Long Island Plastic Surgical Group Settles Class Action Lawsuit Over BlackCat Ransomware Attack

A consolidated class action lawsuit against Long Island Plastic Surgical Group, P.C., has been resolved with a $2,600,000 settlement. Legal action was taken by patients of the Garden City, New York-based private, academic plastic surgery practice in response to a January 4, 2024, ransomware attack by the ALPHV/BlackCat ransomware group. The forensic investigation confirmed that the BlackCat group accessed the practice’s network between January 4, 2024, and January 8, 2024, and used ransomware to encrypt files. Prior to encrypting files, sensitive data was exfiltrated from the network, including personally identifiable information (PII) and protected health information (PHI).

Data stolen in the incident included full names, Social Security numbers, driver’s license numbers or state identification numbers, dates of birth, biometric information, account numbers, credit or debit card information, medical information, patient photographs, health insurance policy information, and patient account numbers. In total, more than 161,000 current and former patients were affected. The BlackCat ransomware group demanded payment to prevent the publication of the stolen data on its dark web data leak site. Long Island Plastic Surgical Group chose to pay the ransom to prevent the release of the stolen data and received confirmation that the stolen data had been deleted.

On October 4, 2024, the affected individuals were notified by mail. Shortly after issuing notifications, seven putative class action lawsuits were filed by patients over the incident, alleging they had suffered harm as a result of the data breach. The lawsuits were consolidated – Baum et al. v. Long Island Plastic Surgical Group, P.C. – in the Supreme Court of the State of New York, County of Nassau.

The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the New York Consumer Law for Deceptive Acts and Practices Act. Long Island Plastic Surgical Group denies the allegations and all liability, including claims that the plaintiffs suffered any injury or damage as a result of the incident. To avoid the time, expense, and uncertainties of defending protracted litigation, the defendant agreed to settle the litigation. Class counsel and the class representatives agreed to the settlement as they concluded it was in the best interests of the class members.

Under the terms of the settlement, Long Island Plastic Surgical Group will establish a $2,600,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may choose to receive an alternative pro rata cash payment. An additional pro rata cash payment of up to $1,000 may be claimed by class members who had clinical photographs compromised in the incident.

The amount paid to class members claiming alternative cash payments will depend on the number of claims received, including claims for the additional cash payments. The additional cash payments may also be reduced depending on the remaining funds after legal costs and expenses, service awards, administration and notification costs, and claims for reimbursement of losses have been paid. The deadline for objection to and exclusion from the settlement is May 4, 2026. Claims must be submitted by May 18, 2026, and the final approval hearing has been scheduled for June 2, 2026.

The post Long Island Plastic Surgical Group Settles Class Action Lawsuit Over BlackCat Ransomware Attack appeared first on The HIPAA Journal.

Orthopaedic Institute of Western Kentucky Patients Affected by Vendor Data Breach

Orthopaedic Institute of Western Kentucky has notified patients that their PHI was compromised in two security incidents at their managed IT services provider. Supportive Home Health Care and Patriot Outpatient has identified unauthorized access to an employee’s email account.

Orthopaedic Institute of Western Kentucky

Orthopaedic Institute of Western Kentucky (now Mercy Health — Western Kentucky Orthopedics) in Paducah, Kentucky, has been affected by two security incidents at one of its business associates, the managed IT services provider Keystone Technologies.

Keystone Technologies notified the orthopedic institute about unauthorized access to Keystone systems on two occasions: the first between April 21, 2025, and April 26, 2025, and the second between July 19, 2025, and August 1, 2025. During both periods, unauthorized individuals exfiltrated files containing patient information. The affected files were reviewed, and the affected individuals were identified in December 2025 and January 2026. Data compromised in the incident included names, addresses, dates of birth, medical record numbers, Social Security numbers, treatment information, and health insurance information. Electronic medical records were not subject to unauthorized access, nor were any of Mercy Health’s systems.

The affected individuals have now been notified and offered a complimentary 12-month membership to a credit monitoring and identity theft protection service. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Supportive Home Health Care and Patriot Outpatient

Superior Care Plus, LLC, doing business as Supportive Home Health Care and Patriot Outpatient, LLC (Patriot), a provider of home healthcare services in Northeast Ohio, has announced a data breach affecting 1,415 of its patients.

On November 17, 2025, suspicious activity was identified within an employee’s email account. An investigation was launched to determine the nature and scope of the activity, and Patriot confirmed that the email account was compromised as a result of the employee responding to a phishing email. No other email accounts or systems were compromised in the incident.

On January 9, 2026, the forensic investigation was completed, and Patriot confirmed that the compromised account contained first and last names, city/ZIP codes, email addresses, health insurance policy numbers, medical treatment information, admission/discharge dates, patient logs, referring facility, start care date, policy name, and referring primary care physician name. A limited number of individuals also had their Social Security numbers and/or Medicare numbers exposed.

