NBEO settles class action in alleged data breach, $3.25 million to affected parties

The National Board of Examiners in Optometry (NBEO) will allot $3.25 million in a cash settlement fund to compensate some 61,000 victims of an alleged data breach that gripped the profession in 2016.

In a court ruling posted March 7, Chief U.S. District Judge James K. Bredar of Maryland gave preliminary approval to the class action settlement that not only establishes a means of financial reimbursement and credit monitoring services for affected individuals, but also outlines steps NBEO will take to significantly upgrade its data security practices.

The class action settlement comes nearly three years after large numbers of optometry students and doctors of optometry nationwide began reporting identity theft, particularly stolen Social Security numbers (SSNs) and other personal information used to apply for Chase Amazon Visa credit cards. Following the breach, thirteen doctors of optometry filed three separate actions against NBEO—since consolidated into the current case—claiming the targeted information was available and maintained by the testing organization as a requirement for certifying exams and credentialing. However, the NBEO still disputes it was the source of the breach.

Per the preliminary settlement agreement, the court agreed to deem eligible anyone whose personal information was stored in NEBO's systems as of Nov. 15, 2018, or anyone receiving a legal notice stating they are a class member. The $3.25 million settlement fund will be used to provide benefits for:

• Reimbursement for documented, traceable out-of-pocket losses. Class members can submit a claim for reimbursement up to a maximum $7,500 for losses fairly traceable to the alleged data breach; professional fees, such as attorneys' fees or credit repair services; miscellaneous notary, fax, postage or mileage charges; credit monitoring or identity theft protection services incurred after June 1, 2016; and costs associated with freezing or unfreezing credit with any credit reporting agencies.
• Reimbursement for attested time. Class members can submit a claim for reimbursement up to a maximum $1,000 for time spent remedying issues related to the alleged breach. You may receive reimbursement for up to 20 hours at $25/hour with an attestation and brief description of the actions taken due to the breach and time associated with each action. Claims up to 40 hours require additional documentation, as noted in the settlement notice.
• Free, three-bureau credit monitoring services. Class members may submit a claim to enroll in three years of no-cost, credit monitoring services through Identity Guard. The benefit includes up to $1 million in reimbursement insurance covering losses due to identity theft or fraud, authentication alerts, Dark Web monitoring and other threat alerts.
• Free identity restoration services. Class members will receive free access to identity restoration services through Identity Guard to assist with placing fraud alerts at credit bureaus, disputing inaccurate information on credit reports, scheduling calls with creditors and other service providers, and working with law enforcement and government agencies to dispute fraudulent information.

The NBEO also agreed to pay additional administrative costs, fees and service awards related to the settlement that will be drawn from the $3.25 million fund, in addition to taking substantive changes to overhaul its data security. Specifically, the NBEO will retain an independent security firm to conduct a written risk assessment of the board's data security, encrypt exam-takers' personal information, and discontinue storage of nine-digit SSNs in its electronic databases, per a legal notice.

Although Judge Bredar gave preliminary approval to the settlement, a final approval hearing is scheduled for July 12, 2019, after the claims process has run, and settlement benefits may begin once the court enters a final judgement. In the meantime, notices of settlement will be sent to up to 61,000 people believed affected by the alleged data breach with detailed instructions and information about the settlement and how to submit a claim.

The claims process will be managed by third-party settlement administrator, Heffler Claims Group. The settlement notice will include information about how affected individuals may contact the administrator with any questions they may have regarding the process. You must submit your Claim Form on-line no later than Monday, July 8, 2019, or mail your completed paper Claim Form so that it is postmarked no later than Monday, July 8, 2019.

AOA advocates for doctors, students throughout

In August 2016, word began circulating of fraudulent credit applications or other credit and financial damages associated with stolen personal information uniquely targeting optometry students and doctors of optometry. The AOA immediately conducted its own internal investigation, finding no breach of its own databases, and began directing affected parties to take appropriate steps to mitigate damages. As the situation progressed, it became clear that SSNs were the targeted personal information, prompting then-AOA President Andrea P. Thau, O.D., to call on NBEO to provide reassurances on its data security.

Lacking a formal reply, AOA's Board of Trustees took additional action in October 2016 and lobbied for optometric organizations and testing agencies to eliminate use of SSNs as personal identifiers. The NBEO later announced it discontinued use of SSNs in favor of a new numbering system, a move Dr. Thau called a step in the right direction "to provide peace of mind for our members and colleagues."

Meanwhile, the alleged data breach continued affecting the profession with multiple waves of malicious credit line openings and other financial damages. In court filings, plaintiffs noted fraudulent use of their information into 2017 and later. Throughout, AOA repeatedly called on the responsible party to step forward and provide a remedy. So, too, AOA relayed information to members and students on how to mitigate damage from an alleged breach, including hosting a listening session with the Federal Trade Commission's (FTC's) Bureau of Consumer Protection, Division of Privacy and Identity Protection.

Read more about steps victims can take to mitigate damages in the event of a data breach.

For more information about the NBEO class action settlement please visit www.nbeosettlement.com or call 1.877.451.2127