Transformative Healthcare is facing legal action over a recently disclosed data breach that affected 911,757 patients of the Fallon Ambulance Service. The lawsuit also names Coastal Medical Transportation Systems, LLC, as a defendant. Coastal Medical Transportation Systems acquired Fallon Ambulance Services in September 2022, although the data breached was an archive copy of data from before the acquisition.

The lawsuit – Daniel Durgin v. Transformative Healthcare, LLC, and Coastal Medical Transportation Systems, LLC – was filed in the U.S. District Court for the District of Massachusetts on January 18, 2023, on behalf of Daniel Durgin, who received emergency medical transportation from the Fallon Ambulance Service before it ceased operations in December 2022. The lawsuit alleges the defendants should have known how to keep sensitive data protected, yet failed to implement reasonable and appropriate cybersecurity measures and comply with industry security standards, which allowed hackers to gain access to the plaintiff’s and class members’ sensitive data.

The lawsuit claims the plaintiff and class have incurred costs and expenses associated with the time spent mitigating the consequences of the data breach, including checking credit reports for signs of misuse of their data, purchasing credit monitoring services, and having to deal with withdrawal and purchase limits on their accounts, as well as the loss of property value of their personal information, and stress, nuisance, and aggravation of having to deal with the issues caused by the data breach.

The plaintiff and class asset claims of negligence, breach of implied contract, unjust enrichment/quasi-contract, and breach of fiduciary duty. The lawsuit seeks class-action status, a jury trial, monetary and statutory damages, and injunctive relief.

The plaintiff and class are represented by David Pastor of Pastor Law Office, PC, and Nicholas A. Migliaccio and Jason Rathod of Migliaccio & Rathod LLP.

January 2, 2024: More Than 911,000 Individuals Affected by Fallon Ambulance Service Data Breach

Legal counsel for Transformative Healthcare, a Newton MA-based medical, transportation & logistics company, has notified the HHS’ Office for Civil Rights about a data breach that has affected 911,757 individuals. The data breach affected individuals who had previously received services from the Fallon Ambulance Service, the Massachusetts medical transportation arm of Transformative Healthcare. Fallon responded to patient emergencies in the greater Boston area and provided administrative services for affiliated medical transportation companies.

In September 2022, Fallon Ambulance Service was acquired by Coastal Medical Transportation Systems and ceased business operations in December 2022. In order to comply with legal data retention requirements, Transformative Healthcare retained an archived copy of data that was previously stored on Fallon’s computer systems. On or around April 21, 2023, Transformative Healthcare detected unauthorized activity in its archive environment. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the extent of the breach. The forensic investigation confirmed that an unauthorized third party gained access to the archive on February 17, 2023, and retained access to the archive environment until April 22, 2023. During that time, files were copied from the archive.2

The affected files were reviewed and that process was completed on December 27, 2023, when it was confirmed that the files contained names, addresses, Social Security numbers, medical information including COVID-19 testing/ vaccination information, and information provided to Fallon in connection with employment or application for employment.

While data was removed from the archive, neither Fallon nor Transformative Healthcare have found any evidence to indicate misuse of the data. Affected patients were notified by mail on December 27, 2023, and credit monitoring and identity theft protection services are being offered to the affected individuals.

The post Transformative Healthcare Sued Over Fallon Ambulances Service Data Breach appeared first on HIPAA Journal.

Anna Jaques Hospital in Newburyport, MA, experienced a cyberattack on Christmas Day that resulted in an outage of its medical record system. The decision was taken to divert ambulances to other hospitals in the area until systems could be restored. On December 26, 2023, the emergency department started accepting patients. Few details have been released at this stage about the exact nature of the cyberattack and it is too early to tell if the attackers gained access to patient information. Third-party cybersecurity experts have been engaged and are investigating the attack and further information will be released as the investigation progresses.

