HIPAA Breach News

Almost 500,000 Individuals Affected by Designed Receivable Solutions Data Breach

The Cypress, CA-based revenue cycle management company Designed Receivable Solutions (DRS) has confirmed the details of a data breach that it reported to the HHS’ Office for Civil Rights on March 23, 2024, as involving the protected health information of 129,584 individuals, and to the Maine Attorney General as affecting 498,686 individuals.

On January 22, 2024, DRS identified suspicious activity within its network. Third-party cybersecurity specialists were engaged to investigate the incident and determine the cause of the activity. The investigation confirmed that an unauthorized actor accessed its systems and viewed and exfiltrated files. On March 8, 2024, after a time-consuming and detailed review of those files, DRS confirmed that they contained the personal and protected health information of current and former patients of its healthcare clients.

Following that determination, DRS has been working with the affected clients to review and verify the affected information and to obtain up-to-date contact information so that notification letters can be issued. DRS said the types of data involved varied from individual to individual and may have included names, addresses, dates of birth, health insurance information, dates of service, and Social Security numbers. DRS has reviewed its policies and procedures related to data privacy, is taking steps to reduce the risk of a similar incident in the future, and has offered the affected individuals complimentary credit monitoring services.

As OCR recently confirmed in a website Q&A regarding breach notification letters, HIPAA-covered entities are ultimately responsible for ensuring notification letters are sent to the affected individuals when there is a data breach at a business associate, but the covered entity may delegate the responsibility of providing individual notices to the business associate.

DRS is issuing notification letters on behalf of the following covered entity clients:

  • Air Methods
  • AMG Healthcare Management Services
  • CAN Emergency Physicians
  • Cedars-Sinai Medical Center
  • CHA Hollywood Presbyterian Medical Center, L.P.
  • Core Orthopaedics Medical Center
  • GEM Physicians Group
  • Marshall Medical Center
  • OptumCare Management, LLC
  • Redlands Community Hospital
  • Ridgecrest Regional Hospital
  • South Coast ER Medical Group
  • Southland Medical Corporation
  • Springhill Emergency Physicians
  • Sycamore Physicians, LLC
  • USC Arcadia Hospital (formerly Methodist Hospital of Southern California)
  • Valkyrie Clinical Trials, Inc.

The post Almost 500,000 Individuals Affected by Designed Receivable Solutions Data Breach appeared first on HIPAA Journal.

Patient Data Stolen from Livanova in October 2023 Ransomware Attack

The medical device manufacturer Livanova, the Massachusetts community behavioral health center Aspire Health Alliance, and Santa Rosa Behavioral Healthcare Hospital in California have experienced ransomware attacks that exposed patient data.

Livanova, London, UK

Livanova, a UK-headquartered medical device manufacturer specializing in cardiac surgery and neuromodulation devices, has suffered a ransomware attack that disrupted portions of its IT systems. The ransomware attack was discovered on November 19, 2023, and the forensic investigation confirmed that hackers gained access to its network on October 26, 2023. The LockBit ransomware group claimed responsibility for the attack.

Livanova announced in an SEC filing in November that it was dealing with a cyberattack; however, it was initially unclear to what extent patient data was involved. On April 10, 2024, Livanova confirmed that the personal and protected health information of U.S. patients had been exfiltrated from its systems in the attack. In an April 25, 2024, announcement, Livanova said the investigation is ongoing but that the information involved has been determined to include names, contact information, dates of birth, Social Security numbers, health insurance information, and medical information such as diagnoses, conditions, treatment information, prescription information, medical record numbers, device serial numbers, and physician names.

The affected individuals have been advised to monitor their credit reports and account statements and to be alert to unsolicited communications involving personal information. Livanova has arranged for complimentary identity protection and credit monitoring services to be provided to the affected U.S. patients. It is currently unclear how many individuals have been affected. In a February 2024 earnings call, the company confirmed that it had incurred costs of around $2.6 million in Q4 2023 as a result of the attack.

