HIPAA Breach News

Magellan Health Settles Class Action Data Breach Lawsuit for $1.43 Million

Magellan Health has agreed to settle a class action data breach lawsuit and will create a $1.43 million fund to cover claims from patients affected by the breach.

The lawsuit – Dearing v. Magellan Health Inc. et al. – was filed in the Arizona Superior Court against Magellan Health Inc. and Magellan RX Management, LLC on behalf of patients whose protected health information was exposed in a May 2019 phishing attack. Unauthorized individuals gained access to emails and email attachments that contained patients’ protected health information, including names, Social Security numbers, and health information. Approximately 273,000 individuals were affected and had their protected health information exposed.

The plaintiffs alleged the defendants failed to implement appropriate cybersecurity measures to prevent unauthorized access to sensitive patient data and had those safeguards been implemented, the data breach would have been prevented. The plaintiffs alleged the security failures were in violation of the Health Insurance Portability and Accountability Act, although the lawsuit was filed over the violation of state laws.

The plaintiffs also took issue with how Magellan Health handled the data breach and the delay in issuing notifications. The phishing attack occurred in May 2019, was not detected until July 2019, and notification letters were not sent to affected individuals until November 2019, 6 months after the attack. Had notifications been issued sooner, the plaintiffs argued that they could have taken steps to protect against identity theft and fraud.

The decision was taken to settle the lawsuit to prevent further legal costs and to avoid the uncertainty of trial. The defendants made no admission of wrongdoing and do not accept any liability for the data breach. Under the terms of the settlement, $1.43 million will be made available to cover claims from the class members.

All class members are entitled to submit claims of up to $225 to cover ordinary out-of-pocket expenses, such as the costs of credit reports, telephone calls, and Internet usage, and up to two hours of lost time at $15 per hour. Class members that have incurred costs related to credit monitoring and fraud resolution may also be able to claim back those costs. Claims may be submitted for extraordinary losses up to $2,500, such as monetary losses due to fraud and identity theft, as well as a further 3 hours of lost time at $15 per hour. Those claims must be supported by appropriate documentation.

Class members have until November 15, 2022, to exclude themselves or object to the settlement. The final approval hearing for the settlement is December 2, 2022, and all claims must be submitted by December 15, 2022.

The post Magellan Health Settles Class Action Data Breach Lawsuit for $1.43 Million appeared first on HIPAA Journal.

Physicians Business Office Reports Data Breach Affecting 196,573 Individuals

Physicians Business Office (PBO), a Parkersburg, WV-based provider of medical practice management and administrative services, has recently disclosed a security incident that occurred in April 2022. PBO detected unusual activity within its network and took immediate steps to isolate the affected systems and prevent further unauthorized access. A third-party computer forensics company was engaged to determine the nature and scope of the breach and assist with the incident response.

The forensic investigation confirmed files were present on the compromised systems that contained the protected health information of certain individuals, including names, home addresses, dates of birth, Social Security numbers, driver’s license numbers, medical treatment and diagnosis information, disability codes, prescription information, and health insurance account information. Those files were potentially accessed and may have been copied from its systems.

PBO said the review of the files on its systems took until June 30, 2022, and the affected healthcare provider clients were notified about the breach on July 26, 2022. Consent was then obtained to send notification letters on behalf of the affected healthcare provider clients, and work commenced on obtaining up-to-date contact information for the affected individuals. That process was completed on September 16, 2022, and notification letters were sent shortly thereafter. Affected individuals have been offered complimentary credit and identity monitoring services. PBO said it has now implemented additional security measures to reduce the risk of future breaches.

The data breach has been reported to the HHS’ Office for Civil Rights as affecting up to 196,573 individuals.

Data Breach Affects More than 58,500 Reelfoot Family Walk-In Clinic Patients

Dyersburg Family Walk-In Clinic, doing business as Reelfoot Family Walk-In Clinic in Dyersburg, TN, has recently notified 58,562 patients that some of their protected health information has been acquired by unauthorized individuals who gained access to its computer systems.

Suspicious activity was detected in its computer systems on July 24, 2022, and immediate action was taken to investigate and mitigate the activity. Third-party forensics specialists were engaged to investigate the breach and confirmed that the attackers had access to its systems between July 10, 2022, and August 14, 2022, and during that time certain files were exfiltrated from its systems.

The review of all files potentially accessed was completed on September 16, 2022. Reelfoot said the information that was subjected to unauthorized access included names, Social Security numbers, dates of birth, full home addresses, diagnoses, disability codes, lab results, medications, medical records, other treatment information, driver’s license numbers, financial account information, claims information, patient IDs and other identifiers, and other billings information.

Reelfoot said it is working on improving the security of its systems and will be providing further security awareness training to its workforce. Affected individuals have been offered complimentary credit monitoring services for 12 months.


Humana Members Impacted by Choice Health Data Breach

Humana has recently announced that the protected health information of 22,767 individuals has potentially been compromised in a security incident and data breach at one of its business associates – Choice Health – which Humana used to sell Medicare products on its behalf. On May 18, 2022, Choice Health learned that a Choice Health database was accessible over the Internet, with the investigation confirming the misconfiguration was caused by a third-party service provider.

An unauthorized individual gained access to the database, removed certain database files, and threatened to publicly release the stolen data. The exposed database was detected by Choice Health on May 14, 2022, with the theft of database files identified on May 18. The unauthorized access and data theft occurred on or around May 7, 2022.

Initially, it was thought that the breach was limited to Choice Health lead generation and marketing information; however, further investigations confirmed that the data of some of its carrier partners had also been compromised, including first and last names, Social Security numbers, Medicare beneficiary identification numbers, dates of birth, addresses, other contact information, and health insurance information.

Choice Health worked with its service provider to ensure the database was secured and additional data security measures have been implemented to prevent similar occurrences in the future. Complimentary memberships to credit monitoring and identity theft protection services have been offered to affected individuals.

Tessie Cleveland Community Services Corp Reports Email Account Breach

The Los Angeles, CA-based mental health clinic, Tessie Cleveland Community Services Corp (TCCSC), has recently announced that an unauthorized third party gained access to the email accounts of some of its employees and potentially viewed or obtained the protected health information of patients.

TCCSC identified the unauthorized access on July 20, 2022, and, assisted by a cybersecurity firm, it was confirmed that the email accounts were compromised between June 17, 2022, and June 30, 2022. The investigation suggested the attackers were not interested in obtaining patient information; rather, this was an attempted business email compromise attack intended to commit fraud against TCCSC. However, the theft of patient data could not be ruled out.

The review of the compromised email accounts confirmed they contained information such as names, demographic information, health insurance identification numbers, limited information regarding care at Tessie, and in some instances, Social Security numbers. Up to 9,747 patients have been notified that their information has been exposed. Credit monitoring services have been offered to eligible individuals.

Email Accounts Breached at Easterseals-Goodwill Northern Rocky Mountain

Easterseals-Goodwill Northern Rocky Mountain, a Great Falls, MT-based provider of services to children and adults with disabilities, has announced a breach of eight employee email accounts and the exposure of the protected health information of 3,886 patients.

Easterseals-Goodwill did not state in its notification letters when the unauthorized access was discovered but said the forensic investigation concluded on July 20, 2022, and determined the email accounts were accessed by an unauthorized individual between October 12, 2021, and November 11, 2021. The email accounts contained names, Social Security numbers, and other personal information, but did not involve its marketing email subscriber list, store transaction information, or donor information.

Notifications were sent to affected individuals on September 16, 2022. Complimentary credit monitoring services have been offered to individuals who had their Social Security numbers exposed. Internal controls have been augmented to prevent similar breaches in the future.


Cyberattacks Reported by Wolfe Clinic, Reiter Affiliated Companies, & SERV Behavioral Health System

Wolfe Clinic, P.C., in Iowa has recently confirmed that it was affected by the data breach at the electronic medical record provider, Eye Care Leaders. The attack exposed the protected health information of 542,776 current and former Wolfe Clinic patients.

Wolfe Clinic used the myCare Integrity medical records platform, which was accessed by an unauthorized party on or around December 4, 2021, who deleted databases and system configuration files. A forensic investigation of the security incident was conducted but the deletion of files meant there was a lack of forensic evidence, so it was not possible to determine whether the PHI of Wolfe Clinic patients was accessed or acquired in the attack. Wolfe Clinic said names, addresses, birth dates, Social Security numbers, diagnostic information, and health insurance information were potentially compromised.

At the time of issuing notifications, Wolfe Clinic had not received any reports of identity theft and fraud related to the Eye Care Leaders data breach. Affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services.

The Eye Care Leaders data breach is known to have affected at least 40 eye care providers and resulted in the exposure of the PHI of at least 3.6 million patients.

Reiter Affiliated Companies Reports June 2022 Cyberattack

Reiter Affiliated Companies, the largest fresh, multi-berry producer in the world, has recently confirmed that an unauthorized third party gained access to its network between June 25, 2022, and July 4, 2022. The attack was detected on July 4, 2022, when certain systems were made unavailable. Prompt action was taken to secure its systems to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the attack. The forensic investigation confirmed that files had been exfiltrated from its systems during the period of unauthorized access, and those files included Health and Wellness Plan enrollment rosters that contained plan member names, dates of birth, and Social Security numbers.

Affected individuals have been notified by mail and have been offered complimentary credit monitoring and identity theft protection services. Reiter Affiliated Companies said steps have been taken to improve security to prevent further data breaches in the future.

The breach has been reported to the HHS’ Office for Civil Rights by Reiter Affiliated Companies, LLC as affecting 45,000 individuals, and by the Reiter Affiliated Health and Welfare Plan as affecting 45,000 individuals.

SERV Behavioral Health System Confirms May 2022 Cyberattack

SERV Behavioral Health System in New Jersey has recently announced that it was the victim of a cyberattack in which the protected health information of 8,110 individuals was potentially compromised. The health system said the attack was detected on May 27, 2022, with the forensic analysis concluding on August 4, 2022. SERV said it found no evidence that any patient information was viewed or obtained in the attack, but it was not possible to rule out the possibility of data theft. The review of all files potentially accessed confirmed they contained names, contact information, Social Security numbers, driver’s license numbers, and health information.

Affected individuals have now been notified by mail and steps have been taken to improve security to prevent further attacks of this nature. The Hive ransomware gang claimed responsibility for the attack.


Lubbock Heart & Surgical Hospital and NorthStar Healthcare Consulting Disclose Cyberattacks

Lubbock Heart & Surgical Hospital in Texas has recently announced it was the victim of a hacking incident that resulted in disruption to the operations of some of its IT systems. The cyberattack was detected by the hospital on July 12, 2022, and immediate action was taken to contain the incident and prevent further unauthorized access, and forensics experts were engaged to determine the nature and scope of the attack. The investigation confirmed its systems were accessed by the attackers between July 11 and July 12, but it was not possible to determine if any files containing patient information had been accessed or copied from its systems.

The files potentially accessed included patient information such as names, contact information, demographic information, dates of birth, Social Security numbers, diagnosis and treatment information, prescription information, medical record numbers, provider names, dates of service, and health insurance information.

Lubbock Heart & Surgical Hospital said security safeguards and technical measures have been enhanced to prevent further security incidents. Notification letters were sent to the 23,379 affected individuals on September 9, 2022. Complimentary credit monitoring and identity theft protection services have been offered to individuals who had their Social Security numbers exposed.

NorthStar Healthcare Consulting Data Breach Affects 18,354 Patients

Alpharetta, GA-based NorthStar Healthcare Consulting, a business associate supporting Optum Rx, which provides pharmacy benefit management services to the Georgia Department of Community Health, Medical Assistance Plans Division, has reported a breach of an employee email account and the exposure of sensitive patient information.

According to the breach notice submitted to the Vermont Attorney General, suspicious activity was detected in the email account on April 20, 2022. Third-party forensic investigators were engaged to investigate the incident which confirmed the email account had been accessed by an unauthorized individual, but it was not possible to confirm which, if any, emails containing protected health information had been accessed, or if emails had been copied. The investigation concluded on July 15, 2022, and work began on obtaining up-to-date contact information to issue notifications.

NorthStar Healthcare Consulting said the emails contained names, addresses, birth dates, Medicaid numbers, medication names, prescriber names, and appeal numbers, and for a limited number of patients, brief notes on diagnosis and related symptoms. NorthStar Healthcare Consulting said steps have been taken to improve email security and complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 18,354 individuals.


Data Breaches Reported by Physicians’ Spine and Rehabilitation Specialists of Georgia and One Medical Inc.

The Physicians’ Spine and Rehabilitation Specialists of Georgia (PSRSG) has notified 38,765 patients that some of their protected health information has potentially been compromised in a cyberattack that occurred on or around July 11, 2022. A team of external cybersecurity experts was engaged to assist with the investigation and remediation efforts, and its systems were successfully restored within a few days without causing any material delays to clinical care.

PSRSG said numerous security measures had been implemented prior to the attack, but the attackers were able to circumvent those defenses. Steps have since been taken to enhance security to prevent similar breaches in the future. The forensic investigation confirmed the attacker had access to its systems for around a week before the intrusion was detected and blocked.

It was not possible to determine which files were accessed or if any sensitive information was stolen in the attack, but the attacker claimed to have stolen sensitive data from its systems and threatened to release that information publicly. A review of the files on the compromised systems confirmed they contained protected health information, which included names, birth dates, contact information, Social Security numbers, driver’s license numbers, treatment information, guarantor information, and insurance information. The types of data in the files varied from individual to individual. PSRSG said affected individuals have been notified and offered free credit monitoring and identity theft insurance through Experian, “solely to give patients peace of mind.”

One Medical, Inc. Confirms Hacking Incident and Potential Data Breach

The Sherman, TX-based healthcare provider, One Medical Inc., has recently confirmed that it was the victim of a cyberattack in which names, addresses, medical information, and Social Security numbers were potentially compromised. The data breach was reported to the Attorney General of Texas on September 9, 2022, as a hacking incident. Limited information is currently available, but the breach appears to have affected at least 964 Texas residents.

This is the second data breach to have hit the firm in the past year or so. In July 2021, One Medical reported an email error in which the PHI of 1,009 individuals was impermissibly disclosed.


August 2022 Healthcare Data Breach Report

For the third successive month, the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights has fallen, with 49 breaches of 500 or more records reported in August – well below the 12-month average of 58 breaches per month. The 25.75% decrease from July 2022 was accompanied by a significant reduction in breached records, which dropped almost 30% month over month.

Chart: Healthcare data breaches in the past 12 months

Across the 45 data breaches, 3,741,385 healthcare records were exposed or impermissibly disclosed – well below the 5,135,953 records that were breached in August 2021, although slightly more than the 12-month average of 3,382,815 breached healthcare records per month.

Chart: Breached healthcare records over the past 12 months

Largest Healthcare Data Breaches Reported in August 2022

18 healthcare data breaches of 10,000 or more records were reported to the HHS’ Office for Civil Rights in August 2022, which have been summarized in the table below. It should be noted that the exact nature of the data breach is not always reported by the breached entity, such as if ransomware was used to encrypt files.

As the table below shows, the largest reported data breach of the month occurred at Novant Health and was due to the use of a third-party JavaScript code snippet, Meta Pixel, on the healthcare provider’s website. The snippet is used on websites to track visitor activity, but it can send PHI to Meta (Facebook), which can then be used to serve targeted ads. Novant Health said a misconfiguration had resulted in the code being added behind the login on its patient portal.

So far, Novant Health is the only healthcare provider to report such a breach, even though investigations have revealed many other healthcare organizations have used the code snippet on their websites, several of which added the code to their patient portals. Multiple lawsuits have been filed over these privacy breaches.
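The Novant Health incident turns on where a tracker loads, not whether it is present at all. The following is an added example, not code from HIPAA Journal or Novant Health: a static audit a web team can run over rendered portal pages before release, which flags known tracker hosts and `fbq()` calls and grades them higher when the page sits behind login. The hostnames, pixel id and sample pages are constructed.

```python
"""Static audit of HTML for third-party tracking snippets such as Meta Pixel.
Added example, not HIPAA Journal's or Novant Health's code; hostnames, pixel id
and sample pages are constructed. The same tracker is graded 'medium' on a
public page and 'high' behind the patient-portal login, where it can see PHI."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, deliberately non-exhaustive list; extend with what your CSP denies.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel beacon",
}
INLINE_PATTERNS = {
    re.compile(r"\bfbq\s*\(\s*['\"](?:init|track|trackCustom)"): "Meta Pixel fbq() call",
}

class TrackerScanner(HTMLParser):
    """Collect external script/img/iframe sources and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external_srcs = []   # (tag, url)
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.external_srcs.append((tag, attrs["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)

def audit_page(html, first_party_host, authenticated):
    """Return findings as dicts (kind, evidence, severity).
    Known tracker: 'high' on an authenticated page (URLs, button labels and form
    values it reports can carry PHI), 'medium' on a public one. Any other
    third-party host: 'low', to be checked against the approved-vendor list."""
    scanner = TrackerScanner()
    scanner.feed(html)
    tracker_severity = "high" if authenticated else "medium"
    findings = []
    for tag, src in scanner.external_srcs:
        host = urlparse(src).hostname or ""
        if host in ("", first_party_host):
            continue  # relative or first-party resource
        label = TRACKER_HOSTS.get(host, "Unknown third-party resource")
        severity = tracker_severity if host in TRACKER_HOSTS else "low"
        findings.append({"kind": label, "evidence": f"<{tag} src={src}>",
                         "severity": severity})
    for body in scanner.inline_scripts:
        # Pixel loaders are usually injected from inline JS, so scan bodies too.
        for host, label in TRACKER_HOSTS.items():
            if host in body:
                findings.append({"kind": label, "evidence": host,
                                 "severity": tracker_severity})
        for pattern, label in INLINE_PATTERNS.items():
            match = pattern.search(body)
            if match:
                findings.append({"kind": label, "evidence": match.group(0),
                                 "severity": tracker_severity})
    return findings

def highest_severity(findings):
    """Collapse findings into one verdict, usable as a release gate."""
    order = ["none", "low", "medium", "high"]
    return max((f["severity"] for f in findings), key=order.index, default="none")

# Constructed sample: portal page behind login carrying a pixel snippet.
PORTAL_PAGE = """<html><head>
<script src="/static/portal.js"></script>
<script>
!function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Your appointments</h1></body></html>"""

# Constructed sample: public page pulling one library from a vendor CDN.
PUBLIC_PAGE = """<html><head>
<script src="https://cdn.example-vendor.test/lib.js"></script>
</head><body><h1>Find a location</h1></body></html>"""

if __name__ == "__main__":
    for name, page, authed in (("portal", PORTAL_PAGE, True), ("public", PUBLIC_PAGE, False)):
        results = audit_page(page, "www.example-health.test", authed)
        print(name, highest_severity(results), [f["kind"] for f in results])
```

Run against saved copies of post-login pages (or a crawler's output) rather than the marketing site alone, since the portal is where the Novant Health misconfiguration lived.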

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|
| Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. | NC | Business Associate | 1,362,296 | Electronic Medical Record | Unauthorized disclosure to Meta through Meta Pixel code snippet on website |
| Practice Resources, LLC | NY | Business Associate | 942,138 | Network Server | Ransomware attack |
| Warner Norcross and Judd, LLP | MI | Business Associate | 255,160 | Network Server | Hacking and data theft incident |
| California Department of Corrections and Rehabilitation | CA | Healthcare Provider | 236,000 | Network Server | Hacking incident |
| Conifer Revenue Cycle Solutions, LLC | TX | Business Associate | 134,948 | Email | Hacking of Microsoft 365 Environment |
| Common Ground Healthcare Cooperative | WI | Health Plan | 133,714 | Network Server | Ransomware attack on a business associate (OneTouchPoint) |
| Methodist McKinney Hospital | TX | Healthcare Provider | 110,244 | Network Server | Hacking and data theft incident |
| First Choice Community Health Care, Inc. | NM | Healthcare Provider | 101,541 | Network Server | Hacking incident |
| Onyx Technology LLC | MD | Business Associate | 96,814 | Network Server | Hacking incident |
| EmergeOrtho | NC | Healthcare Provider | 68,661 | Network Server | Ransomware attack |
| Lamoille Health Partners | VT | Healthcare Provider | 59,381 | Network Server | Ransomware attack |
| Henderson & Walton Women’s Center, P.C. | AL | Healthcare Provider | 34,306 | Email | Hacking incident |
| St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 31,573 | Network Server | Hacking incident at billing vendor |
| San Diego American Indian Health Center | CA | Healthcare Provider | 27,367 | Network Server | Hacking and data theft incident |
| Rock County Human Services Department | WI | Healthcare Provider | 25,610 | Email | Unauthorized access to email accounts |
| NorthStar HealthCare Consulting LLC | GA | Business Associate | 18,354 | Email | Unauthorized access to email accounts |
| Methodist Craig Ranch Surgical Center | TX | Healthcare Provider | 15,157 | Network Server | Hacking and data theft incident (Methodist McKinney) |
| Valley Baptist Medical Center – Harlingen | TX | Healthcare Provider | 11,137 | Network Server | Ransomware attack (Practice Resources) |

Causes of August 2022 Data Breaches

The above table shows hacking incidents continue to be a major problem for the healthcare industry, with ransomware often used in the attacks. There has been a growing trend for attackers to conduct data theft and extortion attacks, without using ransomware. While the consequences for patients may still be severe, the failure to encrypt files causes less disruption; however, a recent study by Proofpoint suggests that patient safety issues are still experienced after cyberattacks when ransomware is not used. Around 22% of healthcare providers reported seeing an increase in mortality rate following a major cyberattack and 57% reported poorer patient outcomes.

Healthcare organizations are vulnerable to email attacks, with phishing attacks a common cause of data breaches. There has also been an increase in the use of reverse proxies in attacks, which allow threat actors to steal credentials and bypass multifactor authentication to gain access to Microsoft (Office) 365 environments.

Chart: Causes of August 2022 healthcare data breaches

35 of the month’s breaches (71.4%) were attributed to hacking/IT incidents and involved the exposure or theft of 2,337,485 healthcare records – 62.48% of the month’s reported breached records. The mean breach size was 66,785 records and the median breach size was 7,496 records.

There were 10 reported unauthorized access/disclosure incidents involving 1,398,595 records – 37.38% of the month’s breached records. The mean breach size was 139,860 records and the median breach size was 1,375 records. 1,362,296 of those records were breached in the Novant Health incident. There were 4 loss/theft incidents (2 losses; 2 theft) involving 5,305 records. The mean breach size was 1,326 records and the median breach size was 1,357 records.

The number of hacking incidents is reflected in the location of breached PHI, as shown in the chart below.

Chart: Location of breached PHI in August 2022

Data Breached by HIPAA Regulated Entity

Healthcare providers were the worst affected HIPAA-regulated entity type, with 35 data breaches reported. 9 breaches were reported by business associates, and 5 breaches were reported by health plans. Data breaches are not always reported by business associates directly, with some HIPAA-covered entities choosing to report breaches that occurred at their business associates. The chart below takes this into account and shows data breaches based on where they occurred. While 14 data breaches occurred at business associates in August, this is a notable reduction from the previous few months. In July there were 36 data breaches at business associates, and 40 in June.

Chart: August 2022 healthcare data breaches by HIPAA-regulated entity type

Geographic Distribution of Data Breaches

Healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August by HIPAA-regulated entities in 26 states, with Texas the worst affected with 8 reported data breaches.

| State | Breaches |
|---|---|
| Texas | 8 |
| North Carolina | 4 |
| Arkansas, California, & Michigan | 3 |
| Colorado, Florida, Illinois, New York, Vermont, Washington, & Wisconsin | 2 |
| Alabama, Arizona, Georgia, Idaho, Indiana, Louisiana, Maryland, Mississippi, New Hampshire, New Jersey, New Mexico, Ohio, Pennsylvania, & Virginia | 1 |

HIPAA Enforcement Activity in August 2022

There was one HIPAA enforcement activity announced by OCR in August, and somewhat unusually given the focus on the HIPAA Right of Access over the past three years, it related to the improper disposal of PHI. Out of the past 25 enforcement actions that have resulted in financial penalties, only 5 have been for non-HIPAA Right of Access violations.

OCR launched an investigation of New England Dermatology and Laser Center after receiving a report on March 11, 2021, about the improper disposal of the PHI of 58,106 patients. In addition to failing to render PHI unreadable and indecipherable, OCR determined there was a failure to maintain appropriate administrative safeguards. The improper disposal of empty specimen containers with patient labels spanned from 2011 to 2021. New England Dermatology and Laser Center agreed to settle the case and paid a $300,640 penalty.

Lisa J Pino stepped down as OCR Director in July 2022 and has now been replaced by Melanie Fontes Rainer. It remains to be seen where she will lead the department regarding the enforcement of HIPAA compliance, although HHS Secretary Xavier Becerra has stated that HIPAA Privacy Rule violations with respect to unauthorized disclosures of PHI related to abortion care and other forms of sexual and reproductive health care will be an enforcement priority of OCR.


New York Ambulance Service Discloses Ransomware Attack and 318K-Record Data Breach

The New York Ambulance Service, Empress EMS (Emergency Medical Services), has confirmed it was the victim of a ransomware attack. The attack was detected on July 14, 2022, and resulted in files on certain systems being encrypted. According to the company’s website notification, steps were immediately taken to contain the incident and third-party forensics experts were engaged to investigate the attack.

The forensic investigation revealed the attackers first gained access to its network on May 26, 2022, and copied “a small subset of files” on July 13, 2022. Ransomware was then deployed to encrypt files on the network. A comprehensive review of the affected files confirmed they contained protected health information such as names, insurance information, dates of service, and, for some individuals, Social Security numbers. Empress EMS has reported the data breach to the HHS’ Office for Civil Rights as affecting up to 318,558 patients. Empress EMS has notified all affected individuals and has advised them to monitor their healthcare statements for accuracy, and said credit monitoring services will be offered to certain individuals. Empress EMS said steps have been taken to strengthen system security to prevent similar incidents in the future.

Empress EMS did not confirm which group was behind the attack; however, the Hive ransomware gang has claimed responsibility for the attack. Databreaches.net obtained a copy of the ransom note and a sample of the stolen data and reports that the files appear to contain the protected health information of Empress EMS patients. The Hive gang claims to have obtained the Social Security numbers of more than 100,000 patients, and customer information such as email addresses, addresses, passport numbers, phone numbers, payments, and working hours. Employee data was also compromised, along with contracts, NDAs, and other private company information.

At the time of publication, the stolen data is not listed on the Hive group’s data leak site, although some data was briefly uploaded. Typically, if the ransom is not paid the group follows through on its threat and publishes the stolen data.


Ambry Genetics Settles Class Action Data Breach Lawsuit for $12.25 Million

Ambry Genetics has agreed to settle a class action lawsuit that stemmed from a breach of the protected health information of 232,772 patients. In April 2020, Ambry Genetics notified patients that some of their protected health information was stored in an email account that was accessed by an unauthorized individual over a two-day period in January 2020. Emails and attachments contained sensitive patient data such as names, diagnoses, and other medical information, with a subset of patients also having their Social Security numbers exposed. The investigation was not able to determine whether any information in the email account was exfiltrated by the attackers.

A lawsuit was filed in the US District Court for the Central District of California shortly after notifications were issued that alleged Ambry Genetics had failed to implement reasonable safeguards to protect patient information and had not followed industry best practices for cybersecurity and, as a direct consequence of those failures, the protected health information of patients was compromised. The lawsuit also took issue with the delay in issuing notification letters to affected individuals. The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notification letters within 60 days of the discovery of a data breach, but it took almost 4 months for notification letters to be issued. The lawsuit also alleged invasion of privacy, breach of contract, and violations of state privacy and business laws.

The lawsuit had been dismissed, amended, and refiled on multiple occasions over the past two years, with the latest complaint filed in December 2021. The settlement was proposed to prevent further legal costs and the uncertainty of trial, and is intended to fully resolve, discharge, and settle all claims made by the plaintiffs and class members. Ambry Genetics has not admitted to any wrongdoing and accepts no liability for the data breach.

Under the terms of the settlement, Ambry Genetics has agreed to create a $12.25 million fund, $2.25 million of which will cover the costs of notifications, administrative costs, and three years of identity theft protection and credit monitoring services to the class members.

Individuals affected by the data breach will be entitled to submit claims of up to $10,000 for reimbursement of documented out-of-pocket expenses incurred due to the data breach, up to 10 hours of documented time at $30 per hour, and up to 3 hours of ‘default time’ at $30 an hour. Individuals who were residents of California or Illinois at the time of the data breach are entitled to claim $150 compensation, in addition to any other claims, to resolve potential violations of the California Confidentiality of Medical Information Act and the Illinois Genetic Information Privacy Act. Class representatives will be entitled to claim a service award of $2,500.

In addition to the settlement, Ambry Genetics said it has spent in excess of $800,000 on issuing notifications and paying for credit monitoring services, with those costs potentially increasing to $1.4 million. Ambry Genetics said the total settlement amount is likely to increase to more than $14 million, and potentially more than $20 million when all remedial actions have been taken.

Those actions include changes to its business practices and additional security measures, including providing further security awareness training for staff members, adding warnings to external emails, and placing more stringent restrictions on access to patients’ protected health information. Ambry Genetics has also strengthened vendor management and requires all vendors to have SOC-2 certification, perform third-party risk assessments, and conduct penetration tests and phishing simulations on employees.
