Atlanta Women’s Health Group is facing a class action lawsuit over an April 2023 cyberattack that saw an unauthorized third party gain access to its servers and the sensitive data of tens of thousands of its patients. Atlanta Women’s Health Group discovered the attack on April 12, 2023, and its forensic investigation confirmed that patients’ protected health information had been exposed. The types of information involved included names, dates of birth, patient ID numbers, and other information that may be contained in medical records. It was not possible to determine the exact types of information that were accessed or acquired, so notifications were sent to all individuals who had potentially been affected.

A lawsuit – M.T., vs. Atlanta Women’s Health Group P.C. – was filed in the U.S. District Court for the Northern District of Georgia Atlanta Division that alleged the OB/GYN healthcare provider had implemented inadequate data security measures and breached its duties imposed by law. As a result of those failures, unauthorized individuals were able to gain access to its network and steal highly sensitive patient data. Had appropriate cybersecurity measures been implemented, the cyberattack and data breach could have been avoided.

The lawsuit also alleged that while the Department of Health and Human Services’ Office for Civil Rights was notified about the breach within 60 days of discovery, it took Atlanta Women’s Health Group 10 months to issue email notifications to the plaintiff and class members about the attack and did not explain the reason for the delay. The letters stated that all patients were notified about the attack out of an abundance of caution; however, if that is the case, there was no reason to wait 10 months to send the notifications. The lawsuit also stated that the notification letters did not explain when the attack occurred, only when it was detected, and that while Atlanta Women’s Health Group claimed to have obtained evidence that the hackers had deleted the stolen data, the practice has no proof that the data has been permanently erased and copies of that data have not been made by the attackers.

The lawsuit claims the plaintiff and class members have been “exposed to a present injury in the form of actual misuse of their PII and PHI and have further been exposed to an ongoing substantial, heightened, and imminent risk of financial fraud and identity theft for years to come,” and that they have “suffered numerous actual and concrete injuries and damages.” The lawsuit alleges breach of fiduciary duty, negligence, negligence per se, and invasion of privacy/intrusion upon seclusion and seeks class action certification, a jury trial, and declaratory and injunctive relief. The plaintiffs are represented by MaryBeth V. Gibson of the Gibson Consumer Law Group, LLC; Todd McClelland of Sterlington, PLLC; Michael Sullivan, David H. Bouchard, and Gabriel Knisely of Finch McCranie, LLP.

The post Atlanta Women’s Health Group Sued Over 2023 Ransomware Attack appeared first on HIPAA Journal.

A class action lawsuit against Seattle Children’s Hospital (SCH) over its use of pixels and other tracking technologies on its website has been dismissed with prejudice by a Washington court. Like many other hospitals, SCH had added pixels to its website which could track user behavior on the site. The tracking technologies were used to gather information on how the website was used to improve the site and patient engagement. Depending on a user’s interactions on the website, the pixels may have captured identifiers and health information, which was transferred to third parties.

A lawsuit was filed by parents who had used the site alleging the addition of pixels violated the Washington Privacy Act, Washington Consumer Protection Act, and Washington Uniform Health Care Information Act. They alleged an invasion of privacy, breach of implied contract, conversion, and unjust enrichment. SCH argued that the information gathered by the pixels did not amount to confidential health information and that users had accepted the terms of its privacy policy and by doing so had consented to having anonymous data shared with third parties. In cases where identifying information was disclosed to third parties, it only occurred because the plaintiffs had that information placed on their browsers by third parties such as Facebook, and not by SCH, and that the plaintiffs had consented to having that identifying information placed on their browsers.

In the lawsuit, the plaintiffs alleged that there had been sensitive interactions on the SCH website, and health information related to those interactions was transmitted to third parties. SCH maintained that the sensitive interactions that were described by the plaintiffs could only happen on its patient portal and that pixels and other tracking technologies were not present on the portal. The Washington court sided with SCH and dismissed all of the plaintiffs’ claims with prejudice.

The post Seattle Children’s Hospital Website Tracking Technology Lawsuit Dismissed with Prejudice appeared first on HIPAA Journal.

Planned Parenthood Los Angeles, a provider of reproductive healthcare services in Los Angeles County, has proposed a $6 million settlement to resolve all claims related to a 2021 data breach that exposed the personal information of more than 409,437 patients.

Between October 9, 2021, and October 17, 2021, hackers accessed the Planned Parenthood Los Angeles network, exfiltrated sensitive patient data, and used ransomware to encrypt files. Planned Parenthood discovered the ransomware attack on October 17, 2021, and confirmed on November 4, 2021, that the stolen files contained patient data. The stolen data included names, addresses, dates of birth, diagnoses, health insurance information, and medical information, including procedures and prescriptions.

A lawsuit – In re: Planned Parenthood Los Angeles Data Incident Litigation – was filed in the U.S. District Court of Central California over the data breach that alleged that Planned Parenthood Los Angeles was negligent by failing to implement reasonable and appropriate cybersecurity measures in line with industry standards, and had those measures been implemented, the ransomware attack and data breach could have been avoided. The lawsuit alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA).

According to the lawsuit, the timing of the breach was such that patients would be more likely to suffer harm, as it coincided with Supreme Court debates on abortion. The stolen data also included highly sensitive health information such as abortion procedures, treatment of sexually transmitted diseases, emergency contraception prescriptions, and cancer screening information.

Planned Parenthood Los Angeles chose to settle the lawsuit with no admission of wrongdoing. Claims will be accepted up to a maximum of $10,000 to recover documented losses incurred as a result of the data breach, including bank costs, credit expenses, fraudulent charges, and losses to identity theft and fraud. Class members can also claim up to 7 hours of lost time at $30 per hour and three years of credit monitoring and identity theft protection services, which include a $1 million identity theft protection policy.

