HIPAA Breach News

New Jersey Nursing Facility to Pay $100,000 CMP to Resolve HIPAA Right of Access Violation

Posted by Steve Alder

The HHS’ Office for Civil Rights has announced another financial penalty has been imposed for a violation of the HIPAA Right of Access. Essex Residential Care, LLC, which does business as Hackensack Meridian Health, West Caldwell Care Center in New Jersey, has been ordered to pay a civil monetary penalty of $100,000 to resolve the alleged violation.

Hackensack Meridian Health operates skilled nursing facilities in New Jersey, including the West Caldwell Care Center. In May 2020, OCR received a complaint from the son of a mother who had received care at West Caldwell Care Center who alleged he had not been provided with a copy of her medical records within the 30 days allowed by the HIPAA Privacy Rule.

Son Not Provided with His Mother’s Records within 30 Days

The complainant was the personal representative of his mother and therefore should have been provided with a copy of his mother’s medical records. The complainant first asked for a copy of the records on April 19, 2020, via email, and on April 23, 2020, an administrator at West Caldwell Care Center advised him that the records could not be provided without a copy of a power of attorney, medical proxy or similar document executed by the mother, confirming that he was her personal representative.

The appropriate documentation was provided but West Caldwell Care Center still did not provide the requested records, which led to him filing a complaint with OCR. On October 15, 2020, OCR notified West Caldwell Care Center that an investigation had been opened as a result of the complaint and the correspondence included a data request pursuant to the investigation.

West Caldwell Care Center responded and acknowledged that the records had not been provided within the allowed 30 days and, in response to OCR’s investigation, sent the requested records in late November, which were received by the complainant on December 1, 2020, 161 days after the initial request was made.

West Caldwell Care Center Disagreed with OCR’s Determination

Most HIPAA Right of Access investigations are informally settled with OCR, a financial penalty is paid, and the covered entity agrees to adopt a corrective action plan which includes updates to its policies and procedures and training on HIPAA policies for staff members. In this case, West Caldwell Care Center’s attorney disagreed with OCR’s proposed resolution of the investigation. OCR then notified West Caldwell Care Center that the investigation had uncovered preliminary indications of non-compliance with the HIPAA Right of Access, and OCR provided West Caldwell Care Center with the opportunity to submit evidence of mitigating factors.

West Caldwell Care Center acknowledged that the complainant was not provided with the requested records, but the records were provided to another facility to which his mother had been transferred. West Caldwell Care Center also said that at the time of the initial request, there was ongoing litigation due to the non-payment of care costs. As another mitigating factor, West Caldwell Care Center said it was dealing with the COVID-19 pandemic, and that the complainant filed a complaint with OCR exactly 30 days after the request was made before West Caldwell Care Center’s response to the initial request was due. West Caldwell Care Center accepted that the matter should have been handled differently.

$100,000 Civil Monetary Penalty Imposed

OCR determined that West Caldwell Care Center failed to provide the requested records within the 30 days allowed by the HIPAA Privacy Rule and that the delay from June 23, 2020, to December 1, 2020, was a violation of the HIPAA Right of Access. The maximum civil monetary penalty was $206,080 based on the reasonable cause penalty tier (see: What are the penalties for HIPAA violations); however, per OCR’s reinterpretation of the language of the HITECH Act and its subsequent Notice of Enforcement Discretion, the penalty was capped at $100,000.

West Caldwell Care Center argued that a civil monetary penalty was not permitted because the violation was not due to wilful neglect and was timely corrected and that imposing a civil monetary penalty would be arbitrary and capricious and would violate the Administrative Procedure Act (APA). OCR disagreed that the violation was timely corrected and said the affirmative defense requirements were not met, and that the penalty was appropriate and reasonable given that the violation did not violate the APA and that the civil penalty amount was reasonable given the substantial delay providing the requested records.

West Caldwell Care Center said its staff believed they had responded in the allowed time frame by transferring the records to another facility; however, OCR’s view was that the records were not provided to the personal representative as required by HIPAA. West Caldwell Care Center was advised of its right to request a hearing with an administrative law judge; but on advice from its legal counsel, chose to waive that right.

“A patient’s timely access to health records is paramount for medical care. The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records,” commented OCR Director Melanie Fontes Rainer. “OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”

This is the fourth financial penalty imposed by OCR in 2024 to resolve alleged HIPAA violations and its 145th financial penalty to date. OCR has now fined 48 HIPAA-regulated entities for failing to provide patients or their personal representatives with timely access to the requested medical records that they are legally entitled to obtain.

