HIPAA Breach News

Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000

The New York Attorney General has agreed to settle alleged violations of New York’s data security and consumer protection laws with Healthplex, one of New York’s largest providers of dental insurance. Healthplex has agreed to pay a penalty of $400,000 to resolve the investigation with no admission of wrongdoing.

Attorney General Letitia James launched an investigation of Healthplex after being notified about a breach of the personal and protected health information of 89,955 individuals, including 62,922 New York residents, to determine whether Healthplex had complied with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and New York’s data security and consumer protection laws.

The data breach occurred on or around November 24, 2021, and was the result of an employee responding to a phishing email and disclosing her account credentials. The account contained more than 12 years of emails, some of which included customer enrolment information. Credentials alone should not be sufficient to gain access to email accounts; however, Healthplex had not implemented multi-factor authentication on its recently deployed Office 365 web interface.

The unauthorized individual used the account to send further phishing emails internally, and it was the reporting of those emails by employees that identified the attack. The attacker had access to the account for a period of almost 6 hours before access was terminated; however, during that time, the attacker could access emails dating from May 7, 2009, to November 24, 2022. The emails contained member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, driver’s license numbers, usernames and passwords for the member portal, email addresses, phone numbers, dates of service, provider names, billing information, procedure codes, diagnosis codes, prescription drug names, and plan affiliations. While unauthorized access was confirmed, insufficient logging capabilities meant it was not possible to determine which emails had been accessed or copied.

The affected individuals were notified in April and Healthplex took steps to improve security, including extending multifactor authentication to the Office 365 web interface, implementing a 90-day email retention policy, enhancing its logging capabilities, and providing further training on phishing detection and avoidance to the workforce. The investigation determined that the measures implemented by Healthplex prior to the phishing attack did not meet the standards required by New York’s data security and consumer protection laws with respect to data retention, logging, and multifactor authentication, and its data security assessments failed to identify the risk from storing years of data in email accounts when there was no business purpose for retaining that information.

In addition to paying a financial penalty, Healthplex has agreed to maintain a comprehensive information security program, encrypt personal data, implement an email retention schedule for employee email accounts, enforce the use of complex passwords, and conduct penetration tests to identify vulnerabilities. “Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” said Attorney General James. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”

The post Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000 appeared first on HIPAA Journal.

Michigan Increases Penalties for Violence Against Healthcare Workers

In the absence of federal legislation to protect healthcare workers, Michigan has introduced a new law that expands the definition of protected workers to include healthcare workers and has increased the financial penalties in an attempt to curb the growing problem of workplace violence.

Workplace Violence in Healthcare Continues to Increase

The number of reported instances of nonfatal workplace violence has been increasing year-over-year, especially in healthcare. According to data from the Bureau of Labor Statistics (BLS), workplace violence incidents that required workers to take time off work were five times higher in privately operated healthcare and social assistance establishments than in private industry overall. Since the BLS started tracking workplace violence incidents in 2011, cases have continued to increase almost every year. These incidents can result in serious injuries or worse. On average, between 2016 and 2020, BLS data show an average of 44 homicides of private healthcare workers every year.

There have been repeated calls from industry associations for federal protections to help tackle the problem. In 2022, Sen. Tammy Baldwin (D-WI) introduced the Workplace Violence Prevention for Health Care and Social Service Workers Act, which called for OSHA to create violence prevention measure requirements for healthcare and social services workplaces. The legislation failed to advance and was reintroduced in April this year. In September 2023, Sens. Joe Manchin (D-WV) and Marco Rubio (R-FL) introduced the Safety from Violence in Healthcare Act, which sought to make assaults on healthcare staff a federal crime. The Act also calls for penalties to be increased for assaults that result in bodily injury; however, the legislation has failed to advance in Congress.

In March 2023, the Occupational Safety and Health Administration (OSHA) announced that it is in the process of developing an enforceable Prevention of Workplace Violence in Healthcare and Social Assistance standard in an attempt to address this growing problem.

New Michigan Law Doubles Penalties to Deter Workplace Violence

In the absence of federal protections, many states have introduced their own laws in an attempt to deter violence against healthcare workers. Almost 40 states have now passed legislation to increase penalties for violence against healthcare workers, with Michigan the latest state to do so.

Michigan already had laws in place concerning violence against protected workers, which include police officers, firefighters, and EMS personnel. In response to the rise in bullying, violence, and the viciousness of attacks on healthcare workers, the classification has been extended to include healthcare professionals and medical volunteers. Any assault on a protected worker could result in a felony charge, and while the potential jail time has remained unchanged, the financial penalties have doubled. Medical facilities in the state must now post signs in areas visible to the public that warn of the increased fines.

The new law (House Bill 4520-21) was led by Rep. Mike Mueller (R-MI) and was signed into law on December 6, 2023. “This new law is a step toward providing a secure working environment for hospital personnel, discouraging acts of violence, and ensuring that anyone who targets them with violence is held responsible,” said Rep. Mueller. “I am proud to see this bipartisan plan come to fruition after working on it for more than a year.”

Norton Healthcare Data Breach: Second Class Action Lawsuit Filed

Second Class Action Lawsuit Filed Over Norton Healthcare Data Breach

A second class action lawsuit has been filed against Norton Healthcare in response to its May 2023 ransomware attack in which the protected health information of up to 2.5 million patients was exposed and potentially stolen.

The first lawsuit was filed in the summer on behalf of plaintiff Lanisha Malone in U.S. District Court after her personal information was misused. She was contacted by her bank to inform her about a suspicious $1,5000 charge to her account which had been blocked. The lawsuit alleged the Louisville, KY-based health system had failed to implement appropriate security measures to safeguard the sensitive data of patients and that Norton Healthcare had failed to issue timely notification letters to allow the affected patients to take steps to protect themselves against identity theft and fraud.

Norton Healthcare announced in May 2023 that an investigation had been launched into a cyberattack; however, at the time the extent of the breach had yet to be established and it was unclear how many individuals had been affected and it was therefore not possible to issue individual notification letters. Norton Healthcare provided an update on the attack in December and confirmed that the cyberattack involved ransomware and that the ransom was not paid. Notification letters started to be mailed on December 8, 2023.

On December 14, 2023, a second class action lawsuit was filed against Norton Healthcare over the ransomware attack on behalf of Margaret Garrett of Crestwood, KY, and similarly situated individuals. The latest lawsuit alleges Norton Healthcare violated the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately protect patient information and also takes issue with the alleged lack of transparency about the ransomware attack and data breach. Norton Healthcare has now confirmed the types of data potentially compromised in the attack but has been unable to say exactly how many individuals were affected or the specific types of data that were compromised in the attack.

The lawsuit claims that the sensitive data of patients and employees is now in the hands of cybercriminals and could be used for identity theft and fraud and that now that sensitive data has been sold or posted in public forums, patients and employees could be contacted directly by the ALPHV/BlackCat ransomware group and threatened with further exposure of their sensitive data, especially patients with sexually transmitted diseases or terminal illnesses. Recently, a cyberattack on the Fred Hutchinson Cancer Center has resulted in patients being extorted directly by hackers after the decision was taken by Fred Hutchinson Cancer Center not to pay the ransom.

The lawsuit – Garrett v. Norton Healthcare Inc. – was filed in U.S. District Court for the Western District of Kentucky and seeks class action status, a jury trial, damages, and legal fees. The plaintiff and class are represented by Andrew W. Ferich and Carlynne A. Wagner of Ahdoot & Wolfson, PC, and John C. Whitfield of Whitfield Coleman Montoya, PLLC.

Norton Healthcare said it takes the privacy and security of patient and employee data very seriously and plans to vigorously defend itself in any litigation over the ransomware attack and data breach.

December 11, 2023: Norton Healthcare Notifies 2.5 Million Individuals About May 2023 Ransomware Attack

The Kentucky-based health system, Norton Healthcare, has recently confirmed that the personal and protected health information of patients and employees was exposed, and potentially stolen, in a May 2023 ransomware attack. According to the breach report submitted to the Maine Attorney General, the Norton Healthcare data breach has affected up to 2.5 million individuals.

Norton Healthcare operates eight hospitals in Kentucky and Indiana. On May 9, 2023, suspicious activity was identified within its network and it was later determined that ransomware had been used. Immediate action was taken to secure its network and a forensic investigation was conducted to determine the extent of the breach. The investigation confirmed that an unauthorized third party had access to its network between May 7, 2023, and May 9, 2023, including network storage devices that contained sensitive patient and employee data. Norton Healthcare’s medical record system and Norton MyChart were not accessed and remained secure.

Throughout the investigation, Norton Healthcare provided updates on its website, with the first announcement made on May 11, 2023. Norton Healthcare previously confirmed that it was able to recover the affected files from backups, and started to do so on May 10, 2023; however, the investigation and file review have taken several months. Those processes have now concluded and notification letters started to be sent to the affected individuals on December 8, 2023.

The Norton Healthcare data breach was reported to the HHS’ Office for Civil Rights on July 7, 2023, to meet the breach reporting requirements of the HIPAA Breach Notification Rule, but an interim figure of 501 individuals was provided as it had yet to be determined how many individuals had been affected. In mid-November, Norton Healthcare determined that “based on the data available to it, and out of an abundance of caution,” the most efficient approach was to notify all current (as of May 10, 2023) and former patients, employees, employee dependents and beneficiaries about the ransomware attack. If a notification letter is received it does not necessarily mean that personal and protected health information has been stolen, only that sensitive information may have been exposed.

The types of data involved may have included names in combination with one or more of the following: contact information, Social Security Number, date of birth, health information, insurance information, and medical identification number, and for certain individuals, driver’s license number, other government ID numbers, financial account numbers, and digital signatures. Norton Healthcare said it has enhanced its security safeguards since the attack and has not found any additional indicators of compromise as its networks were restored. As a precaution against misuse of data, Norton Healthcare has arranged for the affected individuals to be provided with complimentary credit monitoring and identity theft protection services for up to 24 months.

Norton Healthcare did not confirm the name of the ransomware group behind the attack, but the BlackCat ransomware group claimed responsibility. Norton Healthcare is facing legal action over the attack, with one lawsuit alleging Norton Healthcare failed to implement appropriate safeguards to prevent attacks and did not issue timely notifications to the affected individuals.

Ransomware Attacks Reported by Foursquare Healthcare and Hi-School Pharmacy

Foursquare Healthcare Ltd, a Rockwall, TX-based operator of short-term rehabilitation, skilled nursing, and long-term nursing care facilities has recently confirmed it experienced a ransomware attack in September. The ransomware attack was detected on September 27, 2023, and the forensic investigation confirmed the attackers accessed its network between September 27, 2023, and September 29, 2023, and acquired certain files that contained employee and patient information. The information in the files varied from individual to individual and included names along with one or more of the following: address, billing information, Social Security number, banking information, and clinical information regarding care received at its clinics.

The attack did not cause any material disruption to Foursquare care or services and no evidence has been found to indicate that any of the stolen data has been misused for identity theft or fraud. Foursquare said it has received assurances that all of the stolen data has been deleted. That usually, but not always, means the ransom was paid. Foursquare said it believes the incident has been contained and it will continue to monitor its systems for unauthorized activity.

The breach has recently been reported to the HHS’ Office for Civil Rights as involving the protected health information of 10,890 patients. Foursquare has offered the affected individuals two years of complimentary credit monitoring and identity theft protection services and while assurances were provided that the stolen data has been deleted, Foursquare encourages the affected patients and employees to be vigilant against identity theft and fraud.

Hi-School Pharmacy Suffers Ransomware Attack

The Vancouver, WA-based drug store chain, Hi-School Pharmacy, has recently notified the Maine Attorney General about a data breach that has affected 17,676 individuals. On November 3, 2023, Hi-School Pharmacy experienced a cyberattack that caused network disruption. The forensic investigation confirmed on November 21, 2023, that the attackers had access to parts of the network that contained protected health information including names and Social Security numbers. Notification letters were sent to the affected individuals on November 5, 2023. Credit monitoring and identity theft protection services have been offered to the affected individuals.

9 Prime Healthcare Hospitals Affected by MOVEit Data Breach

Ontario, CA-based Prime Healthcare has been affected by a data breach at its revenue cycle management vendor, CBIZ KA. The vendor used Progress Software’s MOVEit Transfer solution, in which a zero-day vulnerability was exploited by the Clop hacking group in late May 2023. Prime Healthcare received a copy of the stolen files from CBIZ KA on September 20, 2023, and has confirmed that they contained names in combination with one or more of the following: date of birth, address, medical record number, Social Security Number, admission date, and discharge date.

Prime Healthcare operates 45 hospitals, although only 9 were affected: Saint Clare’s Hospital, Saint Michael’s Medical Center, and St. Mary’s General Hospital in New Jersey, Roxborough Memorial Hospital, Lower Bucks Hospital, and Suburban Community Hospital in Pennsylvania, Garden City Hospital and Lake Huron Medical Center in Michigan, and Landmark Medical Center in Rhode Island. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity protection services.

PHI Compromised in Cyberattack on Sierra County, CA

Sierra County in California experienced a “sophisticated cyberattack” on or around February 21, 2023. Sierra County detected the breach on March 5, 2023, secured its systems to prevent further unauthorized access, and engaged third-party cybersecurity experts to investigate the breach. The investigation revealed the attackers had access to parts of the network that contained information such as names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, driver’s license or government ID numbers, medical/prescription or health insurance related information, drug or alcohol screening results, credit or debit card numbers, biometric data, or financial account/routing numbers. No evidence has been found that indicates actual or attempted misuse of the impacted data. The Department of Public Health and Department of Behavioral Health confirmed that the protected health information of 2,463 individuals was exposed and potentially stolen in the attack.

Email Account Breach Reported by Advarra, Inc.

Advarra, Inc., a Columbia, MD-based provider of integrated research compliance solutions, has discovered unauthorized access to an employee email account. The email account breach was detected on October 26, 2023, and the account was immediately disabled. The forensic investigation confirmed that the breach was limited to a single account, with the unauthorized access commencing on October 25, 2023. The attacker copied information from the account that included names and Social Security numbers. The breach was recently reported to the Maine Attorney General as affecting 1,782 individuals. No evidence of misuse of the stolen data has been identified; however, as a precaution, affected individuals have been offered complimentary credit monitoring services for 24 months and those individuals are being encouraged to take advantage of those services.

OCR Imposes First HIPAA Penalty for a Phishing Attack

The HHS’ Office for Civil Rights (OCR) has agreed to settle a landmark cyber investigation and has imposed its first financial penalty under the Health Insurance Portability and Accountability Act (HIPAA) for a phishing attack. Lafourche Medical Group, a Louisiana-based medical group specializing in emergency medicine, occupational medicine, and laboratory testing, reported a data breach to OCR on May 28, 2021, involving the protected health information (PHI) of up to 34,862 individuals.

According to the breach notification, a hacker gained access to the email account of one of its owners on March 30, 2021, following a response to a phishing email that spoofed one of the medical group’s owners. The threat actor gained access to the Microsoft 365 environment, which contained patient data. Lafourche Medical Group said that because of the size of the email system, it was not possible to determine all patient information that had been exposed so notification letters were mailed to all patients. The exposed data included names, addresses, dates of birth, dates of service, e-mail addresses, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating practitioner names, and lab test results.

OCR launched an investigation into the incident to determine whether a failure to comply with the HIPAA Rules led to or contributed to the security breach. OCR’s investigators discovered Lafourche Medical Group had not conducted a security risk analysis prior to the phishing attack. The HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information. OCR also determined that Lafourche Medical Group had not implemented procedures to regularly review records of information system activity prior to the phishing attack. This is also a required implementation specification of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(D).
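Both the Healthplex and Lafourche cases above turn on the same missing control: a regular review of information system activity that could have shown a credential-phishing sign-in, scoped what the intruder touched, and revealed how much stale mail was exposed. The script below is an added example, not code from HIPAA Journal, Healthplex, or Lafourche Medical Group; it runs that kind of review over constructed sign-in and mailbox audit events. The event schema, field names (`op`, `mfa`, `item`, `sent`, `to`), thresholds, IP addresses and timestamps are all assumptions and do not reflect any vendor's log format or either organization's actual records.

```python
"""Activity review over mailbox audit events (added example; constructed data).

Findings surfaced per session:
  - signin_without_mfa      : the sign-in that opened the session had no MFA
  - internal_mail_burst     : >= BURST_SENDS sends inside BURST_WINDOW
  - read_beyond_retention   : items read that a 90-day retention policy
                              would already have removed
Each finding also lists exactly which items were read, which is the
question insufficient logging left unanswered in the Healthplex case.
"""
from datetime import date, datetime, timedelta

RETENTION = timedelta(days=90)        # the email retention window the settlement describes
BURST_WINDOW = timedelta(minutes=10)  # assumed threshold for an internal phishing burst
BURST_SENDS = 5

# Constructed events; 198.51.100.x and 203.0.113.x are documentation address ranges.
EVENTS = [
    {"ts": "2021-11-24T13:02:10", "user": "jdoe", "ip": "198.51.100.4", "op": "SignIn", "mfa": True},
    {"ts": "2021-11-24T13:30:00", "user": "jdoe", "ip": "198.51.100.4", "op": "MailRead", "item": "m-1", "sent": "2021-11-23"},
    {"ts": "2021-11-24T15:02:10", "user": "jdoe", "ip": "203.0.113.7", "op": "SignIn", "mfa": False},
    {"ts": "2021-11-24T15:05:44", "user": "jdoe", "ip": "203.0.113.7", "op": "MailRead", "item": "m-2", "sent": "2009-05-07"},
    {"ts": "2021-11-24T15:06:01", "user": "jdoe", "ip": "203.0.113.7", "op": "MailRead", "item": "m-3", "sent": "2015-02-11"},
    {"ts": "2021-11-24T17:20:30", "user": "jdoe", "ip": "203.0.113.7", "op": "MailRead", "item": "m-4", "sent": "2021-10-30"},
    {"ts": "2021-11-24T20:40:00", "user": "jdoe", "ip": "203.0.113.7", "op": "MailSend", "to": 40},
    {"ts": "2021-11-24T20:41:00", "user": "jdoe", "ip": "203.0.113.7", "op": "MailSend", "to": 40},
    {"ts": "2021-11-24T20:42:00", "user": "jdoe", "ip": "203.0.113.7", "op": "MailSend", "to": 40},
    {"ts": "2021-11-24T20:43:00", "user": "jdoe", "ip": "203.0.113.7", "op": "MailSend", "to": 40},
    {"ts": "2021-11-24T20:44:00", "user": "jdoe", "ip": "203.0.113.7", "op": "MailSend", "to": 40},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def build_sessions(events):
    """Group events into sessions keyed by (user, source IP); every SignIn opens a new one."""
    sessions, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if ev["op"] == "SignIn" or key not in open_by_key:
            sess = {"user": ev["user"], "ip": ev["ip"], "mfa": ev.get("mfa"),
                    "start": _t(ev["ts"]), "end": _t(ev["ts"]), "reads": [], "sends": []}
            sessions.append(sess)
            open_by_key[key] = sess
        sess = open_by_key[key]
        sess["end"] = _t(ev["ts"])
        if ev["op"] == "MailRead":
            sess["reads"].append(ev)
        elif ev["op"] == "MailSend":
            sess["sends"].append(ev)
    return sessions


def assess(sess):
    """Return the findings an activity review should surface for one session."""
    flags = []
    if sess["mfa"] is False:
        flags.append("signin_without_mfa")
    sends = [_t(e["ts"]) for e in sess["sends"]]
    # Sliding window: BURST_SENDS consecutive sends inside BURST_WINDOW.
    for i in range(len(sends) - BURST_SENDS + 1):
        if sends[i + BURST_SENDS - 1] - sends[i] <= BURST_WINDOW:
            flags.append("internal_mail_burst")
            break
    cutoff = sess["start"].date() - RETENTION
    stale = [e["item"] for e in sess["reads"] if date.fromisoformat(e["sent"]) < cutoff]
    if stale:
        flags.append("read_beyond_retention")
    return {
        "user": sess["user"],
        "ip": sess["ip"],
        "duration_h": round((sess["end"] - sess["start"]).total_seconds() / 3600, 2),
        "items_read": sorted(e["item"] for e in sess["reads"]),
        "items_beyond_retention": sorted(stale),
        "flags": flags,
    }


def review(events):
    """Run the review over every session and keep only those with findings."""
    return [a for a in (assess(s) for s in build_sessions(events)) if a["flags"]]


if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```

Run as-is, the review reports one session: the MFA-less sign-in from 203.0.113.7 that lasted about 5.7 hours, read three items (two of them older than the 90-day window) and then sent five internal messages within four minutes. The retention check is the point the investigation made: under a 90-day policy, items `m-2` and `m-3` would not have been in the mailbox to read at all.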

Lafourche Medical Group agreed to settle the investigation with no admission of liability or wrongdoing. In addition to paying a sizeable financial penalty, Lafourche Medical Group has agreed to implement a robust corrective action plan (CAP) which includes establishing and implementing security measures to reduce security risks and vulnerabilities to ePHI, developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules, and providing HIPAA training to all staff members who have access to PHI. OCR will also monitor Lafourche Medical Group for two years to ensure compliance with the HIPAA Rules.

“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”

This is the 12th HIPAA violation penalty imposed by OCR in 2023 and the second-largest of the year. So far this year, OCR has imposed HIPAA penalties totaling $4,016,500.

CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General

In late September 2023, Indiana Attorney General Todd Rokita filed a lawsuit against CarePointe ENT over a ransomware attack and data breach that affected 48,742 individuals. A settlement has been reached that will see CarePointe pay $125,000 to resolve alleged violations of the Health Insurance Portability and Accountability (HIPAA) Act and state data privacy and security laws.

CarePointe ENT operates three ear, nose, throat, sinus, and hearing centers in Merrillville, Munster & Hobart in Northwest Indiana. On June 25, 2021, CarePointe ENT experienced a ransomware attack which resulted in files being encrypted and data being exfiltrated. The stolen data included names, addresses, dates of birth, Social Security numbers, medical insurance information, and health information. Affected individuals were notified about the data breach in August 2021.

AG Rokita launched an investigation into the attack to determine if CarePointe ENT had complied with its obligations under HIPAA and state laws. Despite claiming that it was committed to safeguarding patient information, CarePointe ENT was determined to have failed to implement appropriate security policies, conduct appropriate risk analyses, and address known security risks in a reasonable amount of time.

CarePointe ENT hired a third-party IT vendor that conducted a HIPAA risk analysis and identified security concerns in January 2021. The vendor was hired in March to address the identified vulnerabilities, but they were not fixed in a reasonable time frame. In June 2021, some of the unaddressed vulnerabilities were exploited in a ransomware attack. In addition to the failure to address known security issues, CarePointe ENT failed to enter into a business associate agreement with the vendor, even though the vendor was provided with access to systems containing protected health information.

AG Rokita’s lawsuit alleged one count of a failure to comply with the HIPAA Privacy Rule, one count of failing to comply with the HIPAA Security Rule, one count of failing to comply with the Indiana Disclosure of Security Breach Act (DSBA), and one count of failing to comply with the Indiana Deceptive Consumer Sales Act (DCSA). CarePointe ENT chose to settle the alleged violations of HIPAA and state laws with no admission of wrongdoing. Under the terms of the settlement, a financial penalty of $125,000 will be paid to the state and CarePointe ENT has agreed to ensure full compliance with the HIPAA Privacy and Security Rules and the DCSA and DSBA with respect to the safeguarding of personal information (PI), protected health information (PHI), and electronic protected health information (ePHI). CarePointe ENT has also agreed not to make misrepresentations about the extent to which it ensures the privacy, security, confidentiality, and integrity of PI, PHI, and ePHI.

The settlement agreement includes a comprehensive list of privacy and security measures. These include implementing a comprehensive information security program, appointing a HIPAA Security Officer to oversee that program, implementing technical safeguards and controls to ensure the privacy and security of patient data, developing an incident response plan and testing that plan through table-top exercises, developing policies and procedures regarding business associate agreements, and providing privacy and security training to all members of the workforce with access to PI, PHI, or ePHI.

Proliance Surgeons Sued Over Ransomware Attack and Data Breach

A class action lawsuit has been filed against Proliance Surgeons, a Seattle, Washington-based surgery group over a recently disclosed ransomware attack and data breach that has affected almost 437,400 individuals.

The group operates around 100 surgery centers in the state and treats more than 800,000 patients each year. On May 24, 2023, a third-party forensic investigation into a cyberattack confirmed that hackers had access to files containing patient data and that they had removed “a limited number of files” from its network on February 11, 2023. The data compromised in the attack included names, contact information, Social Security numbers, financial information, treatment information, driver’s license numbers, and usernames and passwords. Notifications were issued on November 21, 2023.

A lawsuit has been filed in federal court in Seattle by plaintiff and former patient, Alicia Berend, and similarly situated individuals whose sensitive information was compromised in the cyberattack. The lawsuit alleges Proliance Surgeons failed to adequately protect patient data as required by federal and state law and in accordance with its internal security policies, and that the data security failures constituted a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit also references an earlier security breach where unauthorized individuals had access to its online payment system for seven months between November 2019 and June 2020, allowing access to be gained to names, zip codes, and payment card information. Following that incident Proliance Surgeons said it would be enhancing its security measures to prevent similar incidents in the future. The earlier security breach is not shown on the HHS’ Office for Civil Rights (OCR) website, which indicates either the breach was not reported to OCR, that Proliance Surgeons determined protected health information had not been compromised, or the breach affected fewer than 500 individuals. The lawsuit claims that two major security breaches in a little over 3 years demonstrates a pattern of negligence with respect to data security.

The lawsuit also takes issue with the length of time taken to discover that patient data was involved, which occurred 102 days after the security breach was detected, and Proliance Surgeons then failed to issue notification letters to the affected individuals until November 21, 2023 – 283 days after the data breach occurred. The lawsuit claims that the plaintiff and class were kept in the dark about the breach, thus depriving them of the opportunity to mitigate their injuries in a timely manner.

The lawsuit claims the plaintiff and class have suffered widespread injury and monetary damages, and that the plaintiff has already suffered from identity theft and fraud. She has received emails indicating someone has used her identity for various out-of-state activities, including inquiries into properties in Florida, and has also received an increased number of spam messages and phone calls and now fears for her personal and financial security. The plaintiff claims that she has suffered anxiety, sleep disruption, stress, fear, and frustration and that these injuries go far beyond mere worry or inconvenience.

The lawsuit alleges negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and violations of the Washington Consumer Protection Act, Washington Data Breach Disclosure Law, and Washington Uniform Health Care Information Act (UHCIA). The lawsuit seeks class action certification, a jury trial, compensatory, exemplary, punitive, and statutory damages, and attorneys’ fees and legal costs.

The plaintiff and class are represented by Samuel J. Strauss of the law firm, Turke & Strauss LLP.