Iowa Attorney General Brenna Bird has filed a lawsuit against Change Healthcare, UnitedHealth Group, and Optum over the February 2024 ransomware attack that resulted in the theft of the electronic protected health information of 192.7 million Americans, including 2.2 million Iowans.
AG Bird accuses the defendants of making false representations about their cybersecurity practices and systems, both before and after the cyberattack, and of playing down the seriousness of the incident in the February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC). That filing stated only that a suspected nation state actor had gained access to some of Change Healthcare’s information systems and that the affected systems had been isolated.
AG Bird said that what the filing described as a relatively benign isolation of systems was in fact the largest healthcare data breach in U.S. history, and one of the largest data breaches of any kind in the United States. “The breach and subsequent shutdown of services, without warning and without adequate backup and redundancies, was so great that it sent the entire U.S. healthcare system into a virtual meltdown,” AG Bird stated in the lawsuit.
Cybercriminals have long targeted U.S. healthcare organizations. Given the high volume of attacks, the volume of sensitive data that flowed through Change Healthcare’s systems, and the impact a ransomware attack would have, the lawsuit argues that the defendants should have known they would be a prime target. Despite this, AG Bird alleged, the security measures implemented were insufficient and did not match the standards the defendants claimed to follow. The lawsuit alleges that the Change Healthcare cyberattack and data breach “occurred because Change’s systems were insecure, outdated, and lacked appropriate segmentation and redundancies—in violation of Change’s advertised practices, company policies, federal privacy requirements, and basic standards of enterprise information security.”
According to the lawsuit, following a Congressional inquiry into the incident, and over the course of many months, “it became clear that defendants materially misrepresented the quality and characteristics of their cybersecurity systems to Iowans and to Iowa healthcare providers, in violation of Iowa law.” In addition to the failure to adequately secure its systems and sensitive data, AG Bird took issue with the time taken to notify the affected individuals, some of whom only learned that their data had been compromised 20 months after it was stolen.
The lawsuit asserts claims under the Iowa Code for violations of the Iowa Consumer Fraud Act and the Personal Information Security Breach Protection Act. It seeks civil monetary penalties of $40,000 per violation of Iowa Code § 714.16(7), civil penalties of $5,000 for each violation of the Iowa Consumer Fraud Act, disgorgement to the Attorney General of all money or property acquired in violation of the Iowa Consumer Fraud Act, and damages on behalf of all persons injured by the violations of the Iowa Personal Information Security Breach Protection Act. The lawsuit also seeks to enjoin the defendants from continuing to engage in unlawful practices under the Iowa Code.
The post Iowa AG Sues Change Healthcare Over 2024 Ransomware Attack appeared first on The HIPAA Journal.