HIPAA Breach News

March 2024 Healthcare Data Breach Report

Posted by Steve Alder

March was a particularly bad month for healthcare data breaches with 93 branches of 500 or more records reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), a 50% increase from February and a 41% year-over-year increase from March 2023. The last time more than 90 data breaches were reported in a single month was September 2020.

The reason for the exceptionally high number of data breaches was a cyberattack on the rehabilitation and long-term acute care hospital operator Ernest Health. When a health system experiences a breach that affects multiple hospitals, the breach is usually reported as a single breach. In this case, the breach was reported individually for each of the 31 affected hospitals. Had the breach been reported to OCR as a single breach, the month’s breach total would have been 60, well below the average of 66.75 breaches a month over the past 12 months.

Healthcare data breaches in the past 12 months

 

 

healthcare data breaches in March 2020-2024

While the breach total was high, the number of individuals affected by healthcare data breaches fell for the fourth consecutive month to the lowest monthly total since January 2023. Across the 93 reported data breaches, the protected health information of 2,971, 249 individuals was exposed or impermissibly disclosed – the lowest total for March since 2020.

records compromised in healthcare data breaches in the past 12 months

healthcare records breached in march 2020-2024

Biggest Healthcare Data Breaches in March 2024

18 data breaches were reported in March that involved the protected health information of 10,000 or more individuals, all of which were hacking incidents. The largest breach of the month was reported by the Pennsylvanian dental care provider, Risa’s Dental and Braces.  While the breach was reported in March, it occurred 8 months previously in July 2023. A similarly sized breach was reported by Oklahoma’s largest emergency medical care provider, Emergency Medical Services Authority. Hackers gained access to its network in February and stole files containing names, addresses, dates of birth, and Social Security numbers.

Philips Respironics, a provider of respiratory care products, initially reported a hacking-related breach to OCR involving the PHI of 457,152 individuals. Hackers gained access to the network of the Queens, NY-based billing service provider M&D Capital Premier Billing in July 2023, and stole files containing the PHI of 284,326 individuals, an August 2023 hacking incident was reported by Yakima Valley Radiology in Washington that involved the PHI of 235,249 individuals, and the California debt collection firm Designed Receivable Solutions, experienced a breach of the PHI of 129,584 individuals. The details of the breach are not known as there has been no public announcement other than the breach report to OCR.

 Name of Covered Entity State Covered Entity Type Individuals Affected Breach Cause
Risas Dental & Braces PA Healthcare Provider 618,189 Hacking Incident
Emergency Medical Services Authority OK Healthcare Provider 611,743 Hacking Incident
Philips Respironics PA Business Associate 457,152 Exploited software vulnerability (MoveIT Transfer)
M&D Capital Premier Billing LLC NY Business Associate 284,326 Hacking Incident
Yakima Valley Radiology, PC WA Healthcare Provider 235,249 Hacked email account
Designed Receivable Solutions, Inc. CA Business Associate 129,584 Hacking Incident
University of Wisconsin Hospitals and Clinics Authority WI Healthcare Provider 85,902 Compromised email account
Aveanna Healthcare GA Healthcare Provider 65,482 Compromised email account
Ezras Choilim Health Center, Inc. NY Healthcare Provider 59,861 Hacking Incident (data theft confirmed)
Valley Oaks Health IN Healthcare Provider 50,034 Hacking Incident
Family Health Center MI Healthcare Provider 33,240 Ransomware attack
CCM Health MN Healthcare Provider 28,760 Hacking Incident
Weirton Medical Center WV Healthcare Provider 26,793 Hacking Incident
Pembina County Memorial Hospital ND Healthcare Provider 23,811 Hacking Incident (data theft confirmed)
R1 RCM Inc. IL Business Associate 16,121 Hacking Incident (data theft confirmed)
Ethos, also known as Southwest Boston Senior Services MA Business Associate 14,503 Hacking Incident
Pomona Valley Hospital Medical Center CA Healthcare Provider 13,345 Ransomware attack on subcontractor of a vendor
Rancho Family Medical Group, Inc. CA Healthcare Provider 10,480 Cyberattack on business associate (KMJ Health Solutions)

 

Data Breach Causes and Location of Compromised PHI

As has been the case for many months, hacking incidents dominated the breach reports. 76 of the month’s breaches were classed as hacking/IT incidents, which involved the records of 2,918,585 individuals, which is 98.2% of all records compromised in March. The average breach size was 38,402 records and the median breach size was 3,144 records. The nature of the hacking incidents is getting harder to determine as little information about the incidents is typically disclosed in breach notifications, such as whether ransomware or malware was used. The lack of information makes it hard for the individuals affected by the breach to assess the level of risk they face. Many of these breaches were explained as “cyberattacks that caused network disruption” in breach notices, which suggests they were ransomware attacks.