Aspire Health Alliance, Massachusetts

Aspire Health Alliance, a state-designated community behavioral health center with facilities in Quincy, Braintree, and Marshfield in Massachusetts, has notified 17,490 individuals about a cyberattack that was detected on September 13, 2023. Suspicious activity was identified within its computer network and a third-party forensic investigation confirmed that its systems had been accessed by an unauthorized third party that acquired certain files and data stored on its network.

A comprehensive review was conducted to determine the types of data involved, and that process was completed on February 26, 2024, when it was confirmed that personal and protected health information was involved. The types of data varied from individual to individual and may have included names, other personal identifiers, and Social Security numbers. While data was exposed or acquired, no reports have been received to indicate any patient data has been misused. Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers were impacted, and additional security measures have been implemented to reduce the risk of a similar incident occurring in the future.

Santa Rosa Behavioral Healthcare Hospital, California

Santa Rosa Behavioral Healthcare Hospital, part of the Northern California Behavioral Health System (NCBHS), has fallen victim to a cyberattack that disrupted some of its IT systems. The attack was detected on January 28, 2024, and a third-party forensic investigation confirmed that an unauthorized third party accessed its network between January 27, 2024, and January 28, 2024. During that time, files containing patient data were accessed or acquired.

The file review confirmed that the following types of information had been exposed or stolen: names, dates of birth, medical record numbers, services received, dates of services, treating physician, and for some patients, Social Security numbers and/or driver’s license numbers. Affected patients have been advised to monitor the statements they receive from their healthcare providers and health insurers and report any services they haven’t received. Individuals whose Social Security or driver’s license numbers were involved have been offered complimentary identity theft protection services. The incident has been reported to regulators but is not yet shown on the Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


Email Breach at Wisconsin Dental Surgery Center Affects 13,000 Patients

Bay Oral Surgery & Implant Center (Bay Oral), a network of oral & maxillofacial dental surgery centers serving the Green Bay, Marinette, and Niagara communities in Wisconsin, has recently reported a data breach to the HHS’ Office for Civil Rights (OCR) that involved the protected health information of 13,055 patients.

On February 27, 2024, Bay Oral identified suspicious activity in an employee’s email account. The password for the account was immediately changed to prevent further unauthorized access and a third-party cybersecurity firm was engaged to investigate the incident. The forensic investigation confirmed that an unauthorized individual had installed software and gained access to an employee’s email account on January 18, 2024.

The review of the emails and attachments confirmed that patients’ protected health information had been exposed. The types of information involved included names, addresses, email addresses, dates of birth, Social Security numbers, insurance card numbers, credit card numbers, banking account information, x-rays, patient health history forms, patient visit summaries, medical history questionnaires, and other types of patient health information that had been shared via email. The investigation could not determine if the unauthorized individual viewed or copied emails or attachments in the account.

In addition to immediately securing the email account, Bay Oral has taken several other steps to prevent similar incidents in the future. They include changing IT companies, implementing a 24/7 protection and monitoring solution, and implementing new policies and procedures to ensure that patients’ protected health information is not stored in email accounts.

Bay Oral said it is unaware of any reports of fraud or identity theft at the time of issuing notifications. The affected patients have been advised to be vigilant for incidents of fraud and identity theft by regularly reviewing their credit reports, credit statements, bank accounts, and other financial accounts for unauthorized activity.


Health Data Analytics Firm Reports 1.1-Million Record MSP Data Breach

A Portland, ME-based accounting and consulting firm has recently reported a data breach to the Maine Attorney General that involved the personal information of 1,107,354 individuals. Berry, Dunn, McNeil & Parker, LLC (BerryDunn) provides health data analytics services to healthcare providers, health insurers, and government regulatory and healthcare policy agencies and its clients provide BerryDunn with personal and health data to allow the firm to perform its contracted services.

