OneBlood, a non-profit organization that provides blood to approximately 350 hospitals in the southeastern United States, has agreed to pay up to $1,000,000 to resolve a class action lawsuit over its July 2024 ransomware attack and data breach. Between July 14, 2024, and July 29, 2024, a threat actor had access to OneBlood’s computer systems and exfiltrated sensitive data before using ransomware to encrypt files. The investigation confirmed that protected health information had been exposed, and a total of 167,400 individuals had their names and Social Security numbers exposed or stolen.
Three of the affected individuals, Deanna Newberry, Matthew Shuttleworth, and Andy Shuttleworth, took legal action seeking damages for themselves and similarly situated individuals. In the lawsuit, Deanna Newberry, et al. v OneBlood, Inc., the plaintiffs claimed that OneBlood failed to implement reasonable and appropriate security measures to secure their personal information, and that the ransomware attack and data breach could have been prevented if appropriate security measures had been implemented.
OneBlood disagrees with the claims and contentions in the lawsuit and denies any wrongdoing, while the plaintiffs believe that their claims have merit. A settlement was agreed upon by all parties to resolve all claims in the lawsuit, with both sides agreeing that a settlement was in the best interests of all parties to avoid the costs and risks of a trial and related appeals. The settlement has received preliminary approval from Florida Circuit Court Judge Keathan B. Frink and provides benefits for the plaintiffs and class members.
Class members may choose one of two cash payments: a claim may be submitted for reimbursement of up to $2,500 per class member for documented, unreimbursed out-of-pocket losses related to the data breach, or they may instead claim an alternative cash payment of $60.00. OneBlood will pay a maximum of $1,000,000 to cover attorneys’ fees and expenses, service awards for class members, settlement administration costs, and cash payments. If that total is reached, the cash payments will be subject to a pro rata decrease. OneBlood has also committed to making improvements to security and will provide class counsel with a confidential list of the security measures implemented since the data breach to improve security for the benefit of the settlement class and other future donors.
Class members must submit a claim for a cash payment by December 4, 2025. Should any class member wish to opt out of the settlement or file an objection, they must do so by November 9, 2025. The final fairness hearing has been scheduled for December 9, 2025. Further information can be found on the settlement website: https://oneblooddatasettlement.com/
January 15, 2025: OneBlood Notifies Individuals Affected by July 2024 Ransomware Attack
On July 31, 2024, the Florida nonprofit blood donation organization OneBlood announced it had fallen victim to a ransomware attack. The attack took its IT systems out of operation, and while blood was still able to be collected, tested, and distributed, manual processes had to be used, which significantly reduced its capacity. The reduced capacity forced the hospitals OneBlood serves to implement their critical blood shortage protocols. OneBlood serves around 350 hospitals in the Southeastern United States.
OneBlood has recently confirmed that the ransomware group exfiltrated files and folders in the attack that contained the personal information of blood donors, including their names and Social Security numbers. The breach notification letters explain that the ransomware attack was detected on or around July 28, 2024, and the investigation confirmed that the ransomware group had access to its IT network from July 14 to July 29, 2024.
It has taken four and a half months to investigate the incident and review the files and folders on the compromised parts of its network to determine the individuals affected and the types of information involved. That process was completed on December 9, 2024, and notification letters started to be mailed on or around January 9, 2025, five and a half months after the data was stolen. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. In addition to signing up for those services, the affected individuals should carefully check their accounts for signs of fraudulent charges going back to the date of the initial compromise – July 14, 2024.
It is currently unclear how many individuals had their data stolen in the attack. OneBlood has notified the South Carolina State Attorney General that 1,530 blood donors in the state are affected.
August 1, 2024: Ransomware Attack on U.S. Blood Donation Nonprofit Affecting Blood Supplies
OneBlood, a Florida-based nonprofit blood donation organization, has experienced a ransomware attack that is affecting its ability to provide blood to U.S. hospitals. OneBlood operates in Alabama, Florida, Georgia, and North and South Carolina, and provides blood to around 350 hospitals in those states. OneBlood announced on July 31, 2024, that it had fallen victim to a ransomware attack that affected its software system. OneBlood said it is still operational and is continuing to collect, test, and distribute blood, but is having to use manual processes and procedures that take considerably longer, which means it is currently operating at a significantly reduced capacity.
Due to the limited operational capacity, OneBlood has informed all 350 hospitals that it serves to implement their critical blood shortage protocols and to remain in that status until the ransomware attack has been remediated. One of the affected health systems is AdventHealth in Florida, which has confirmed that it has implemented its blood conservation protocols. To help prevent critical blood shortages, the national blood community is rallying to assist OneBlood and the hospitals and patients it serves by sending blood and platelets.
OneBlood said all blood types are required, but there is an urgent need for O-positive and O-negative blood and platelet donations, and donors across the country are being urged to make appointments for donations as soon as possible. National resources are being coordinated by the AABB Disaster Task Force to direct additional blood products to OneBlood.
OneBlood has engaged cybersecurity specialists to assist with the investigation and determine the scope of the attack. At this early stage of the investigation, it is not possible to tell to what extent, if any, donor information has been obtained by the attackers. Further information will be released as the investigation progresses, and if donor information is involved, notifications will be issued to the affected individuals.
A source contacted Bleeping Computer and said the attack occurred over the weekend and involved the encryption of data on its VMware hypervisor infrastructure and OneBlood has confirmed that it is working around the clock to restore its software systems. While the threat actor responsible for the attack has yet to be confirmed, the RansomHub group is suspected of being behind the attack. RansomHub has no qualms about conducting attacks on healthcare organizations and has recently attacked the Rite Aid pharmacy chain, the Florida Department of Health, American Clinical Solutions (ACS) in Florida, the Baim Institute for Clinical Research in Boston, and the UK-based independent living aid manufacturer NRS Healthcare. While RansomHub was not behind the ransomware attack on Change Healthcare, it did attempt extortion after obtaining a copy of the data stolen in the attack.
There have been other recent ransomware attacks on healthcare organizations that have caused blood supply shortages. On June 3, 2024, the Qilin ransomware group conducted a ransomware attack on Synnovis, a UK pathology services provider to the National Health Service (NHS). The attack caused major disruption to blood transfusions in London, and without access to automated processes, its ability to operate was greatly reduced, and the attack led to blood shortages that are continuing.
The hospitals that Synnovis serves were asked to restrict the use of O Type blood to essential cases and to use substitutions when it was safe to do so. Synnovis has now confirmed that it restored its systems this week; however, its blood transfusion services are expected to face continued disruption over the summer, with a full recovery not expected until early autumn. Another attack affected the U.S. operations of the Swiss pharma firm OctaPharma Plasma, which operates more than 190 donation centers in 35 states. The ransomware attack is thought to have been conducted by the BlackSuit ransomware group and forced OctaPharma Plasma to shut down its donation centers for several weeks.
The post OneBlood Will Pay Up to $1M to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.