Causes of March 2024 healthcare data breaches

There were 11 unauthorized access/disclosure incidents reported involving a total of 36,533 records. The average breach size was 3,321 records and the median breach size was 1,956 records. There were 4 theft incidents and 1 loss incident, involving a total of 15,631 records (average: 3,126 records; median 3,716 records), and one improper disposal incident involving an estimated 500 records. The most common location for breached PHI was network servers, which is to be expected based on the number of hacking incidents, followed by compromised email accounts.

Location of breached PHI in March 2024 healthcare data breaches

Where Did the Data Breaches Occur?

The OCR data breach portal shows there were 77 data breaches at healthcare providers (2,030,568 records), 10 breaches at business associates (920,522 records), and 6 data breaches at health plans (20,159 records). As OCR recently confirmed in its Q&A for healthcare providers affected by the Change Healthcare ransomware attack, it is the responsibility of the covered entity to report breaches of protected health information when the breach occurs at a business associate; however, the responsibility for issuing notifications can be delegated to the business associate. In some cases, data breaches at business associates are reported by the business associate for some of the affected covered entity clients, with some covered entities deciding to issue notifications themselves. That means that data breaches at business associates are often not abundantly clear on the breach portal. The HIPAA Journal has determined the location of the breaches, with the pie charts below show where the breaches occurred, rather than the entity that reported the breach.

Data breaches at HIPAA-regulated entities in March 2024

Records breached at HIPAA-regulated entities in March 2024

Geographical Distribution of Healthcare Data Breaches

In March, data breaches were reported by HIPAA-regulated entities in 33 U.S. states. Texas was the worst affected state with 16 breaches reported, although 8 of those breaches were reported by Ernest Health hospitals that had data compromised in the same incident. California experienced 10 breaches, including 3 at Ernest Health hospitals, with New York also badly affected with 7 reported breaches.

State Breaches
Texas 16
California 10
New York 7
Pennsylvania 6
Indiana 5
Colorado & Florida 4
Illinois, Ohio & South Carolina 3
Arizona, Idaho, Massachusetts, Michigan, Minnesota, New Mexico, North Carolina, Oklahoma & Utah 2
Alabama, Georgia, Kansas, Kentucky, Nevada, New Jersey, North Dakota, Oregon, Tennessee, Virginia, Washington, West Virginia, Wisconsin & Wyoming 1

HIPAA Enforcement Activity in March 2024

OCR announced one settlement with a HIPAA-regulated entity in March to resolve alleged violations of the HIPAA Rules. The Oklahoma-based nursing care company Phoenix Healthcare was determined to have failed to provide a daughter with a copy of her mother’s records when the daughter was the personal representative of her mother. It took 323 days for the records to be provided, which OCR determined was a clear violation of the HIPAA Right of Access and proposed a financial penalty of $250,000.

Phoenix Healthcare requested a hearing before an Administrative Law Judge, who upheld the violations but reduced the penalty to $75,000. Phoenix Healthcare appealed the penalty and the Departmental Appeals Board affirmed the ALJ’s decision; however, OCR offered Phoenix Healthcare the opportunity to settle the alleged violations for $35,000, provided that Phoenix Healthcare agreed not to challenge the Departmental Appeals Board’s decision.

The post March 2024 Healthcare Data Breach Report appeared first on HIPAA Journal.

Kisco Senior Living & Island Ambulatory Surgery Center Disclose Summer 2023 Cyberattacks

Posted by Steve Alder

Notification letters have been sent to more than 34,500 individuals about ransomware attacks that occurred more than 9 months ago. Kisco Senior Living experienced its attack in June 2023, and Island Ambulatory Surgery Center suffered an attack in July.