BerryDunn’s Health Analytics Practice Group (HAPG) contracted with a managed service provider (MSP) called Reliable Networks of Maine, LLC (RMN), which manages systems on behalf of HAPG. On September 14, 2023, RMN notified HAPG that it had identified suspicious activity on its network, including in the systems it manages for HAPG. BerryDunn immediately initiated its incident response protocols and brought in third-party cybersecurity experts to investigate to determine the extent to which client data was involved.

The investigation confirmed that a threat actor gained access to the RMN network and used the vendor’s privileged access to steal data from the HAPG systems the MSP managed. A vendor was engaged to conduct a review of the affected files, and that process was completed on April 2, 2024. The information exposed or stolen in the incident included names, addresses, dates of birth, Social Security numbers, health insurance policy numbers, Medicare or Medicaid numbers, state or governmental ID numbers, passport numbers, and medical information. Notification letters were mailed to the affected individuals on April 25, 2024, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. Those services include a $1 million identity theft reimbursement policy.

It is unclear how many of BerryDunn’s clients have been affected. BerryDunn has confirmed that it has decommissioned all systems under the control of RMN, migrated all HAPG data to secure internal BerryDunn servers, and said those servers are continuously monitored for unauthorized access under its cybersecurity program.


Bipartisan Coalition of Attorneys General Call for UHG to Take Decisive Action to Help Providers and Patients

A bipartisan coalition of 22 state attorneys general sent a letter to UnitedHealth Group CEO Andrew Witty to express their concern about the response to the February 21, 2024, ransomware attack on Change Healthcare and the continuing problems faced by providers, pharmacies, and patients.

Providers and pharmacies in their various jurisdictions have reported catastrophic disruptions due to the extended outage and limited restoration of Change Healthcare’s services, and wholly inadequate responses from Change Healthcare and its payor partners. Many providers and pharmacies have said they are in jeopardy of collapse, with patients experiencing disruption to care due to delays in receiving vital prescription medications. In some cases, patients have been denied access to medications due to providers’ inability to conduct eligibility checks.

In the weeks following the attack, the Attorneys General have received increasingly dire messages from healthcare facilities, care providers, and patients due to the prolonged disruption to Change Healthcare’s services. The outage has caused problems with prescription drug access, there are catastrophic billing and payment backlogs, and other problems stemming from the continued lack of access to Change Healthcare’s services.

“Facilities that use Change Healthcare as their backbone to track services and claims have been unable to timely complete prior authorizations, confirm benefits, document and submit claims, and in some instances have even lost access to basic care IT infrastructure,” wrote the Attorneys General. “You must do more than you are currently to avoid imposing further harm to our states’ health care infrastructure and the patients who rely upon it.”

In addition to the lack of access to Change Healthcare’s systems, it has now been confirmed that there was a considerable data breach. UnitedHealth Group issued a statement confirming that personally identifiable and protected health information was compromised and that the data breach could affect “a substantial proportion of the U.S. population.” Further, “Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.”

The Attorneys General have been contacted by care providers and non-UHG facilities who said they are unable to reach Change Healthcare staff who can provide timely information about the data that has been breached, how they can obtain financial support that does not impose unreasonable conditions such as a waiver of liability, and how they can document and submit claims during the outage. While financial assistance has been provided, for many providers that have experienced financial difficulties due to the attack, the support offered has been “paltry”. Some independent providers have been quoted relief of as little as $10 per week.

In the letter, the Attorneys General outlined some of the specific actions that they believe need to be taken to help alleviate the harm caused by the outage. Those measures include enhancing and expanding financial assistance to all affected providers, ensuring that providers and practices owned by UHG or its subsidiaries are not offered more advantageous financial assistance than others, providing a dedicated helpline so that providers can resolve unanswered questions, ensuring that the claims backlog is expeditiously resolved, and issuing timely notifications to the practices and patients whose data has been compromised. The Attorneys General also asked to be provided with an independent analysis confirming that UHG’s and Change Healthcare’s systems have been secured and that the vulnerabilities that contributed to the cyberattack have been addressed.