Class members will also be entitled to statutory damages, with the payments depending on participation rates. Statutory damages will be paid from the remainder of the $6 million fund after claims have been paid. If there is a 10% participation rate, statutory damages are estimated to be around $66 per class member. Class members are individuals who were notified about the data breach by Planned Parenthood Los Angeles in or around November 2021.

Key Dates:

• Deadline for objection/exclusion: June 6, 2024
• Deadline for claims: June 7, 2024
• Final Hearing: August 8, 2024

The post Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million appeared first on HIPAA Journal.

Planned Parenthood Los Angeles, a provider of reproductive healthcare services in Los Angeles County, has proposed a $6 million settlement to resolve all claims related to a 2021 data breach that exposed the personal information of more than 409,437 patients.

Between October 9, 2021, and October 17, 2021, hackers accessed the Planned Parenthood Los Angeles network, exfiltrated sensitive patient data, and used ransomware to encrypt files. Planned Parenthood discovered the ransomware attack on October 17, 2021, and confirmed on November 4, 2021, that the stolen files contained patient data. The stolen data included names, addresses, dates of birth, diagnoses, health insurance information, and medical information, including procedures and prescriptions.

A lawsuit – In re: Planned Parenthood Los Angeles Data Incident Litigation – was filed in the U.S. District Court of Central California over the data breach that alleged that Planned Parenthood Los Angeles was negligent by failing to implement reasonable and appropriate cybersecurity measures in line with industry standards, and had those measures been implemented, the ransomware attack and data breach could have been avoided. The lawsuit alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA).

According to the lawsuit, the timing of the breach was such that patients would be more likely to suffer harm, as it coincided with Supreme Court debates on abortion. The stolen data also included highly sensitive health information such as abortion procedures, treatment of sexually transmitted diseases, emergency contraception prescriptions, and cancer screening information.

Planned Parenthood Los Angeles chose to settle the lawsuit with no admission of wrongdoing. Claims will be accepted up to a maximum of $10,000 to recover documented losses incurred as a result of the data breach, including bank costs, credit expenses, fraudulent charges, and losses to identity theft and fraud. Class members can also claim up to 7 hours of lost time at $30 per hour and three years of credit monitoring and identity theft protection services, which include a $1 million identity theft protection policy.

Class members will also be entitled to statutory damages, with the payments depending on participation rates. Statutory damages will be paid from the remainder of the $6 million fund after claims have been paid. If there is a 10% participation rate, statutory damages are estimated to be around $66 per class member. Class members are individuals who were notified about the data breach by Planned Parenthood Los Angeles in or around November 2021.

Key Dates:

• Deadline for objection/exclusion: June 6, 2024
• Deadline for claims: June 7, 2024
• Final Hearing: August 8, 2024

The post Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million appeared first on HIPAA Journal.

A lawsuit against CareFirst BlueCross BlueShield that was filed in response to a 2014 data breach has had a contract class certified by a federal judge, 9 years after legal action was initiated. The lawsuit can now proceed and more than 1 million plan members are a step closer to obtaining damages. In June 2014, hackers gained access to CareFirst systems, which contained the data of around 1.1 million plan members; however, the intrusion was not detected for several months. In response to major data breaches at Anthem Inc., Premera, Excellus, and Community Health Systems, CareFirst conducted a review of its systems which reviewed there had been unauthorized access to one of its databases.

CareFirst announced the data breach in May 2015 and explained that a single database was compromised that stored data that members and other individuals enter to access CareFirst’s websites and online services. The compromised data included names, birth dates, email addresses, and subscriber ID numbers, but no highly sensitive information such as Social Security numbers, financial information, or health information.

A lawsuit – Chantal Attias, et al. vs. CareFirst  – was filed in the U.S. District Court for the District of Columbia shortly after the notification letters were mailed that alleged injuries had been suffered as a result of the breach. The lawsuit, which named seven policyholders as plaintiffs, alleged breach of contract and violations of the Consumer Protection Acts in Maryland and Virginia. The lawsuit was dismissed in 2016 due to a lack of standing, as the plaintiffs failed to allege a concrete, identifiable injury had been sustained as a result of the breach. The ruling was appealed, and the District Court’s ruling was overturned. In 2018, the Supreme Court declined a review of the case, which was referred back to the District Court, then followed several years of back-and-forth litigation. In 2022, the plaintiffs moved to certify three classes, one for each cause of action; however, in March 2023, District Court Judge Christopher Cooper denied the plaintiffs’ motion to certify two consumer classes and one contract class without prejudice, allowing the plaintiffs to file a renewed and modified motion which they did.

In late 2023, CareFirst’s motion for summary judgment was partially granted, and the claims under the consumer protection statutes in Maryland and Virginia were dismissed. The court found that the plaintiffs could not show there had been any identity theft, and under Washington D.C. law, mitigation expenses incurred to abate the risk of future fraud do not qualify as actual damages, therefore the plaintiffs would only be able to recover nominal damages.

On March 29, 2023, after careful consideration and a hearing on the matter, Judge Cooper found that certification of a contract class was warranted. “The standing issue that prevented the Court from certifying the last go around has since dissolved because, as all sides agree, each member of the proposed class has allegedly suffered a concrete injury based on CareFirst’s supposed breach of its contractual obligation to safeguard its customers’ data—regardless of whether they sustained an additional, tangible injury due to the data breach,” wrote Judge Cooper in his ruling.

The contract class consists of all individuals in the District of Columbia, Maryland, or Virginia who purchased or possessed health insurance from CareFirst, had their sensitive data exposed in the data breach, and were notified about that breach by CareFirst in May 2015.

The post Contract Class Certified in CareFirst Data Breach Lawsuit 9 Years After Legal Action was Initiated appeared first on HIPAA Journal.