Kisco Senior Living

Kisco Senior Living is a Carlsbad, CA-based operator of 20 senior living communities in 6 U.S. States. According to the notification letters mailed to the affected individuals in April 2024, a cyberattack was detected on June 6, 2023, when its network was disrupted. A cybersecurity firm was engaged to investigate the disruption and confirmed that unauthorized individuals accessed its network and exfiltrated files containing the personal information of residents. It took more than 10 months (April 10, 2024) to determine the types of information involved and the number of individuals affected.

According to the notification sent to the Maine Attorney General, the breach included names and Social Security numbers and affected 26,663 individuals. Kisco Senior Living said additional security features have been implemented to prevent similar breaches in the future and the affected individuals have been offered 12 months of complimentary credit monitoring services, which include a $1 million identity fraud loss reimbursement policy.

Island Ambulatory Surgery Center

Island Ambulatory Surgery Center in Brooklyn, NY, has recently notified 7,900 individuals about a cyberattack that was detected on or around July 31, 2023. Cybersecurity experts were engaged to investigate the breach and determined that an unauthorized actor had access to its network and acquired certain files, some of which contained patients’ personal and health information.

The review of the affected files was completed on February 7, 2024, and confirmed some or all of the following information was compromised: name, date of birth, Social Security number, driver’s license number, medical information, and/or health insurance information. Notification letters were mailed to the affected individuals on April 5, 2024. Island Ambulatory Surgery Center said it takes privacy and security seriously and has implemented measures to prevent similar incidents in the future.

The post Kisco Senior Living & Island Ambulatory Surgery Center Disclose Summer 2023 Cyberattacks appeared first on HIPAA Journal.

Email Accounts Compromised at UW Health and Medical Home Network

Posted by Steve Alder

Email accounts have been compromised at the University of Wisconsin Hospitals and Clinics Authority and the Medical Home Network in Illinois.

University of Wisconsin Hospitals and Clinics Authority Email Account Breach

The University of Wisconsin Hospitals and Clinics Authority (UW Health) recently provided an update on a security incident that was detected in late 2023. Suspicious activity was detected in an employee’s email account and the password was immediately changed to prevent further unauthorized access. A third-party cybersecurity firm was engaged to investigate the breach and it was determined on January 5, 2024, that the email account had been accessed by an unauthorized individual at various times between Sep. 20, 2023, and Dec. 5, 2023. Some of the emails in the account were viewed, and data may have been stolen.

The account was reviewed to determine the individuals affected and the types of information that had been exposed. The review was completed on February 9, 2024, and confirmed that the account contained names, dates of birth, medical record numbers, and clinical information, such as dates of service, provider names, and diagnoses. The emails did not contain any Social Security numbers, health insurance ID numbers, or financial information. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 85,902 individuals.

The affected individuals have now been notified and while UW Health has not found any evidence of misuse of patient data, patients have been advised to exercise caution regarding any emails they receive that claim to be from UW Health or other healthcare providers, and to monitor their billing statements and to report any charges for services that have not been received. UW Health also said users of the UW Health MyChart portal have been targeted in the past with scams through the use of fraudulent websites and has urged all patients to be vigilant when callers or emails request personal information. Scammers may claim to be UW Health employees when contacting people by phone, may send phishing emails using stolen UW Health logos, or may send phishing text messages requesting login credentials or linking to malicious URLs.

Medical Home Network Email Environment Compromised

MHNU Corporation, which does business as Medical Home Network (MHN) in Illinois, has recently notified 681 individuals about the exposure of some of their protected health information. Suspicious activity was identified in MHN’s email environment on or around October 11, 2023. After securing its email accounts, independent cybersecurity experts were engaged to investigate and determine the cause of the activity. The forensic investigation confirmed that an unauthorized actor gained access to the email accounts of two employees between October 4, 2023, and October 12, 2023, and emails and attached files may have been viewed or acquired.