The post New Jersey Nursing Facility to Pay $100,000 CMP to Resolve HIPAA Right of Access Violation appeared first on HIPAA Journal.

OCR Settles HIPAA Right of Access Investigation with Phoenix Healthcare for $35,000

Posted by Steve Alder

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a $35,000 settlement has been reached with Phoenix Healthcare to resolve a HIPAA Right of Access violation. This is the 47th investigation of a HIPAA Right of Access case to result in a financial penalty. The HIPAA Right of Access provision of the HIPAA Privacy Rule requires patients or their personal representatives to have timely access to their health information. Access/copies of the requested information must be provided within 30 days of the request being received.

OCR received a complaint from a daughter whose mother was a patient of Phoenix Healthcare, an Oklahoma multi-facility organization in nursing care. The daughter was the personal representative of her mother and had not been provided with timely access to her mother’s medical records. The daughter requested the records on multiple occasions and had to wait almost a year to receive the requested data. The requested records were provided 323 days after the initial request was made.

The daughter reported the matter to OCR as a potential HIPAA investigation and OCR launched an investigation. OCR determined that there had been a violation of the HIPAA Right of Access and informed Phoenix Healthcare by letter on March 30, 2021, of its intention to impose a financial penalty of $250,000 for the failure to comply with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Phoenix Healthcare contested the proposed fine and requested a hearing before an Administrative Law Judge (ALJ). The ALJ upheld the violations cited by OCR and that there had been wilful neglect of the HIPAA Privacy Rule. The ALJ ordered Phoenix Healthcare to pay a civil monetary penalty of $75,000.

Phoenix Healthcare appealed the $75,000 penalty, contesting both the penalty amount and the wilful neglect determination. The Departmental Appeals Board affirmed the ALJ’s decision that there had been wilful neglect of the HIPAA Rules and order to pay $75,000; however, OCR chose to settle with Phoenix Healthcare and reduced the financial penalty to $35,000 on the condition that the Departmental Appeals Board’s decision is not challenged, that Phoenix Healthcare revises its HIPAA policies and procedures, and provides HIPAA training on the revised policies and procedures to its workforce.

“Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” said OCR Director Melanie Fontes Rainer. “Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”

This is the third OCR HIPAA investigation of 2024 to result in a financial penalty, the others being a $4,750,000 settlement with Montefiore Medical Center, and a $40,000 settlement with Green Ridge Behavioral Health.

The post OCR Settles HIPAA Right of Access Investigation with Phoenix Healthcare for $35,000 appeared first on HIPAA Journal.

MFA Bypassed in Cyberattack on L.A. County Department of Mental Health

Posted by Steve Alder

Cyberattacks and data breaches have been reported by the L.A. County Department of Mental Health, Healthfirst, Wyndemere Senior Care, Risas Dental & Braces, and Baylor College of Medicine.

Los Angeles County Department of Mental Health

The Los Angeles County Department of Mental Health has recently notified the California Attorney General about a breach of an employee’s email account. The email account had multi-factor authentication (MFA) in place; however, MFA was bypassed. The cyber threat actors bypassed MFA using a technique known as push notification spamming, where a user is sent multiple MFA push notifications to their mobile device in the hope that they will eventually respond. The employee did respond, resulting in their email account being compromised.

According to the Department of Mental Health, the attack stemmed from a breach at the City of Gardena Police Department (GDP). “GPD’s email exchanges with the Department of Mental Health (DMH) allowed the malicious actor or actors to send an email to a DMH employee and get access to that employee’s Microsoft Office 365 account.” The account contained names, dates of birth, Social Security numbers, addresses, telephone numbers, and medical record numbers.

This is not the first attack of this kind to affect the Department of Mental Health. Similar attacks occurred on October 6, 2023, and October 24, 2023. The breach notices sent to the affected individuals on December 6, 2023, December 22, 2023, and March 22, 2024, all include the following statement, “We have also notified Microsoft of the vulnerability in the Microsoft Office 365 multifactor authentication that was exploited by the malicious actor or actors. We have since implemented new security controls to address this specific attack.” Only one report is currently showing on the HHS’ Office for Civil Rights breach portal – dated December 22, 2023 – indicating 1,284 individuals were affected. It is unclear how many individuals had their data exposed in the latest attack.

