contracted with ECL for electronic medical records management services using the iMedicWare software or myCare Integrity software and suffered outages for any period of time since January 1, 2020 due to ransomware attacks “or any other reasons.”
The suit also proposes to cover anyone who contracted with ECL for revenue cycle management services and received “delinquent” revenue cycle services for any period of time since January 1, 2020.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.
Read more here: Hair Relaxer Cancer Lawsuits
How Do I Join a Class Action Lawsuit?
Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?
Read more here: How Do I Join a Class Action Lawsuit?
Stay Current
Sign Up For
Our Newsletter
New cases and investigations, settlement deadlines, and news straight to your inbox.
Before commenting, please review our comment policy.