On April 12, 2024, MHN learned that the protected health information of current and former members of CountyCare, Wellness West, and NeueHealth were stored in the compromised accounts. Those companies were notified about the incident on February 16, 2024, and MHN coordinated with the companies to effectuate notification to the affected individuals. MHN said the breached information included first and last names, patient IDs, phone numbers, dates of birth, and medical information; however, no evidence of misuse of that information had been identified at the time of issuing notifications. MHN said it takes privacy and security seriously and has taken steps to prevent similar incidents in the future.

The post Email Accounts Compromised at UW Health and Medical Home Network appeared first on HIPAA Journal.

Cyberattacks Reported by Healthcare Providers in North Carolina, Rhode Island, & California

Posted by Steve Alder

Knowles Smith & Associates, which does business as Village Family Dental and operates 7 dentistry offices in North Carolina, recently notified 240,214 current and former patients that some of their protected health information was exposed in a November 2023 cyberattack.

Village Family Dental said anomalous activity was detected within its network on November 17, 2023. The affected systems were immediately taken offline and third-party cybersecurity experts were engaged to investigate the activity. The forensic investigation confirmed that there had been unauthorized access to its network, and on February 8, 2024, it was confirmed that files containing patient data were potentially viewed or acquired.

Dental records and other health information were not exposed, with the compromised data limited to names, patient ID numbers, provider names, addresses, dates of birth, chart numbers, telephone numbers, and email addresses. Village Family Dental said no evidence has been found to indicate any attempted or actual misuse of patient data. Notification letters were mailed to the affected individuals on April 8, 2024.

Village Family Dental said it has been working with third-party cybersecurity experts to evaluate and enhance its security practices to prevent similar incidents in the future and confirmed that “significant steps” have been taken to mitigate the risk to persons impacted by the cyberattack.

Valley Mountain Regional Center

On April 19, 2024, Valley Mountain Regional Center in California announced a data security incident that was detected on August 1, 2023. Unusual activity was detected within its network and immediate action was taken to secure its systems. The forensic investigation confirmed that unauthorized individuals had access to its network and exfiltrated files containing patient information on or around July 29, 2023.

A third-party vendor was engaged to review the affected files, and on February 20, 2024, confirmed that personal and protected health information was involved. The types of data involved varied from individual to individual and may have included names, Social Security numbers, taxpayer identification numbers, dates of birth, driver’s license numbers, username and password, biometric data, medical treatment and/or diagnosis information, and/or health insurance information. Valley Mountain Regional Center said it is unaware of any misuse of patient data. The affected individuals have been offered complimentary identity protection services through Cyberscout.

The breach has been reported to the HHS’ Office for Civil Rights, but it is not yet displayed on OCR’s breach portal, so it is currently unclear how many individuals have been affected.

Blackstone Valley Community Health Center

Blackstone Valley Community Health Center in Pawtucket, RI, has announced a cyberattack that occurred on November 11, 2023, which disrupted its computer network. After securing its network, third-party cybersecurity experts were engaged to investigate the cause of the disruption and determined that an unauthorized third party had access to its network.

The review of the exposed files was concluded on March 11, 2024, and confirmed that they contained patient data including names, Social Security numbers, and medical information. Notification letters were mailed to the affected individuals on April 18, 2024. The affected individuals have been offered single bureau monitoring, credit reporting, and credit score services at no charge, and network security has been enhanced to prevent similar breaches in the future. The breach was recently reported to the Maine Attorney General as affecting up to 34,416 individuals.

The post Cyberattacks Reported by Healthcare Providers in North Carolina, Rhode Island, & California appeared first on HIPAA Journal.

Cyberattacks Reported by UT Health Science Center; SysInformation Healthcare Services; Jackson Medical Center

Posted by Steve Alder

Cyberattacks have been reported by the University of Tennessee Health Science Center, SysInformation Healthcare Services (EqualizeRCM/1st Credentialing), and Jackson Medical Center. Moveable Feast has discovered the improper disposal of documents containing PHI.

University of Tennessee Health Science Center – Ransomware Attack

The University of Tennessee Health Science Center (UT-HSC) said a cyberattack on one of its vendors has resulted in the exposure and possible theft of the protected health information of 19,353 patients who received obstetrics and gynecology (OB/GYN) services at Regional One Health (ROH).