Healthfirst

The New York health insurance provider, Healthfirst, has recently notified 6,836 of its 2 million members about unauthorized access to its member portal. Healthfirst, which provides health plans under the names Healthfirst PHSP, Inc., Healthfirst Health Plan, Inc., and Healthfirst Insurance Company, said member names, dates of birth, Healthfirst member ID numbers, and member zip codes were used to create unauthorized accounts. The accounts have now been disabled and internal protocols for digital member account validation have been updated to prevent similar incidents in the future. An investigation is ongoing into the source of the unauthorized activity. Healthfirst said it has no reason to believe that the unauthorized activity is linked to the Change Healthcare cyberattack. The affected individuals were notified on March 19, 2024.

Wyndemere Senior Care

Wyndemere Senior Care LLC, a Wheaton, IL-based provider of independent & assisted living neighborhoods, skilled nursing, & memory care, has notified 6,846 individuals that some of their personal information has been exposed in a cyberattack. Suspicious activity was detected in its computer systems on September 8, 2023, with the forensic investigation confirming there had been unauthorized network access between September 1, 2023, and September 8, 2023. A review of the files on the compromised parts of the network confirmed on February 21, 2024, that names and financial account numbers had been exposed. Individual notifications were mailed to the affected individuals on March 28, 2024. Wyndemere said it is implementing additional cybersecurity safeguards and is providing further training to its employees.

Risas Dental & Braces

Risas Dental & Braces in Phoenix, AZ, has recently notified patients about a cyberattack detected in July 2023 in which their protected health information was exposed. Unusual activity was identified in its computer systems on July 10, 2023, and immediate action was taken to secure its network. Third-party cybersecurity specialists were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. The digital forensics team determined that unauthorized individuals had gained access to the network and may have downloaded files containing patient data.

The review of those files was completed on January 26, 2024, and confirmed they contained protected health information such as names, contact information, high-level treatment information such as procedure names or notes, the initial date or dates of service, and/or insurance subscriber information.  The affected individuals were notified by mail on March 22, 2024. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.

Baylor College of Medicine (Advarra)

Baylor College of Medicine in Houston, TX, has confirmed that the personal information of certain participants in breast cancer clinical trials has been exposed in a data breach at its vendor, Advarra. The data was present in the email account of an Advarra employee that was accessed by an unauthorized third party in October 2023. Baylor College of Medicine was first made aware of the email security incident in November 2023, with the Advarra investigation determining in February 2024 that research participants’ data had been exposed. Advarra reported the breach to the Maine Attorney General in February as affecting 4,656 individuals and involving names, other personal identifiers, and Social Security numbers. It is unclear whether that figure includes the research participants.

Baylor College of Medicine said the research participants’ data exposed in the attack related to breast cancer research and clinical trials at the Dan L Duncan Comprehensive Cancer Center between 1999 to 2013. Baylor College of Medicine said the breach names and dates of birth and that Advarra has offered affected individuals complimentary credit monitoring, fraud consultation, and identify theft restoration services.

The post MFA Bypassed in Cyberattack on L.A. County Department of Mental Health appeared first on HIPAA Journal.

Harvard Pilgrim Health Care Increases Ransomware Victim Count to 2.86 Million

Posted by Steve Alder

In February, Harvard Pilgrim Health Care revised the total number of individuals affected by an April 2023 ransomware attack, increasing the total by more than 81,000 to 2,632,275 individuals. That total was increased for the fourth time on March 27, 2024, as the ongoing investigation identified more data that was compromised in the attack. Now, at least 2,860,795 individuals are known to have been affected.

The ransomware attack was discovered on April 17, 2023, with the forensic investigation determining there had been unauthorized access to its network between March 28, 2023, and April 17, 2023. The additional 228,520 affected individuals have now been notified by mail and the notification letters state the exact types of data that were likely compromised in the attack. Harvard Pilgrim Health Care said it is offering complimentary credit monitoring and identity protection services through IDX.

It is not unusual for data breach investigations to uncover additional compromised data. Further data identified as having been accessed in the attack included the information of patients of Brigham and Women’s Physician Organization (BWPO). BWPO is not part of Harvard Pilgrim, but an employee of Harvard Pilgrim Health Care Institute also worked at BWPO part-time. The employee had backed up the contents of their laptop to Harvard Pilgrim’s servers, and the backup file included BWPO data. BWPO learned of the data exposure in January 2024.