Volunteer at NYC Health + Hospitals Impermissibly Accessed Patient Data

NYC Health + Hospitals has recently announced there has been an unauthorized disclosure of patients’ protected health information. NYC Health + Hospitals said it discovered on October 23, 2023, that an employee of NYC Health + Hospitals/Kings County allowed a Kings County volunteer to assist with processing laboratory test specimens for Kings County patients; however, the volunteer was not authorized to work in the laboratory and was not permitted to access patients’ protected health information.

While assisting in the laboratory, the volunteer accessed patients’ names, dates of birth, medical record numbers, locations within the hospital, and the laboratory tests ordered. Affected individuals had laboratory tests performed between October 2, 2021, and August 14, 2023. While PHI was impermissibly accessed, there are no indications that any of that information has been misused.

NYC Health + Hospitals said it has taken steps to prevent similar incidents from occurring in the future, including notifying all laboratory personnel that they are not permitted to provide non-employees with access to any NYC Health + Hospitals laboratories. NYC Health + Hospitals has also confirmed that the employee no longer works for NYC Health + Hospitals and has been barred from future employment at NYC Health + Hospitals, and the volunteer is no longer volunteering at NYC Health + Hospitals and has been barred from future volunteer work at NYC Health + Hospitals.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

The post Anna Jaques Hospital Suffers Christmas Day Cyberattack appeared first on HIPAA Journal.

ProSmile Holdings, LLC, a New Jersey dental service organization, started notifying patients on December 22, 2023, about a breach of its email environment. Suspicious activity was detected in July 2022, and a third-party cybersecurity company was engaged to investigate the unauthorized activity and determine if any sensitive data had been exposed or compromised. ProSmile Holdings was notified on December 1, 2022, that numerous email accounts had been compromised and accessed without authorization, and personal and protected health information may have been accessed or acquired.

On January 27, 2023, ProSmile Holdings engaged a vendor to conduct a review of the affected files, and the review was completed on November 29, 2023. The compromised information included names, dates of birth, Social Security numbers, driver’s license or other state identification card numbers, financial account numbers, payment card numbers, medical treatment information, diagnosis or clinical information, provider information, prescription information, and health insurance information.

ProSmile Holdings made an announcement about the data breach on March 28, 2023, but was unable to confirm at that time how many individuals had been affected or what data had been exposed. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

It is also unclear why it took 5 months to discover that patient data was involved, a further two months to initiate a document review, and 10 months to complete that review. The first announcement about the breach was not made for 7 months, and it has taken 17 months for individual notifications to be issued.

Valley Health System Affected by Data Breach at ESO Solutions

Valley Health System in Las Vegas has confirmed that it was affected by a ransomware attack and data breach at its software vendor, ESO Solutions, in late September. ESO notified Valley Health System about the breach in late October and confirmed that patient names, phone numbers, addresses, and some personal or health information were compromised. The breach has affected 5 Valley Health System hospitals: Centennial Hills Hospital, Desert Springs Hospital, Spring Valley Hospital, Summerlin Hospital, and Valley Hospital. The affected individuals were notified about the breach on December 12, 2023.

The post ProSmile Holdings Notifies Patients About July 2022 Data Breach appeared first on HIPAA Journal.

Pan-American Life Insurance Group, Inc. (PALIG) has recently confirmed that it was one of the victims of the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023.

PALIG was notified about the vulnerability by Progress Software and immediately disabled to software until the patch could be applied. The patch was applied, and steps were taken to improve the security of its systems. At the same time, an investigation was launched to determine if the vulnerability had been exploited, and that proved to be the case. On October 5, 2023, PALIG determined that files had been removed from the MOVEit server that contained the protected health information of 105,387 individuals, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, contact information, medical and medical benefits information, subscriber numbers, certain biometric data, and financial account and credit card information.

PALIG has now notified those individuals and has offered complimentary credit monitoring services. PALIG has also confirmed that steps have been taken to further improve security and ensure the security of third-party transfer tools.

