Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

The Texas health system Ernest Health is being sued by patients who had their protected health information compromised in a recent cyberattack. This is likely to be one of many lawsuits filed against Ernest Health over the theft of at least 94,747 patients’ data. Ernest Health operates hospitals in Arizona, California, Colorado, Idaho, Indiana, Montana, New Mexico, Ohio, South Carolina, Texas, Utah, Wisconsin, and Wyoming. On February 1, 2024, suspicious activity was detected in its networks, with the investigation confirming there had been unauthorized access to its network between January 16, 2024, and February 4, 2024. The LockBit ransomware group claimed responsibility for the attack and threatened to publish the stolen data on its leak site. Ernest Health said the compromised information included names, contact information, dates of birth, health plan IDs, health data, Social Security numbers, and driver’s license numbers.

A lawsuit has been filed by Joe Lara and Lauri Cook on behalf of themselves and similarly situated individuals who had their personal and protected health information compromised in the Ernest Health cyberattack. The lawsuit alleges that Ernest Health lost control of the data of current and former patients due to insufficient cybersecurity safeguards and a lack of cybersecurity training for its employees, which meant it had no effective means to prevent, detect, or stop the attack. The plaintiffs argue that it took 73 days from the initial compromise for Ernest Health to issue individual notifications, which denied them the opportunity to mitigate their injuries in a timely manner.

While Ernest Health said it has implemented additional safeguards in response to the breach, the plaintiffs claim the health system has done too little, too late, and that the offer of credit monitoring and identity theft protection services is wholly insufficient. The lawsuit alleges negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty and seeks a jury trial, declaratory and other equitable relief, injunctive relief, and compensatory, exemplary, punitive damages, and statutory damages. The plaintiffs and class are represented by Joe Kendall of the Kendall Law Group, and Samuel J. Strauss and Raina Borrelli of the law firm, Turke & Strauss.

The post Ernest Health Sued Over 2024 Ransomware Attack and Data Breach appeared first on HIPAA Journal.

MedData Settles Class Action Data Breach Lawsuit for $7 Million

Last month, the Spring, TX-based revenue cycle management firm MedData agreed to a $7 million settlement to resolve a class action lawsuit filed following the exposure of the personal and health information of 136,000 individuals on a public-facing website.

MedData helps healthcare providers and health plans by processing Medicaid eligibility, third-party liability, workers’ compensation, and patient billing, including healthcare providers and health plans such as Memorial Hermann, Aspirus Health Plan, OSF HealthCare, and the University of Chicago Medical Center. All of those HIPAA-covered entities had member and patient data exposed by MedData.

Between December 2018 and September 2019, a MedData employee inadvertently uploaded the data to personal folders on GitHub Arctic Code Vault, which is a public-facing part of the GitHub website. The data remained there unprotected and exposed for more than a year. MedData was informed about the data exposure by a security researcher on December 10, 2020, and the files were removed from GitHub on December 17, 2020.

MedData has faced 5 class action lawsuits over the data breach, four of which have been dismissed. This amended lawsuit is the last remaining action against MedData over the data breach. Under the terms of the settlement, class members can choose one of two payment tiers. The first option allows class members to claim back documented, unreimbursed out-of-pocket expenses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, class members can claim up to $500 for “de-minimis” or minimal affirmative action in response to being notified about the data breach. Regardless of the option chosen, class members can also claim 36 months of health data and fraud monitoring services at no cost. Those services include a $1 million identity theft insurance policy.

The settlement also requires MedData to implement and maintain an enhanced cybersecurity program, which must include robust monitoring and auditing for data security issues, annual cybersecurity testing, training on data privacy for employees, data encryption, enhanced access controls, annual penetration testing, a data deletion policy, and a monitored internal whistleblowing mechanism. The board must also consider appropriate cybersecurity spending annually, and regularly update internal security policies and procedures.

The post MedData Settles Class Action Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.

FTC Prohibits Alcohol Addiction Firm from Sharing Consumer Data with Third Parties

The Federal Trade Commission (FTC) has ordered the alcohol addiction treatment firm Monument to stop disclosing consumers’ health data to third parties for advertising purposes without obtaining affirmative consent. A $2.5 million civil monetary penalty has also been imposed but the penalty has been suspended due to the inability of Monument to pay.

The FTC’s proposed order settles FTC charges that Monument disclosed consumers’ personal and health information to third parties such as Google and Meta between 2020 and 2022 without obtaining consent. The data disclosed revealed that customers were receiving help with alcohol addiction when Monument had informed its customers that their data would remain 100% confidential.

When customers sign up for Monument’s services, they disclose sensitive information including their name, email address, date of birth, phone number, address, information about their alcohol consumption, medical history, copies of their government-issued IDs, and their IP address and device IDs are collected. According to the complaint, between 2020 and 2022, Monument informed consumers on its website and in communications that the personal and health information provided to the company would be 100% confidential and would not be disclosed to third parties without user consent. Monument also claimed that it was compliant with the Health Insurance Portability and Accountability Act (HIPAA).

However, Monument added tracking technologies to its website, also known as pixels and application programming interfaces (APIs), which were used to collect information that allowed it to target ads for its services to new consumers and current customers who had signed up for the lowest-cost memberships. Monument classified website interactions under standard and custom events, with the latter given descriptive titles such as “Paid: Weekly Therapy” or “Paid: Med Management,” when a user signed up for a service.

The “custom events” information was disclosed to advertising platforms along with users’ email addresses, IP addresses, and other identifiers, that allowed individuals to be identified and associated with the custom events. The descriptions confirmed that the individuals were receiving treatment for alcohol addiction. Monument did not track the disclosures nor maintain an inventory of the information it collected and disclosed to third parties; however, according to the FTC, as many as 84,000 of its users had their information disclosed to third parties without consent.

These disclosures were deemed to constitute unfair and deceptive practices that violated the FTC Act and the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA). The $2.5 million civil monetary penalty will have to be paid if the company is found to have misrepresented its finances. Monument must also identify the user data it has sent to third parties and instruct them to delete the data, implement a comprehensive privacy program with strong safeguards to protect consumer data and address the issues the FTC identified in its complaint, and inform consumers whose information has been disclosed to third parties for advertising purposes. The FTC order now awaits approval from a District Court judge.

“This action continues the FTC’s work to ensure strict limits on how firms handle sensitive health data, rather than putting the onus on consumers to protect themselves,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Following on the heels of actions against GoodRx, BetterHelp, and Premom, the market should be getting the message that consumer health data should be handled with extreme caution.”

The FTC has also recently taken action against the mental health telehealth company Cerebral and has ordered the company to pay a $7.1 million penalty.

The post FTC Prohibits Alcohol Addiction Firm from Sharing Consumer Data with Third Parties appeared first on HIPAA Journal.