
Nonstop Administration & Insurance Services Breach Settlement Overview

  • Writer: Avraham Cohen
  • Apr 27, 2025
  • 8 min read

If you are in a hurry -> Lessons and Best Practices for CISOs


Introduction

In late 2022, Nonstop Administration & Insurance Services, Inc. (“Nonstop” or “Nonstop Health”), a California-based third-party administrator for self-funded health plans, discovered a major data breach ($1.6M Nonstop Administration and Insurance Services data breach class action settlement).


An unauthorized actor accessed Nonstop’s cloud systems on December 22, 2022, exposing sensitive personal data of plan members and employees.





Class Action and Plaintiffs

In March 2023, a proposed nationwide class action was filed in California (Prutsman, et al. v. Nonstop Admin. & Ins. Servs., Case No. 3:23-cv-01131) on behalf of those affected.


The named plaintiffs (John Prutsman, Sunny Lai, Amira Martz and others) are plan participants or employees whose data was exposed (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


They allege Nonstop failed to protect their information.


Plaintiffs’ attorneys (from Cole & Van Note LLP and Milberg Coleman Bryson Phillips Grossman) represent a putative class of all U.S. individuals whose PHI or personally identifiable information (PII) was leaked, with a California “subclass” for state residents.

The lawsuit alleges multiple legal theories.


At the core are common-law claims (negligence and negligence per se, breach of implied contract, and breach of fiduciary duty) based on Nonstop’s purported failure to secure and safeguard data (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


Plaintiffs also assert statutory claims under various data-privacy and consumer-protection laws.


In California alone, they invoke the Confidentiality of Medical Information Act (CMIA), the Unfair Competition Law (UCL), the California Consumer Privacy Act (CCPA) and the California Customer Records Act (CCRA) ($1.6M Settlement Resolves Nonstop Administration and Insurance Services Data Breach Lawsuit).


The complaint includes state-law claims for other jurisdictions as well (e.g. Alaska and Colorado consumer protection acts).


In sum, the suit contends Nonstop’s lapse in security gives rise to negligence and consumer-protection violations.


As one summary notes, plaintiffs claim Nonstop was “negligent[ly] fail[ing] to implement reasonable cybersecurity measures” that could have prevented the breach (Do You Qualify for Any of February’s Class Action Settlements?).


Alleged Cybersecurity Failures

Plaintiffs detail how Nonstop’s defenses fell short of industry standards.


The complaint alleges hackers “infiltrated Defendant’s inadequately protected network servers” and accessed unencrypted PHI/PII (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


For example, Social Security numbers were allegedly kept in unencrypted form, which plaintiffs say violated California’s data-security requirements for SSNs (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


In legal filings, plaintiffs emphasize Nonstop’s failure to follow basic HIPAA “Security Rule” best practices – using HIPAA as evidence of negligence (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131) (FAQs: Encryption and HIPAA compliance).


They also point to delays in breach response: Nonstop learned of the intrusion in December 2022 but did not notify affected individuals or regulators until February 2023 (Eisner Health Patients’ Confidential Information Leaked in Data Breach at Nonstop Administration and Insurance Services | Console and Associates, P.C. - JDSupra) ($1.6M Settlement Resolves Nonstop Administration and Insurance Services Data Breach Lawsuit).


In short, the class action characterizes the breach as “massive and preventable” (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


It details both technical and administrative lapses: servers lacking sufficient firewall/segmentation, data-at-rest not encrypted, absence of routine security audits, and insufficient incident detection/monitoring.


For instance, the proposed injunctive relief includes orders for Nonstop to encrypt all stored PHI/PII and to segment its network so that a breach in one area cannot spread laterally (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


Settlement and Relief


The company did not admit wrongdoing, but agreed to pay $1.6 million as part of a global resolution of the class claims ($1.6M Nonstop Administration and Insurance Services data breach class action settlement).


The settlement provides for reimbursements to class members for out-of-pocket losses (up to $5,000 per person) related to fraud or misuse of their data, as well as a nominal alternative cash payment (about $50) ($1.6M Settlement Resolves Nonstop Administration and Insurance Services Data Breach Lawsuit).


California residents in the class may also claim a $100 statutory payment under the CCPA ($1.6M Settlement Resolves Nonstop Administration and Insurance Services Data Breach Lawsuit).


Notices have been sent and the claim deadline is in early 2025.


Notably, Nonstop will also implement enhanced security measures as part of the agreement, effectively binding it to strengthen its defenses against future attacks ($1.6M Settlement Resolves Nonstop Administration and Insurance Services Data Breach Lawsuit).


Legal Claims and Issues

Claim types: The allegations span negligence, contract and privacy-law claims.


Plaintiffs assert Nonstop owed them a duty to protect their PHI/PII.


They allege common-law negligence (and negligence per se based on violation of statutes), breach of an implied contract to keep data secure, and even a breach of fiduciary duty due to the trust inherent in handling personal health information (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


On the statutory side, the case is built on consumer-protection laws.


In California this includes the CMIA (for patient medical data) and the Unfair Competition Law (UCL), as well as California’s Consumer Privacy Act (CCPA) and related “breach notice” rules ($1.6M Settlement Resolves Nonstop Administration and Insurance Services Data Breach Lawsuit).


For example, plaintiffs claim Nonstop violated state law by disclosing medical information without consent, and by failing to maintain reasonable security for sensitive data (including encryption of stored SSNs) as required by Cal. Civ. Code §1798.81.5 (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


The UCL count recites that Nonstop’s security failures constituted “unfair” business practices under Cal. Bus. & Prof. Code §17200 (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


Technical failures: The suit specifically faults Nonstop’s cybersecurity posture.


It alleges Nonstop did not implement “reasonable security measures” commensurate with the sensitivity of the data (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


Key technical claims include: inadequate encryption of PHI/PII, lack of robust intrusion prevention, and failure to timely detect and report the breach (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


(For instance, the complaint notes that if Nonstop had encrypted stored SSNs, the data would have been unusable to thieves (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131) (FAQs: Encryption and HIPAA compliance).)


Plaintiffs also highlight delayed breach notification, implying failures in incident-response processes.


Overall, the legal claims center on Nonstop’s purported failure to meet industry-standard cybersecurity controls (firewalls, encryption, training, monitoring) to keep PHI/PII safe (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


Lessons and Best Practices for CISOs

This case offers cautionary lessons for security leaders.


A chief takeaway is that robust data protection is critical – especially for sensitive health information.


Encryption should be applied wherever possible.


Indeed, the HIPAA Security Rule treats encryption of PHI at rest and in transit as an “addressable” specification: a covered entity must either implement it or document why an equivalent alternative is reasonable, which in practice means encrypting (FAQs: Encryption and HIPAA compliance).


In practice, CISOs should ensure that servers and databases holding Social Security numbers or medical IDs use strong authenticated encryption (e.g. AES-256-GCM) with keys held in a KMS or HSM rather than beside the data; stolen ciphertext is only “unusable to thieves” if the attacker cannot also reach the key or a service that decrypts on request.
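As an added example (not code from the page, the complaint, or Nonstop), the following Go program shows what field-level encryption of stored SSNs looks like in practice: AES-256-GCM from the standard library with the member ID bound in as associated data, plus a keyed blind index so the application can still look a member up by SSN without decrypting every row. The keys, member ID and SSN are constructed placeholders; a real deployment fetches the data key from a KMS/HSM at runtime.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Constructed keys for this example only. In production the data key comes from a
// KMS/HSM at runtime and is never stored beside the database it protects.
var (
	dataKey  = sha256.Sum256([]byte("example-only data encryption key"))
	indexKey = sha256.Sum256([]byte("example-only blind index key"))
)

// StoredMember is the row at rest: the SSN exists only as authenticated
// ciphertext plus a keyed lookup token, never in the clear.
type StoredMember struct {
	MemberID  string
	SSNCipher []byte // nonce || AES-256-GCM ciphertext || tag
	SSNIndex  string // hex(HMAC-SHA256(indexKey, ssn)), for exact-match lookup
}

func newGCM(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:]) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one field with AES-256-GCM, binding the record ID in as
// associated data so a ciphertext copied into another row fails to decrypt.
func encryptField(key [32]byte, recordID, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(recordID)), nil
}

// decryptField fails closed on tampering or on a ciphertext presented under
// the wrong record ID.
func decryptField(key [32]byte, recordID string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return "", fmt.Errorf("record %s: ciphertext too short", recordID)
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("record %s: %w", recordID, err)
	}
	return string(pt), nil
}

// blindIndex is a keyed MAC of the SSN: lookups work without decrypting every
// row, and a dumped table cannot be brute-forced over the ~10^9 possible SSNs
// without the index key (a plain SHA-256 of the SSN could be).
func blindIndex(key [32]byte, ssn string) string {
	mac := hmac.New(sha256.New, key[:])
	mac.Write([]byte(ssn))
	return hex.EncodeToString(mac.Sum(nil))
}

// StoreMember builds the at-rest row; the plaintext SSN lives only in memory.
func StoreMember(id, ssn string) (StoredMember, error) {
	ct, err := encryptField(dataKey, id, ssn)
	if err != nil {
		return StoredMember{}, err
	}
	return StoredMember{MemberID: id, SSNCipher: ct, SSNIndex: blindIndex(indexKey, ssn)}, nil
}

// LookupBySSN finds a member by exact SSN using only the blind index.
func LookupBySSN(db []StoredMember, ssn string) (StoredMember, bool) {
	want := blindIndex(indexKey, ssn)
	for _, m := range db {
		if hmac.Equal([]byte(m.SSNIndex), []byte(want)) {
			return m, true
		}
	}
	return StoredMember{}, false
}

func main() {
	m, _ := StoreMember("M-1001", "123-45-6789") // constructed sample member
	fmt.Printf("at rest: cipher=%x index=%s\n", m.SSNCipher, m.SSNIndex)
	fmt.Println(decryptField(dataKey, "M-1001", m.SSNCipher)) // authorized read
	fmt.Println(decryptField(dataKey, "M-2002", m.SSNCipher)) // same bytes, wrong row: error
}
```

The design point is what a dumped table gives an attacker: random-looking ciphertext and a MAC that cannot be enumerated without the index key. The limits matter too: if the compromised application holds the data key and decrypts on demand, an attacker with application access reads through it regardless, so key custody and access logging on the decrypt path are part of the control, not an afterthought.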


Multi-factor authentication (MFA) is another essential control – it makes account compromise vastly harder (Multifactor Authentication | Cybersecurity and Infrastructure Security Agency CISA).


Network segmentation and firewalls should limit attackers’ lateral movement; the Nonstop complaint explicitly calls for isolating systems so a breach in one area cannot compromise others (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131).


Other best practices include rigorous access controls, continuous monitoring and logging, and regular vulnerability assessments.


An incident-response plan is crucial so any breach is rapidly contained.


Staff training on phishing and secure handling of data can mitigate human errors.


Importantly, CISOs must ensure compliance with legal/security frameworks: non-encrypted SSNs or delayed breach notification can become violations of law (as alleged here).


Maintaining up-to-date policies aligned with HIPAA, NIST/ISO controls and state privacy requirements can provide both security and legal safeguards.


In short, the Nonstop settlement underscores that failure to implement basic cybersecurity hygiene can lead not only to a breach but to costly litigation.


Security executives should see the case as a reminder to proactively audit and bolster controls around PHI/PII – using encryption, MFA, network defenses and other “reasonable” measures to prevent the very claims made here (Prutsman et al. v. Nonstop Administration and Insurance Services, Inc. - 3:23-cv-01131) (FAQs: Encryption and HIPAA compliance).


Demonstrating a culture of security (through training, testing and documentation) is key to avoiding similar lawsuits in the future.


References: ClassAction.org, “$1.6M Settlement Resolves Nonstop Administration and Insurance Services Data Breach Lawsuit”; TopClassActions.com, “$1.6M Nonstop Administration and Insurance Services data breach class action settlement”; The Penny Hoarder, “Do You Qualify for Any of February’s Class Action Settlements?”; Console & Associates, P.C. (JD Supra), “Eisner Health Patients’ Confidential Information Leaked in Data Breach at Nonstop Administration and Insurance Services”; Nonstop Class Action Settlement site; Complaint, Prutsman et al. v. Nonstop Administration and Insurance Services, Inc., Case No. 3:23-cv-01131; CISA, “Multifactor Authentication”; HIPAA Times, “FAQs: Encryption and HIPAA compliance”.

© 2020 by SDO Security