UT-HSC contracted with a company called KMJ Health Solutions which provided patient handoff software that is used to support OB/GYN patients and ensure they receive the appropriate care when they are transferred to another healthcare provider. UT-HSC was notified by KMJ on or around November 29, 2023, about a security incident discovered while investigating a server outage. KMJ erased and reformatted the server and hired a cybersecurity firm to investigate the incident but was unable to make a definitive determination about whether there had been unauthorized access. On January 18, 2024, KMJ’s hosting provider, Liquid Web, found evidence of a ransomware attack but could not determine whether the attackers downloaded a copy of the data stored in the eDocList.

The potentially affected individuals had received OB/GYN services at ROH between November 2014 and November 2023. The information potentially compromised included first and last name, medical record number, age, date of admission, allergies, service, resident assigned, parity, diagnoses, prenatal provider, laboratory results, medications, fetal or delivery details, contraception, type of infant feeding, and information regarding follow up care.

KMJ has implemented new technical safeguards including vulnerability scans, penetration testing, and configuration reviews. Due to the nature of the exposed data, UT-HSC does not believe there is any significant risk of identity theft or harm to credit; however, the affected individuals have been advised to be on the lookout for any letters, emails, or phone calls, and other communications from unknown individuals wanting to discuss any of the services received from ROH.

SysInformation Healthcare Services (EqualizeRCM/1st Credentialing) – Cyberattack

SysInformation Healthcare Services (SysInformation), an Austin, TX-based provider of revenue cycle support to medical billing companies and hospitals that does business as EqualizeRCM and 1st Credentialing, has experienced a cyberattack that caused a network outage. SysInformation said suspicious activity was detected within its network in June 2023. IT systems were secured, and third-party forensics experts were engaged to investigate the incident. The investigation revealed unauthorized access to its network between June 3, 2023, and June 18, 2023, and certain files had been exfiltrated.

SysInformation said an extensive review was conducted to determine the types of information involved and the individuals affected and notification letters were mailed to the affected individuals on April 17, 2024. The types of data involved varied from individual to individual and may have included one or more of the following: name, government identification number, date of birth, Driver’s license number, employer identification number, electronic signature, financial account information, health insurance information, medical history/treatment information, login information, mother’s maiden name, government-issued identification number, passport information, Social Security number, and/or tax identification number.

Complimentary credit monitoring services have been offered to the affected individuals, security policies and procedures have been reviewed, and additional safeguards have been implemented to prevent similar incidents in the future. The breach has been reported to regulators; however, it is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jackson Medical Center – Cyberattack

Jackson Medical Center in Alabama has notified 509 patients about the exposure of some of their protected health information in a cyberattack that disrupted some of its IT systems. The attack was detected on February 22, 2024, and third-party forensics experts were engaged to investigate the incident and confirmed that an unauthorized third party had access to its network between February 17, 2024, and February 22, 2024. During that time, files were accessed or removed from its network.

A review of the affected files confirmed on March 8, 2024, that they contained patients’ protected health information including names and one or more of the following: contact information, dates of birth, driver’s license or state identification numbers, diagnoses, treatment information, and/or health insurance information. Notification letters have been mailed to the affected individuals and complimentary identity monitoring services have been offered to patients whose Social Security numbers, driver’s license numbers, or state identification numbers were potentially involved. Jackson Medical Center said additional safeguards and technical security measures have been implemented to further protect and monitor its systems.

Moveable Feast – Improper Disposal of Documents

Moveable Feast, a Baltimore, MD-based non-profit that provides care to individuals living with HIV/AIDS and other life-threatening illnesses, has discovered that documents containing sensitive data were disposed of incorrectly. Moveable Feast’s policies require sensitive documents to be placed in shredding bins, but some were inadvertently disposed of in regular recycling bins. The HIPAA violation was discovered when a recycling bin awaiting curb pickup was blown over, scattering its contents.

Staff collected most of the documents, but some pages could not be retrieved. The missing pages contained the information of 568 individuals such as their client number, name, gender, race, and age, and for a subset of Moveable Feast clients, the last 4 digits of their Social Security numbers. Notification letters have been sent to all affected individuals and 12 months of credit monitoring services have been made available at no cost. Staff members have also been retrained on handling sensitive information.