Bellin Health Notifies Patients About October Cyberattack

Bellin Health has recently announced that an unauthorized third party gained access to its internal systems and may have viewed or acquired the information of patients who purchased home care equipment between 2006 and 2013. Unauthorized activity was detected within its computer systems on October 27, 2023. Its IT security team immediately took steps to contain the activity and launched an investigation to determine the nature and scope of the unauthorized activity.

Assisted by third-party cybersecurity experts, Bellin Health determined that a cyber actor gained access to a folder containing archived scanned documents that contained patient names in combination with one or more of the following: address, phone number, date of birth, and/or health information related to home care equipment. A limited number of documents also included Social Security numbers.

Bellin Health said it has strengthened system security and will continue investing in cybersecurity. The breach was reported to the HHS’ Office for Civil Rights as affecting 20,790 individuals. Patients whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Clay County, Minnesota Suffered a Ransomware Attack in October

Clay County in Minnesota announced on December 22, 2023, that it fell victim to a ransomware attack in October. The unauthorized activity was detected in its electronic document management system on October 27, 2023, and the forensic investigation revealed there had been unauthorized access between October 23, 2023, and October 26, 2023, when ransomware was used to encrypt files.

The investigation confirmed that access had been gained to names in combination with one or more of the following: address, date of birth, Social Security number, information regarding services provided by Clay County Social Services (locations of service, dates of service, client identification number or unique identifier), insurance identification number, and insurance or billing information.

Clay County officials confirmed that they have taken several steps to improve security, including implementing multifactor authentication for remote access to the compromised CaseWorks application, updating procedures for external access by vendors, implementing tools to enhance detection and accelerate the response to cyber incidents, and implementing enhanced technical security measures for the CaseWorks application.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Pan-American Life Insurance Group Reports 105,000-Record Data Breach appeared first on HIPAA Journal.

Almost 456,000 individuals have been affected by a Retina Group of Washington data breach and have started receiving notifications, 9 months after the breach occurred.

On December 22, 2023, Retina Group of Washington, PLLC, filed a breach report with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that involved the protected health information of 455,935 individuals. Notification letters started to be mailed the same day.

According to the notification letters, Retina Group of Washington started experiencing difficulty accessing information on some of its systems on March 26, 2023. An investigation was launched, and the Federal Bureau of Investigation (FBI) was notified, and it was determined that the file access problems were due to a cyberattack.

Retina Group of Washington did not state the cause of the cyberattack but the wording of the letters suggests this was a ransomware attack. In the notification letters, Retina Group of Washington said the investigation into the cyberattack is still ongoing, but it has been confirmed that patient data was stolen in the attack.

The types of information involved include names, addresses, telephone numbers, email addresses, dates of birth, demographic information, Social Security numbers, Driver’s license numbers, medical record numbers, health information, payment information, and health insurance information.

Retina Group of Washington said it has not identified any attempted or actual misuse of patient data and will continue to implement additional procedures and security measures to strengthen the security of its systems.

Based on the breach notifications, it does not appear that credit monitoring and identity theft protection services are being offered. Affected patients have been told to “remain vigilant against incidents of identity theft and fraud, to review their account and explanation of benefits statements, and to monitor their free credit reports for suspicious activity and to detect errors.” Retina Group of Washington also suggests placing a credit freeze on accounts.

The post Retina Group of Washington Data Breach Affects 456,000 Patients appeared first on HIPAA Journal.

Integris Health has agreed to pay $30 million to settle class action data breach litigation. The settlement resolves claims stemming from a major data breach in 2023 that saw hackers gain access to systems containing the electronic protected health information of more than 2.38 million individuals.

Integris Health, one of the largest health systems in Oklahoma, first announced the cyberattack and data breach in December 2023. Hackers gained access to its computer network on November 28, 2023, and exfiltrated files containing patient data. The threat actor did not encrypt files but demanded payment to prevent the release of the stolen data. On December 24, 2025, Integris Health started to be contacted by patients who had been contacted directly by the threat actor, who was demanding $50 per patient to delete their stolen data.