BWPO said the backup file included data from January 1, 2017, to May 1, 2019, including names, addresses, phone numbers, dates of birth, medical record numbers, health insurance numbers, and limited clinical information, such as lab results, procedures, medications, and diagnoses related to care provided at BWPO. A BWPO spokesperson said appropriate steps have been taken to address the breach and prevent similar incidents from occurring in the future.

The post Harvard Pilgrim Health Care Increases Ransomware Victim Count to 2.86 Million appeared first on HIPAA Journal.

California and North Dakota Hospitals Report Cyberattacks

Posted by Steve Alder

Cyberattacks have been reported by Pembina County Memorial Hospital, Pomona Valley Hospital Medical Center, and Rancho Family Medical Group. The Massachusetts Department of Developmental Services has discovered documents containing PHI have been left unsecured for a decade.

Pembina County Memorial Hospital

Pembina County Memorial Hospital in Cavalier, ND, has recently confirmed that unauthorized individuals gained access to its network and exfiltrated sensitive patient data. Suspicious activity was detected within its network on April 13, 2023, and after securing its systems, a forensic investigation was launched to determine the nature and scope of the unauthorized activity. The investigation confirmed that there had been unauthorized access to its network between March 7, 2023, and April 13, 2023, and files had been exfiltrated from the network.

The forensic investigation and document review took almost a year, with the hospital stating in its breach notice that those processes were not completed until March 4, 2024. The types of information involved varied from individual to individual and may have included first and last names in combination with one or more of the following: address, phone number, email address, date of birth, driver’s license number, government identification number, vehicle identification number, passport number, Social Security number, patient ID account number, medical information, health information and/or health insurance information.

Pembina County Memorial Hospital said it has implemented additional cybersecurity safeguards, enhanced its cybersecurity training, and revised and updated its policies, procedures, and protocols. Complimentary identity monitoring and protection services have been offered to individuals whose Social Security numbers were involved. The breach is not yet showing on the HHS’ Office for Civil Rights breach portal, but the notification sent to the Maine Attorney General indicates that 23,451 individuals have been affected.

Pomona Valley Hospital Medical Center

Pomona Valley Hospital Medical Center in California is notifying 13,345 individuals about a data breach at a subcontractor of one of its business associates. The hospital used a vendor to run its patient-management tool, and the vendor subcontracted out the storage of the underlying data to another company. In November 2023, the vendor was unable to access the patient management tool and worked with its subcontractor to address the problem. The access problems were due to a ransomware attack.

The attacker was discovered to have accessed patient data, including names, medical record numbers, dates of birth, and clinical information such as allergies, diagnoses, medications, and doctors’ notes. The hospital clarified the data that was involved, verified contact information, and notification letters have now been sent to the affected individuals. The hospital has confirmed that it no longer uses the vendor or subcontractor in connection with patient data.

Rancho Family Medical Group

Rancho Family Medical Group, Inc., a 10-location Californian health system, has confirmed that it has been affected by a data breach at its business associate, KMJ Health Solutions, a provider of online signout and charge capture systems.

Rancho Family Medical Group was notified on January 11, 2024, that there had been unauthorized access to the KMJ Health Solutions network on November 19, 2023. The compromised parts of the network contained the protected health information of 10,480 individuals, including names, dates of birth, hospital medical record numbers, hospital treatment locations, dates of service, and procedure medical codes. Rancho Family Medical Group mailed individuals notifications to the affected individuals on March 11, 2024, along with information about the steps that the affected individuals can take to protect themselves against misuse of their data.

Massachusetts Department of Developmental Services

The Massachusetts Department of Developmental Services (DDS), a state agency that provides support to individuals with intellectual and developmental disabilities across the state, has discovered physical records have been exposed and may have been accessed by unauthorized individuals.

Personal documents containing protected health information were inadvertently left in buildings that were part of the former Walter E. Fernald Developmental Center campus in Waltham, MA, which was sold to the city of Waltham in 2014. The records included the PHI of individuals served by the DSS at the Fernald Developmental Center, as well as some staff records. DDS received a complaint about the documents on January 11, 2024, and visited the facilities to recover the documents the following day.

The documents had been improperly stored in the buildings since 2014 and many had degraded, so it was not possible to tell the exact types of information that had been exposed. Some documents contained names, dates of birth, diagnoses, medical information, medication/prescription information, and other treatment information. Financial account information or Social Security numbers have not been found, but DDS said it could not confirm whether those data types had been exposed due to the state of the documents. Similarly, it may not be possible to determine exactly how many people have been affected. An interim figure of 500 individuals was used when reporting the breach. DDS is now awaiting recommendations from the State Archivist and Secretary of State’s Office on how long the documents should be retained.