The post Cyberattacks Reported by UT Health Science Center; SysInformation Healthcare Services; Jackson Medical Center appeared first on HIPAA Journal.

Michigan’s Largest FQHC Suffers Ransomware Attack Affecting 184,000 Patients

Posted by Steve Alder

Cherry Street Services, Inc., which operates as Cherry Health Services, fell victim to a ransomware attack in December 2023. Cherry Health is the largest federally qualified health center in Michigan, with 20 healthcare facilities in six counties in the state, and provides healthcare services to underserved communities, regardless of insurance status or their ability to pay for healthcare.

The Grand Rapids, MI-based healthcare provider said it experienced network disruption on December 21, 2024, that prevented access to some of its computer systems. Third-party cybersecurity specialists were engaged to investigate the incident and determined that unauthorized individuals had accessed certain files on its network. The review of the affected files was completed on March 25, 2024, and confirmed that protected health information was exposed in the attack, including names, addresses, phone numbers, dates of birth, health insurance information, health insurance ID number, patient ID number, provider name, service date, diagnosis/treatment information, prescription information, financial account information and/or Social Security numbers. The types of information exposed varied from individual to individual.

While healthcare data was potentially stolen in the attack, Cherry Health said it is unaware of any instances of actual or attempted misuse of patient data; however, as a precaution, the affected individuals have been offered 12 months of complimentary credit monitoring services, which includes monitoring of the dark web for the publication or sale of sensitive personal information, a $1 million identity theft insurance policy, and identity theft identity recovery services. Cherry Street said it has already taken steps to improve its technical safeguards to prevent similar incidents in the future. The incident has recently been reported to the Maine Attorney General as affecting 184,372 individuals.

The post Michigan’s Largest FQHC Suffers Ransomware Attack Affecting 184,000 Patients appeared first on HIPAA Journal.

Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

Posted by Steve Alder

The Texas health system Ernest Health is being sued by patients who had their protected health information compromised in a recent cyberattack. This is likely to be one of many lawsuits filed against Ernest Health over the theft of at least 94,747 patients’ data. Ernest Health operates hospitals in Arizona, California, Colorado, Idaho, Indiana, Montana, New Mexico, Ohio, South Carolina, Texas, Utah, Wisconsin, and Wyoming. On February 1, 2024, suspicious activity was detected in its networks, with the investigation confirming there had been unauthorized access to its network between January 16, 2024, and February 4, 2024. The LockBit ransomware group claimed responsibility for the attack and threatened to publish the stolen data on its leak site. Ernest Health said the compromised information included names, contact information, dates of birth, health plan IDs, health data, Social Security numbers, and driver’s license numbers.

A lawsuit has been filed by Joe Lara and Lauri Cook on behalf of themselves and similarly situated individuals who had their personal and protected health information compromised in the Ernest Health cyberattack. The lawsuit alleges that Ernest Health lost control of the data of current and former patients due to insufficient cybersecurity safeguards and a lack of cybersecurity training for its employees, which meant it had no effective means to prevent, detect, or stop the attack. The plaintiffs argue that it took 73 days from the initial compromise for Ernest Health to issue individual notifications, which denied them the opportunity to mitigate their injuries in a timely manner.

While Ernest Health said it has implemented additional safeguards in response to the breach, the plaintiffs claim the health system has done too little, too late, and that the offer of credit monitoring and identity theft protection services is wholly insufficient. The lawsuit alleges negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty and seeks a jury trial, declaratory and other equitable relief, injunctive relief, and compensatory, exemplary, punitive damages, and statutory damages. The plaintiffs and class are represented by Joe Kendall of the Kendall Law Group, and Samuel J. Strauss and Raina Borrelli of the law firm, Turke & Strauss.

The post Ernest Health Sued Over 2024 Ransomware Attack and Data Breach appeared first on HIPAA Journal.

MedData Settles Class Action Data Breach Lawsuit for $7 Million

Posted by Steve Alder

Last month, the Spring, TX-based revenue cycle management firm MedData agreed to a $7 million settlement to resolve a class action lawsuit filed following the exposure of the personal and health information of 136,000 individuals on a public-facing website.