Phishers Gain Access to 23 L.A. County Department of Health Services Email Accounts

Los Angeles County Department of Health Services’ employees were targeted in a recent phishing campaign, and almost 2,800 Catholic Medical Center patients have been affected by a data breach at one of its vendors.

Los Angeles County Department of Health Services Phishing Attack

The Los Angeles County Department of Health Services was recently targeted in a phishing campaign that saw 23 employees tricked into disclosing their email account credentials after clicking a hyperlink in an email that appeared to have been sent by a trusted sender. The email accounts were accessed by an unauthorized third party between February 19, 2024, and February 20, 2024.

The Department of Health Services said the attack was reported to law enforcement which recommended delaying notifying the affected individuals so as not to interfere with the investigation. Notification letters have now been mailed to the affected individuals who have been provided with information on the steps they can take in response to the breach. The types of data exposed varied from individual to individual and may have included one or more of the following: first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.

The Department of Health Services has sent awareness notifications to all members of the workforce reminding them to be vigilant when opening emails, has enhanced its training regarding identifying and responding to phishing emails, and has implemented further controls to minimize the risk of further successful attacks.

The breach has been reported to the HHS Office for Civil Rights but is not yet showing on the OCR breach portal, so it is currently unclear how many individuals have been affected.

Catholic Medical Center Patients Affected by Email Breach at Business Associate

Almost 2,800 patients of Catholic Medical Center (CMC) in New Hampshire have been affected by a data breach at one of its vendors, the accounts receivable management service provider Lamont Hanley & Associates. Lamont Hanley & Associates notified CMC on March 6, 2024, that there had been unauthorized access to an employee’s email account. The breach was detected on June 20, 2023, and it was determined that patient data may have been accessed or acquired by the unauthorized third party, although no specific evidence of data access or data theft was identified.

The account contained the protected health information of 2,792 CMC patients, including names, Social Security numbers, dates of birth, medical and claim information, health insurance information, individual identification information, and financial account information. Lamont Hanley & Associates is offering complimentary credit monitoring services to eligible individuals and has taken steps to improve security to prevent similar breaches in the future.


Kaiser Permanente Agrees to Pay Up to $47.5 Million to Settle Web Tracker Litigation

The Oakland, CA-based healthcare giant Kaiser Permanente has agreed to pay up to $47.5 million to settle class action litigation over its use of tracking technologies on its websites, patient portals, and mobile applications. This is one of the largest settlements to be agreed to resolve claims stemming from the use of tracking tools by a healthcare organization.

Kaiser disclosed the data breach last year following a voluntary internal investigation into its use of tracking technologies, which confirmed that up to 13.4 million individuals had potentially been affected – the second-largest healthcare data breach to be announced in 2024. Kaiser removed the tracking tools from its websites and mobile applications out of an abundance of caution and sent notifications to all potentially affected individuals. Kaiser also engaged experts and, based on their guidance, implemented additional safeguards to prevent similar privacy breaches in the future.

Website tracking technologies, such as pixels, are used extensively on websites to track user activity. They can provide website owners with valuable information on site usage, and that data can be used to improve the websites to benefit web visitors. Various studies have shown that these tools have been extensively used by healthcare organizations, with one study suggesting that 99% of hospitals in the United States had these tools on their websites. The problem with the use of these tools in healthcare is that they may transmit information protected under HIPAA – personally identifiable health information. In some cases, the data has been further disclosed and used to serve individuals with personalized ads based on the pages they visited on a healthcare website.

Since these data transfers are not expressly permitted by the HIPAA Privacy Rule, such disclosures are only permissible with the patient’s authorization or where a business associate agreement is in place with the third party that receives the data (and the disclosure is otherwise permitted by the HIPAA Privacy Rule). The HHS’ Office for Civil Rights issued guidance after learning that these tools were being used on healthcare providers’ websites, warning that the tools likely violate the HIPAA Rules. That guidance was challenged in court, and the challenge was partially successful: the tools may still be used on healthcare websites, but they must not be used on any authenticated pages, such as patient portals or other pages or mobile applications that require users to log in.