The post California and North Dakota Hospitals Report Cyberattacks appeared first on HIPAA Journal.

Benefytt, EMSA, Lindsay Municipal Hospital Affected by Cyberattacks

Posted by Steve Alder

Health Plan Intermediaries Holdings (Benefytt) has been affected by a cyberattack on a vendor, Emergency Medical Services Authority said patient data was exposed in a February cyberattack, and the Bian Lian group has claimed responsibility for a cyberattack on Lindsay Municipal Hospital.

Bian Lian Hacking Group Claims Responsibility for Lindsay Municipal Hospital Cyberattack

Lindsay Municipal Hospital in Oklahoma has recently reported a hacking incident to the HHS’ Office for Civil Rights (OCR) that has affected 500 individuals, a number that is commonly used as a placeholder to meet the breach reporting requirements of the HIPAA Breach Notification Rule when the number of affected individuals has yet to be confirmed.

Aside from the report to OCR, Lindsay Municipal Hospital has remained quiet about the cyberattack and data breach; however, the group behind the attack has not. The Bian Lian hacking group has claimed responsibility for the attack and added Lindsay Municipal Hospital to its data leak site, including evidence to support its claims.

Bian Lian has been in operation since at least 2021 and favors attacks on healthcare providers, manufacturing companies, and law firms, where there is greater potential for a high ransom payment. The group engages in double extortion tactics, where data is stolen, and payment is required to prevent the release of that data and to obtain the keys to decrypt encrypted files. The listing states that the stolen data will be uploaded soon. It is unclear whether Lindsay Municipal Hospital is negotiating with the group.

Patient Data Stolen in Cyberattack on Emergency Medical Services Authority

The Emergency Medical Services Authority (EMSA) in Oklahoma City, OK, has announced that it fell victim to a cyberattack that saw unauthorized individuals gain access to its network between February 10, 2024, and February 13, 2024. The intrusion was detected on February 13, 2024, and systems were shut down to prevent further unauthorized access. The forensic investigation confirmed that the attackers exfiltrated files containing patient data including names, addresses, dates of birth, dates of service, and, for some individuals, the name of their primary care provider and/or Social Security number.

Notification letters have started to be mailed to the affected individuals, although EMSA has yet to publicly confirm how many individuals have been affected. Complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security numbers exposed.

Health Plan Intermediaries Holdings (Benefytt) Affected by Cyberattack on Vendor

Health Plan Intermediaries Holdings, which operates as Benefytt, has recently confirmed that it was affected by a data breach at a business associate of its vendor, Multiplan Inc. Multiplan used the law firm, Orrick, Herrington & Sutcliffe, LLP, which suffered a ransomware attack. Benefytt said its systems and those of Multiplan were unaffected; however, data provided to the law firm to perform its contracted duties was exposed and potentially compromised. The cyberattack was detected on March 13, 2023, and on March 10, 2023, Orrick, Herrington & Sutcliffe confirmed that files containing sensitive data had been stolen. Benefytt said neither MultiPlan nor Orrick could determine which health insurance plans were affected, and that it has been working with the two firms to obtain the necessary information to issue notifications.

Benefytt said it is notifying all affected individuals and is offering them complimentary credit monitoring services. Orrick, Herrington & Sutcliffe reported the breach to the HHS’ Office for Civil Rights on June 30, 2023, as affecting 40,823 individuals; however, the total was revised upwards to 152,818 individuals, and the notification to the Maine attorney General in December 2023 states that 637,620 individuals were affected. It is currently unclear how many Multiplan/Benefytt health plan members have been affected.

The post Benefytt, EMSA, Lindsay Municipal Hospital Affected by Cyberattacks appeared first on HIPAA Journal.

Med-Data Settles Data Breach Lawsuit for $7 Million

Posted by Steve Alder

The Spring, TX-based revenue cycle management company Med-Data has agreed to a $7 million settlement to resolve all claims stemming from a data breach between 2018 and 2019 that involved the protected health information of approximately 136,000 individuals.

Between December 2018 and September 2019, an employee of Med-Data uploaded patient data to the public-facing software development hosting platform GitHub. The files were added to personal folders on GitHub Arctic Code Vault and contained the protected health information of patients of several of its clients. The exposed data included names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data removed the files when it was alerted to the data exposure and offered the affected individuals complimentary credit monitoring and identity protection services.