MedData helps healthcare providers and health plans by processing Medicaid eligibility, third-party liability, workers’ compensation, and patient billing, including healthcare providers and health plans such as Memorial Hermann, Aspirus Health Plan, OSF HealthCare, and the University of Chicago Medical Center. All of those HIPAA-covered entities had member and patient data exposed by MedData.

Between December 2018 and September 2019, a MedData employee inadvertently uploaded the data to personal folders on GitHub Arctic Code Vault, which is a public-facing part of the GitHub website. The data remained there unprotected and exposed for more than a year. MedData was informed about the data exposure by a security researcher on December 10, 2020, and the files were removed from GitHub on December 17, 2020.

MedData has faced 5 class action lawsuits over the data breach, four of which have been dismissed. This amended lawsuit is the last remaining action against MedData over the data breach. Under the terms of the settlement, class members can choose one of two payment tiers. The first option allows class members to claim back documented, unreimbursed out-of-pocket expenses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, class members can claim up to $500 for “de-minimis” or minimal affirmative action in response to being notified about the data breach. Regardless of the option chosen, class members can also claim 36 months of health data and fraud monitoring services at no cost. Those services include a $1 million identity theft insurance policy.

The settlement also requires MedData to implement and maintain an enhanced cybersecurity program, which must include robust monitoring and auditing for data security issues, annual cybersecurity testing, training on data privacy for employees, data encryption, enhanced access controls, annual penetration testing, a data deletion policy, and a monitored internal whistleblowing mechanism. The board must also consider appropriate cybersecurity spending annually, and regularly update internal security policies and procedures.

The post MedData Settles Class Action Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.

Orrick, Herrington & Sutcliffe Agrees $8 Million Settlement to Resolve Class Action Data Breach Lawsuit

Posted by Steve Alder

The San Francisco, CA-based law firm Orrick, Herrington & Sutcliffe has agreed to a $8 million settlement to resolve a class action lawsuit filed in response to a 2023 cyberattack and data breach.

In March 2023, the law firm that specializes in helping companies that have experienced security breaches suffered one of its own. On March 13, 2023, hackers were discovered to have gained access to its network, with the forensic investigation revealing they had access for around two weeks between February 28 and March 13, 2023, before the intrusion was detected. The personal and protected health information of 637,620 individuals was compromised; however, it took months to determine how many individuals had been affected with the last batch of notification letters mailed to affected individuals in January 2024. The affected individuals were offered 2 years of complimentary credit monitoring services.

A lawsuit was filed against Orrick, Herrington & Sutcliffe in the U.S. District Court for the Northern District of California shortly after the announcement about the breach. The lawsuit made several allegations, including the failure to secure its systems, the failure to prevent and stop the breach, the failure to detect the breach in a timely manner, and the failure to disclose material facts that adequate system security measures were not in place to prevent data breaches. The lawsuit also alleged Orrick, Herrington & Sutcliffe did not honor repeated promises and representations to protect the information of the breach victims and failed to provide timely notifications. Several other lawsuits were filed over the breach that made similar claims, and they were consolidated into a single action – In re Orrick Herrington & Sutcliffe LLP Data Breach Litig.

The plaintiffs alleged they had been harmed by the data breach, including receiving a flood of spam emails and phone calls, actual and attempted identity theft, and other misuse of their personal information. Orrick, Herrington & Sutcliffe has denied liability and wrongdoing and said it regretted the inconvenience and distraction that the malicious incident caused. The proposed settlement was deemed to be reasonable and fair by class counsel and has received preliminary approval from the court. Under the terms of the settlement, class counsel may claim up to 25% of the settlement amount and after costs of up to $50,000 and $2,500 service awards for the lead plaintiffs have been deducted, the remainder of the settlement will cover claims from individuals affected by the data breach.

The settlement includes up to 5 hours of compensation for lost time at $25 per hour, reimbursement of up to $2,500 for unreimbursed out-of-pocket expenses, reimbursement of up to $7,500 for extraordinary losses such as identity theft and fraud, and three years of three-bureau credit monitoring services. California residents are entitled to a cash payment of $150. If class members choose not to submit a claim for lost time and reimbursement for out-of-pocket expenses and extraordinary losses, a claim may instead be submitted for a cash payment of $75.

The post Orrick, Herrington & Sutcliffe Agrees $8 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.