Several patients filed lawsuits against the Kaiser companies Kaiser Foundation Health Plan, Kaiser Foundation Hospitals, and Kaiser Foundation Health Plan of Washington, over the data breach. The lawsuits alleged that the plaintiffs’ and class members’ personal and protected health information had been disclosed to third parties without their knowledge or consent, including Adobe, Microsoft, Google, and X (Twitter).

The lawsuits asserted claims of negligence, common law invasion of privacy-intrusion upon seclusion, breach of implied contract, breach of express contract, and violations of many state laws, including the California Confidentiality of Medical Information Act, District of Columbia Consumer Protection Procedures Act, Maryland Wiretapping and Electronic Surveillance Act, Virginia Insurance Information and Privacy Protection Act, Washington Health Care Information Act, and many other state laws. Kaiser was also alleged to have violated the federal Electronic Communications Privacy Act. The lawsuits were consolidated into a single complaint in the United States District Court for the Northern District of California, San Francisco Division.

Kaiser denies the material allegations in the litigation and also denies that the plaintiffs and class members are entitled to any relief or that any damages have been suffered as a result of the data breach. While Kaiser has not identified any misuse of its members’ protected health information, nor determined that any of that information has been or will be at risk, after considering the likely cost of continuing with the litigation and the uncertainties associated with any trial and related appeals, the decision was taken to settle the litigation with no admission of liability or wrongdoing.

Under the terms of the settlement, Kaiser has agreed to pay $46 million to settle the litigation, with the settlement fund potentially being increased to no more than $47.5 million, should certain conditions be met. The settlement class consists of individuals who accessed authenticated Kaiser webpages (wa-member.kaiserpermanente.org, healthy.kaiserpermanente.org, or mydoctor.kaiserpermanente.org) or Kaiser mobile applications (Kaiser Permanente Washington App, Kaiser Permanente App, My Doctor Online (NCAL Only) App, My KP Meds App, or the KP Health Ally App) between November 2017 and May 2024. There are several subclasses for members residing in states such as California, Georgia, Maryland, Oregon, Washington, and the District of Columbia.

The settlement will cover attorneys’ fees (likely to be up to one-third of the settlement fund), attorneys’ expenses, settlement administration costs, and awards for the class representatives. The remainder of the settlement fund will be divided among the class members, with each settlement class member receiving an equal pro rata share. The settlement has received preliminary approval from the court. The deadline for submitting claims and the date of the final approval hearing have yet to be announced.

April 26, 2024: Kaiser Permanente Website Tracker Breach Affects 13.4 Million Individuals

Kaiser Foundation Health Plan Inc. is notifying 13.4 million individuals that some of their personal data has been disclosed to third parties such as Microsoft (Bing), Google, and X (Twitter) via tracking technologies on its websites and apps. This is the largest healthcare data breach to be reported so far in 2024 and the largest confirmed healthcare data breach to date involving website tracking technologies.

Kaiser said the tracking technologies were identified during a voluntary internal investigation and they have now been removed from its websites and mobile applications. Additional measures have been implemented to prevent similar occurrences in the future. Notifications are being sent to all individuals who have potentially been affected “out of an abundance of caution,” including current and former health plan members in all markets that Kaiser operates, and individuals who used its websites and mobile apps. Notifications are expected to be issued in May 2024.

The types of data potentially disclosed to tech companies included names, IP addresses, sign-in statuses, and information about how users navigated through the websites and apps. Other information was potentially disclosed based on individuals’ usage of the websites and apps, including search terms entered in its health encyclopedia, such as symptoms, drugs, injuries, and exercises. No highly sensitive information such as Social Security numbers, financial information, or usernames/passwords was disclosed. Kaiser said it is not aware of any misuse of the disclosed data; however, it is possible that individuals may have been served targeted ads based on their interactions on Kaiser’s websites and apps.