A lawsuit was filed in response to the data breach that claimed Med-Data failed to adequately protect the sensitive data it obtained from its clients and did not issue timely notifications when the breach was discovered. Med-Data chose to settle the lawsuit and the settlement has received preliminary court approval. There are two tiers to the settlement. The first tier allows affected individuals to claim up to $5,000 to cover documented, unreimbursed losses incurred due to the data breach, including out-of-pocket expenses such as bank fees, credit costs, and communication expenses, up to five hours of lost time at $25 per hour, and losses due to identity theft, identity theft, and medical identity theft.

Alternatively, class members can opt for the second tier, which will provide a cash payment of up to $500 to cover time spent in response to the data breach, including monitoring credit reports, signing up for credit monitoring services, changing passwords, and other actions. Claims will be paid pro rata, depending on the number of claims received.

Regardless of the tier chosen, class members can also claim a 3-year membership to a health data and fraud monitoring service (Medical Shield Premium), which includes a $1 million identity theft insurance policy (Pango). Class members have until April 26, 2024, to object to or exclude themselves from the settlement, and the final approval hearing has been scheduled for September 11, 2024.

The post Med-Data Settles Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.

Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million

Posted by Steve Alder

Roper St. Francis Healthcare has agreed to a $1.5 million settlement to resolve a class action lawsuit that was filed in response to a data breach in 2020. Roper St. Francis Healthcare is a South Carolina-based healthcare system with 4 hospitals and more than 117 healthcare facilities in the state. In late October 2020, Roper St. Francis Healthcare discovered three email accounts had been compromised after employees responded to phishing emails. The email accounts were accessed by unauthorized individuals between October 14 and October 29, 2020. The compromised accounts contained the protected health information of 89,761 patients, including names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information.

A lawsuit was filed in response to the breach that claimed Roper St. Francis Healthcare was negligent by failing to implement reasonable and appropriate cybersecurity measures, and that Roper St. Francis Healthcare should have been aware that it was vulnerable to cyberattacks as it had experienced multiple data breaches in the past. Roper St. Francis Healthcare disagreed with the plaintiffs’ claims and chose to settle the lawsuit with no admission of wrongdoing.

Under the terms of the settlement, individuals who were notified about the data breach by Roper St. Francis Healthcare may claim up to $325 as reimbursement for data breach-related expenses, including credit costs and bank fees, and up to four hours of lost time at $20 per hour. If extraordinary losses have been incurred due to identity theft and fraud, claims may be submitted up to a maximum of $3,250. All class members are entitled to one year of credit monitoring services, in addition to those already offered in the individual notifications about the data breach. The deadline for exclusion from and objection to the settlement is April 30, 2024, and the final approval hearing has been scheduled for May 2, 2024.

The post Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million appeared first on HIPAA Journal.

Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit

Posted by Steve Alder

A $1.45 million settlement has been agreed by Avem Health Partners to resolve claims related to a 2022 data breach involving the protected health information of 271,303 individuals. Avem Health Partners is an Oklahoma City-based provider of administrative and technology services to healthcare organizations. On May 16, 2022, hackers were found to have gained access to the servers of one of its vendors, 365 Data Centers. The unauthorized access occurred on May 14, 2022, and Avem Health Partners was notified about the data breach on September 9, 2022.

The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and diagnosis and treatment information, and the affected individuals were notified by Avem Health Partners in December 2022. Legal action – Bingaman, et al. v. Avem Health Partners Inc. – was taken over the breach with the plaintiffs alleging their protected health information was negligently maintained and had appropriate cybersecurity measures been implemented, the breach could have been prevented. Avem Health Partners chose to settle the lawsuit with no admission of wrongdoing.

Claims will be accepted from individuals who were notified about the data breach by Avem Health Partners. Claims may be submitted for up to $7,000 to cover out-of-pocket expenses incurred due to the data breach, including credit expenses, bank fees, losses to identity theft and fraud, and up to five hours of lost time at $25 per hour. Individuals who do not submit claims to cover losses will be eligible to receive a cash payment of up to $100, although that amount may be reduced depending on the number of claims received.

Regardless of the option chosen, class members will be eligible to receive three years of identity theft protection and credit monitoring services, which include a $1 million identity theft insurance policy. The deadline for objection to and exclusion from the settlement is April 25, 2024, and the final approval hearing has been scheduled for May 10, 2024.

The post Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.