A consolidated class action lawsuit against Long Island Plastic Surgical Group, P.C has been resolved with a $2,600,000 settlement. Legal action was taken by patients of the Garden City, New York-based private, academic plastic surgery practice in response to a January 4, 2024, ransomware attack by the ALPHV/BlackCat ransomware group. The forensic investigation confirmed that the BlackCat group accessed its network between January 4, 2024, and January 8, 2024, and used ransomware to encrypt files. Prior to encrypting files, sensitive data was exfiltrated from the network, including personal identifiable information (PII) and protected health information (PHI).
Data stolen in the incident included full names, Social Security numbers, driver’s license numbers or state identification numbers, dates of birth, biometric information, account numbers, credit or debit card information, medical information, patient photographs, health insurance policy information, and patient account numbers. In total, more than 161,000 current and former patients were affected. The BlackCat ransomware group demanded payment to prevent the publication of the stolen data on its dark web data leak site. Long Island Plastic Surgical Group chose to pay the ransom to prevent the release of the stolen data and received confirmation that the stolen data had been deleted.
On October 4, 2024, the affected individuals were notified by mail. Shortly after issuing notifications, seven putative class action lawsuits were filed by patients over the incident, alleging they had suffered harm as a result of the data breach. The lawsuits were consolidated – Baum et al. v. Long Island Plastic Surgical Group, P.C. – in the Supreme Court of the State of New York, County of Nassau.
The consolidated lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the New York Consumer Law for Deceptive Acts and Practices Act. Long Island Plastic Surgical Group denies the allegations and all liability, including claims that the defendants suffered any injury or damage as a result of the incident. To avoid the time, expense, and uncertainties of defending protracted litigation, the defendant agreed to settle the litigation. Class counsel and the class representatives agreed to the settlement as they concluded it was in the best interests of the class members.
Under the terms of the settlement, Long Island Plastic Surgical Group will establish a $2,600,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or they may choose to receive an alternative pro rata cash payment. An additional pro rata cash payment of up to $1,000 may be claimed by class members who had clinical photographs compromised in the incident.
The amount paid to class members claiming alternative cash payments will depend on the number of claims received, including claims for the additional cash payments. The additional cash payments may also be reduced depending on the remaining funds after legal costs and expenses, service awards, administration and notification costs, and claims for reimbursement of losses have been paid. The deadline for objection to and exclusion from the settlement is May 4, 2026. Claims must be submitted by May 18, 2026, and the final approval hearing has been scheduled for June 2, 2026.
The post Long Island Plastic Surgical Group Settles Class Action Lawsuit Over BlackCat Ransomware Attack appeared first on The HIPAA Journal.