The privacy violation has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as a breach of the Health Insurance Portability and Accountability Act (HIPAA). In December 2022, OCR published guidance on HIPAA and tracking technologies and recently updated its guidance to clarify when these technologies can be used and how they can be made HIPAA-compliant. OCR and the Federal Trade Commission (FTC) have been cracking down on the use of these technologies and sent around 130 warning letters to hospitals and telehealth companies last year reminding them of their obligations under HIPAA and the FTC Act, and the FTC has settled five complaints – Easy Healthcare (Premom), GoodRx, BetterHelp, Monument, and Cerebral – that alleged violations of the FTC Act related to the use of these technologies without consumers’ consent. State attorneys general have also investigated privacy violations related to the use of tracking technologies, including the New York Attorney General, who settled alleged violations of HIPAA and state laws with New York Presbyterian Hospital over the use of these tools.


BianLian Threat Group Claims Responsibility for Cyberattack on Tennessee Eye Clinic Network

Politzer and Durocher, PLC, which does business as Optometric Physicians of Middle Tennessee (OPMT), has recently reported a hacking incident to the HHS Office for Civil Rights involving the personal and protected health information of 29,000 individuals. The Lebanon, TN-based eye clinic chain said it detected unauthorized access to its network on March 25, 2024. The attackers circumvented its security controls, accessed one of its servers, and exfiltrated files containing “a very limited amount of healthcare information.” The investigation indicated that other identifying information may also have been accessed. A forensic investigation is currently underway to determine the exact types of information involved, and notification letters will be mailed to the affected individuals when that process is completed. OPMT said, “Even though it is not specifically required by HIPAA, we will offer identity theft protection services to all affected individuals; we feel that this is an important precaution to protect our patients.”

The BianLian group has claimed responsibility for the attack. Like several other cybercriminal groups, BianLian has largely abandoned file encryption in favor of pure extortion: it steals data and demands payment to prevent its exposure or sale. BianLian has added OPMT to its leak site and claims to have exfiltrated 1.5TB of data in the attack, including financial information, HR data, biometric data, contracts and confidential agreements, SQL databases, and patients’ PII and PHI.

Moffitt Cancer Center Affected by Data Breach at Advarra

Moffitt Cancer Center has recently announced that it has been affected by a security breach at one of its vendors, Advarra. Advarra provided services to Moffitt Cancer Center related to the care and treatment of patients and a research study. On October 26, 2023, Advarra discovered suspicious activity in an employee’s user account. The forensic investigation confirmed it had been accessed by an unauthorized individual on October 25, 2023, who acquired a limited amount of data. On or around February 8, 2024, Advarra completed its file review and confirmed that the compromised data belonged to Moffitt Cancer Center.

Moffitt Cancer Center was notified about the breach by Advarra on February 21, 2024, and completed its review of the affected data on March 13, 2024. Moffitt Cancer Center has confirmed that its own systems were not accessed and that the information exposed was limited to names, dates of birth, and Social Security numbers. Advarra is notifying the affected individuals on behalf of Moffitt Cancer Center.

Advarra has recently reported the breach to the HHS’ Office for Civil Rights as affecting 596 individuals, and Moffitt Cancer Center has reported the breach to the Maine Attorney General as affecting 26,577 individuals. Advarra said it has implemented additional measures to further strengthen its internal file system and is offering the affected individuals complimentary identity theft monitoring through Kroll. Moffitt Cancer Center also recently announced that it was affected by a data breach at another vendor, the law firm Gunster, Yoakley, and Stewart.

Patient Data Stolen in Cyberattack on Somerset Dental Las Vegas

Somerset Dental Las Vegas in Nevada has notified 11,321 patients that some of their protected health information has been exposed. The security breach was detected on February 16, 2024, and a third-party forensic investigation confirmed that certain files were exfiltrated from its network in the attack. The stolen data varied from individual to individual and may have included names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, driver’s license numbers, health information, and dental insurance information. Somerset Dental Las Vegas said it is reviewing its security safeguards and will strengthen security. Complimentary identity protection and credit monitoring services have been offered to individuals whose Social Security numbers and/or driver’s license numbers were involved.