The HHS’ Office for Civil Rights was notified about the data breach in February 2024 and was told that the protected health information of 2,385,646 individuals was compromised in the attack. The stolen data included names, contact information, birth dates, demographic information, and Social Security numbers. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Bointy, et al. v. Integris Health, Inc. – as the lawsuits had overlapping claims and were based on the same facts.  In total, ten class action lawsuits were filed in the District Court of Oklahoma County, and a further eleven were filed in the U.S. District Court for the Western District of Oklahoma.

The consolidated lawsuit was filed in the District Court of Oklahoma County and alleged that Integris Health had failed to implement reasonable and appropriate safeguards to protect the data stored on its network. In contrast to the OCR breach portal, the lawsuit claimed the protected health information of 2,426,868 individuals was compromised in the incident, including 255,647 minors.

Integris Health claimed that business associate Tech Mahindra, LLC, was to blame for the breach, as it was caused by its failure to maintain reasonable and appropriate cybersecurity measures. Tech Mahindra filed a motion to compel arbitration and dismiss the lawsuit, and Integris Health voluntarily dismissed Tech Mahindra from the litigation. Integris Health maintains there was no wrongdoing and is no liability and denies all material allegations made by the plaintiffs; however, the decision was taken to settle the lawsuit to avoid the cost, risk, and uncertainty of continuing with the litigation. Following settlement discussions between Integris Health and legal counsel for the plaintiffs, a suitable settlement was agreed upon, which has now received preliminary approval from the court.

The settlement provides substantial benefits for the class members. Integris Health has agreed to establish a $30 million settlement fund to cover attorneys’ fees and expenses, service awards for class representatives, settlement administration costs, and benefits for the class members. Benefits will be paid from the remainder of the settlement fund after all costs have been deducted.

All class members are entitled to claim three years of credit monitoring services, which include a $1 million identity theft insurance policy. In addition, class members may claim one of two cash payments. Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $25,000 per class member. Alternatively, a claim may be submitted for a cash payment, which is estimated to be $100 per class member, but will be adjusted pro rata upward or downward depending on the number of valid claims received. The cash payments will exhaust the settlement fund.

Individuals wishing to object to or exclude themselves from the settlement must do so by December 21, 2025. Claims must be submitted by December 22, 2025, and the final approval hearing has been scheduled for December 16, 2025.

February 13, 2025: Integris Health Confirms 2.39 Million Individuals Affected by Cyberattack

Integris Health has completed the review of the files that were accessed/stolen in its November 2023 cyberattack and has reported the incident to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as affecting 2,385,646 individuals. The HIPAA breach notices explain that the information stolen in the cyberattack varies from individual to individual and includes names in combination with one or more of the following: date of birth, contact information, demographic information, and/or Social Security number. Integris Health’s investigation confirmed that employment information, driver’s licenses, financial/payment information, and usernames/passwords were not accessed or stolen. Integris Health said it has reviewed and enhanced existing policies and procedures to reduce the likelihood of a similar future incident.

The lawsuits against Integris Health are mounting. One of the latest, Johnston v. Integris Health Inc., was filed in the U.S. District Court for the Western District of Oklahoma and names Teresa Johnson as lead plaintiff. The lawsuit alleges negligence for failing to implement reasonable and appropriate safeguards and seeks compensatory damages, punitive damages, nominal damages, restitution, injunctive and declaratory relief, and attorney fees and costs. The class action lawsuits make similar claims and and are based on the same facts, so they are likely to be consolidated into a single lawsuit.

Jan 4, 2024: Integris Health Facing Multiple Class Action Lawsuits Over Cyberattack & Data Breach

Several class action lawsuits have been filed against Integris Health over its recent cyberattack and data breach. While Integris Health has yet to confirm how many individuals have been affected, the threat actor behind the attack claims to have obtained the data of around 2 million patients and emailed those patients directly on December 24, 2023, demanding payment after Integris Health refused to pay the ransom.