Patriot has taken several steps to prevent further unauthorized access to email data. The affected email account was deleted, and a new account was created for the individual, rather than reactivating the account after a password change. Further training has been provided to the workforce on email security and phishing email identification, and third-party cybersecurity experts have helped Patriot enhance its technical security measures and procedures.


Iran-Linked Hacking Group Wipes Data of Leading U.S. Medical Device Manufacturer

Stryker, a U.S. medical device and medical equipment manufacturer based in Portage, Michigan, is dealing with a cyberattack linked to the current U.S. military action in Iran. The cyberattack started shortly after midnight and has caused an outage of systems across the organization. An Iran-linked hacking group has claimed responsibility for the attack.

Stryker has operations in 61 countries and has a global workforce of more than 56,000 employees. Stryker said in a filing with the U.S. Securities and Exchange Commission (SEC) that the attack has caused and is expected to continue to cause “disruptions and limitations of access to certain of the Company’s information systems and business applications.” Stryker is currently unable to provide a timeline for when systems and data will be recovered and when normal operations will resume.

This does not appear to have been a ransomware attack, but rather a data theft and wiping attack. The attack affected Stryker’s Microsoft programs, including the wiping of Windows-based devices such as mobile phones and laptops. Stryker said it has found no indications that ransomware or malware was used, and said it believes it has contained the attack. An investigation has been launched to determine the impact of the attack on its computer systems.

According to the Wall Street Journal, Stryker’s login pages were defaced with the hacking group’s logo. Stryker said it has business continuity measures in place and will continue to support its customers and partners while it recovers from the attack. Stryker has also committed to transparency and said it will keep stakeholders informed as the investigation and recovery processes progress.

An Iran-linked hacking group called Handala immediately claimed responsibility for the attack in an announcement on X. The group claimed that its attack caused disruption at 79 Stryker offices around the world, wiped more than 200,000 systems, servers, and mobile devices, and exfiltrated 50 terabytes of data. “We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,” the group said in a post on X.

While the initial access vector is not known, security researcher Kevin Beaumont suggests that Handala actors gained access to Stryker’s Active Directory services and used the Microsoft endpoint management tool Intune to remotely wipe Microsoft devices, including devices used by employees managed under its bring-your-own-device policy.

While Handala appears at face value to be a hacktivist group, the group has been linked to Iran’s Ministry of Intelligence and Security. Palo Alto Networks suggests that Handala is part of the Ministry of Intelligence and Security and masquerades as a hacktivist group, allowing Iran to deny responsibility for its cyber operations.

While Iran has executed a military response to the US-Israel military action, retaliation for the attacks was always likely to involve more than just missiles. Iran has sophisticated cyber capabilities, and any response was likely to take place in cyberspace. Iranian officials stated this week that Tehran would expand its targeting to include economic centers and banks tied to the United States or Israel, and that U.S. companies with ties to the U.S. military or Israel would also be attacked. Stryker has a presence in Israel, including OrthoSpace, an orthopedic device maker that the company acquired in 2019. Handala claimed that Stryker was “a Zionist-rooted corporation.”

“Attacks like this unfortunately aren’t surprising. Even before the latest geopolitical tensions, hacktivist activity targeting healthcare and other critical infrastructure had been steadily increasing, and that trend makes organizations like medical device manufacturers and hospitals more likely to be caught in the crossfire. In many cases, attackers simply find the path of least resistance—an exposed system, an unsecured management console, or credentials that allow them to move deeper into the environment—and once they gain administrative access, they effectively hold the keys to the kingdom and can disrupt everything from mobile devices to operational systems,” Skip Sorrels, Field CTO and CISO, Claroty, said in a statement provided to The HIPAA Journal. “As a former ICU nurse, I’ve seen firsthand how even small technology outages ripple through care delivery, which is why cybersecurity in healthcare must be treated as part of patient safety, with organizations prioritizing visibility into their cyber-physical systems and closing those “open doors” before attackers find them.”

Steve Povolny, Vice President of AI Strategy & Security Research at Exabeam, told The HIPAA Journal that the attack illustrates how cyber operations are increasingly becoming the asymmetric response of choice during periods of regional conflict or political tension, and that cyber activity from proxy groups provides Tehran with a deniable way to impose costs on Western economies and technology ecosystems.

“Groups like Handala blur the line between hacktivism and state operations, giving governments plausible deniability while still achieving strategic signaling. The cautionary lesson for defenders is that these campaigns are rarely isolated events,” said Povolny. “They are often part of a broader pressure strategy designed to create disruption across multiple industries that support national stability, from healthcare and logistics to energy and manufacturing. Organizations that do not traditionally view themselves as geopolitical targets may increasingly find themselves on the front lines of state-linked cyber conflict.”