The post BianLian Threat Group Claims Responsibility for Cyberattack on Tennessee Eye Clinic Network appeared first on HIPAA Journal.

City of Hope Settles Class Action Data Breach Lawsuit

City of Hope, a Duarte, California-based non-profit clinical research and cancer treatment center, has agreed to settle a class action lawsuit stemming from a 2023 data breach that affected more than 827,000 individuals. Hackers had access to the City of Hope network between September 2023 and October 2023, and exfiltrated sensitive data.

Several class action lawsuits were filed over the data breach, as detailed in previous coverage by The HIPAA Journal below. The lawsuits had overlapping claims and were consolidated – In re City of Hope Data Security Breach Litigation – in the Superior Court of the State of California for the County of Los Angeles. The consolidated lawsuit asserted claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. City of Hope maintains there was no wrongdoing or liability. Following mediation, all parties reached an agreement in principle to settle the lawsuit to avoid the cost, time, risks, and uncertainty associated with continuing with the litigation. The terms of the settlement have now been agreed, and the settlement has received preliminary approval from the court.

City of Hope has agreed to establish an $8,500,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards, and benefits for the class members. Class members may claim up to $5,000 in reimbursement for documented, unreimbursed losses fairly traceable to the data breach, which may include up to four hours of lost time at $25 per hour. Alternatively, class members may submit a claim for a cash payment estimated to be $100. The cash payments may be increased or decreased pro rata depending on the remaining funds after attorneys’ fees, expenses, administration costs, service awards, reimbursement claims, and credit monitoring costs have been paid.

All class members who submit a claim for reimbursement of documented losses or the alternative cash payment will receive a code that can be used to enroll in a medical information and protection service from CyEx, which includes single-bureau credit monitoring and protection against medical fraud. Class members who resided in California at any point between September 19, 2023, and January 13, 2026, are entitled to claim an additional cash payment of $250, which may also be adjusted pro rata.

Individuals who wish to object to or be excluded from the settlement have until December 15, 2025, to do so, and all claims must be submitted by January 13, 2026. The final approval hearing has been scheduled for February 20, 2026.

April 25, 2024: Multiple Class Action Lawsuits Filed Against City of Hope National Medical Center Over Data Breach

Several class action lawsuits have been filed against City of Hope National Medical Center, a National Cancer Institute (NCI)-designated cancer treatment and research center, over a recently disclosed data breach that exposed the protected health information of more than 827,000 individuals.

City of Hope National Medical Center identified suspicious activity within its network on October 13, 2023, and the forensic investigation confirmed there had been unauthorized access by a third party between September 19, 2023, and October 12, 2023. During that time, files containing patient data were exfiltrated from its network. The exposed and stolen data included contact information, Social Security numbers, driver’s license numbers, financial information, health insurance information, medical records, medical histories, and diagnoses/conditions. City of Hope National Medical Center issued notification letters on April 2, 2024, and offered the affected individuals complimentary credit monitoring services.

Class action lawsuits started to be filed soon after notification letters were mailed. The lawsuits make similar claims: that City of Hope National Medical Center failed to implement reasonable and appropriate cybersecurity safeguards, did not follow industry best practices for cybersecurity, and that the cyberattack that exposed their sensitive data could have been prevented. The plaintiffs allege that City of Hope National Medical Center should have been aware that it was a likely target for cybercriminals due to the high value of healthcare data on the black market and numerous warnings from federal agencies about the high risk of cyberattacks on the sector. The plaintiffs also allege an unnecessary delay in issuing notifications – five months after the cyberattack was detected.

The plaintiffs allege that they have sustained injuries as a result of the data breach. They face an imminent and increased risk of identity theft and fraud since their sensitive data is now in the hands of cybercriminals, and they have had to spend, and will continue to need to spend, time and money protecting themselves from fraud, identity theft, and medical identity theft. At least 8 lawsuits have been filed to date in response to the data breach that make claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. The lawsuits seek class action certification, a jury trial, damages, and injunctive relief.