One of the lawsuits – Zinck et al v. Integris Health Inc. – was filed by William Federman of the law firm Federman & Sherman in the U.S. District Court for the Western District of Oklahoma on behalf of plaintiff Aaron Zinck and similarly situated individuals. The lawsuit alleges that Integris Health failed to implement reasonable and appropriate security measures to protect patient data, despite being aware of a high risk of ransomware and other cyberattacks on hospitals.

Federman criticized Integris Health for the lack of transparency about the cyberattack and data breach, claiming Integris Health did not make any announcement about the attack until after patients were contacted directly by the hackers. Integris Health explained in its notification to patients that the threat actor gained access to its systems on November 28, 2023. Federman alleges Integris Health withheld important information that could have allowed the plaintiff and class members to take action to secure their identities and protect against fraud. While it is typical for healthcare organizations to offer complimentary credit monitoring and identity theft protection services when sensitive data is known to have been stolen, those services do not appear to have been offered.

The lawsuit seeks a jury trial, an award of damages, and attorney’s fees. Several other lawsuits have also been filed in the past few days that make similar claims, including Joseph E Bointy v. Integris Health, Gregory Leeb v. Integris Health, and Civi et al v. Integris Health Inc.

December 27, 2023 – Integris Health Patients Contacted Directly by Threat Actors After Cyberattack

Integris Health, the largest not-for-profit Oklahoma-owned health system in the state, has confirmed that its internal systems have been compromised in a cyberattack and an unauthorized third party obtained patient data. Integris Health operates 15 hospitals in Oklahoma and many specialty clinics, family care practices, and centers of excellence. Integris Health uploaded a notice to its website on December 24, 2023, about a data privacy incident. According to Integris Health, suspicious activity was detected within its IT systems, and immediate action was taken to prevent further unauthorized access. An investigation was launched to determine the nature and scope of the breach, which revealed that the unauthorized access started on November 28, 2023. The unauthorized actor exfiltrated sensitive data from Integris Health’s systems but did not encrypt files.

Integris Health has conducted a review of the affected files and has confirmed that the compromised information includes names, dates of birth, contact information, demographic information, and Social Security numbers. Integris Health said health information, financial information, driver’s licenses, and usernames/passwords were not stolen. On December 24, 2023, Integris Health started to be contacted by some of its patients after they received communications from a group that claimed responsibility for the cyberattack. The threat group explained in the communications with patients that they had obtained names, dates of birth, SSNs, addresses, phone numbers, insurance information, and employer information, and that they would be selling the data on the dark web to be used for fraud and identity theft. Patients were told they could prevent the sale of their data by making a payment before January 5, 2024; otherwise, the entire database will be sold to a data broker. The communications with patients include a sample of the stolen data as proof, which some patients have confirmed is genuine.

The threat actor claims to have obtained the protected health information of more than 2 million Integris Health patients, and that the reason for demanding payment from patients is that Integris Health has refused to pay to have the information deleted. The patients have been provided with a Tor link to make payment and the threat actor is charging individuals $3 to view their stolen data or $50 to have the data deleted. According to Bleeping Computer, the Tor extortion site lists 4,674,000 records, although it is unclear if all of those records are unique. Integris Health has yet to confirm how many individuals have been affected.

There have been several recent cyberattacks where individual patients have been contacted directly by the threat actors behind the attack after the breached organization refused to pay a ransom demand. Earlier this year, patients of a plastic surgery clinic were contacted directly and were told that sensitive photographs and other information had been put in the public domain and payment was required to have the information taken down. Recently, the Hunters International threat group contacted patients of the Fred Hutchinson Cancer Center when the ransom was not paid and told the patients they had to pay $50 to have their information deleted, otherwise it would be sold. The data was stolen in a cyberattack over the Thanksgiving Day weekend.

While paying the $50 may result in the stolen data being deleted, there is no guarantee. Individuals who pay up could be subjected to further extortion attempts, and/or their sensitive data may still be sold.  “We encourage anyone receiving such communications to NOT respond or contact the sender, or follow any of the instructions, including accessing any links,” said Integris Health in its website notification.

The post $30 Million Settlement Agreed to Resolve Integris Health Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.