HIPAA Breach News

Email Account Breaches Reported by Legacy Hospice, Live Oak Surgery Center, University of Miami Health

Email accounts have been compromised at Legacy Hospice and Live Oak Surgery Center, and a University of Miami Health employee’s personal data breach also saw their work email account compromised, highlighting the risks of employees storing their work login credentials on personal devices.

Legacy Hospice Email Account Breach Affects 21,000 Patients

Legacy Operating Company, an Alabama-based operator of Legacy Hospice facilities in Alabama, Arkansas, Louisiana, Mississippi, Missouri, Oklahoma, and Tennessee, has confirmed that an unauthorized third party gained access to a limited number of employee email accounts on February 11, 2022, and between April 7, 2022, and April 21, 2022. Third-party cybersecurity professionals were engaged to investigate the breach, with the investigation concluding on November 7, 2022, that protected health information was present in the compromised email accounts and may have been accessed or obtained.

The breached information included names in combination with one or more of the following types of data: Social Security numbers, taxpayer identification numbers, dates of birth, dates of death, driver’s license numbers, government identification numbers, financial account information, credit or debit card information, passport numbers, dates of service, provider names, medical record numbers, patient numbers, general medical information, diagnostic/treatment information, surgical information, medication information, and/or insurance information.

No reports have been received about any attempted or actual misuse of patient data. Notification letters were mailed on December 23, 2022, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were affected.

Live Oak Surgery Center Email Account Breach Affects More Than 5,000 Patients

Live Oak Surgery Center in Plano, Texas, has confirmed that the email accounts of two employees were accessed by unauthorized individuals between August 10, 2022, and September 27, 2022. The forensic investigation and review of the affected email accounts concluded on November 17, 2022, when it was confirmed that the email accounts contained names, along with one or more of the following types of data: financial account information, date of birth, payment card information, medical information, health insurance information, passport number, Social Security number, driver’s license number, state identification number, and/or username/password. Live Oak Surgery Center is unaware of any misuse of patient data.

Additional email security measures have been implemented to prevent further account breaches. The breach has been reported to the HHS’ Office for Civil Rights as affecting 5,264 patients.

Personal Data Breach Results in Impermissible Disclosure of PHI of University of Miami Health Patients

University of Miami Health System (UHealth) has recently announced that the protected health information of 973 patients has potentially been compromised as a result of an employee’s personal data breach. The employee in question was a victim of identity theft, with the third party responsible also stealing the credentials for the employee’s work email account. A review of the email account revealed it contained patient information such as names and medical record numbers. That information was found and forwarded to a third-party email account. UHealth said no evidence was found to indicate any Social Security numbers or financial information was compromised.

The post Email Account Breaches Reported by Legacy Hospice, Live Oak Surgery Center, University of Miami Health appeared first on HIPAA Journal.

Ransomware Attacks Announced by Maternal & Family Health Services and Retreat Behavioral Health

Maternal & Family Health Services in Eastern Pennsylvania has recently notified certain patients about an April 4, 2022, ransomware attack in which sensitive patient data was exposed. When the attack was detected, systems were secured, and a third-party computer forensics firm was engaged to investigate and determine the nature and scope of the breach. The investigation confirmed that its systems were first accessed by the attackers on August 12, 2021, almost 8 months before ransomware was used to encrypt files. Its systems were secured on April 4, 2022, with the investigation, review of affected files, and the verification of contact information lasting until the end of the year. Notifications were sent to affected individuals on January 3, 2023.

Maternal & Family Health Services said the compromised files included information such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account/payment card information, usernames, passwords, medical information, and health insurance information. Complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security number or financial account/payment card information was involved. No evidence of misuse of patient data had been identified at the time of issuing notifications. Maternal & Family Health Services said it is strengthening security to prevent similar incidents in the future.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Retreat Behavioral Health Ransomware Attack Affects Up to 23,620 Patients

Retreat Behavioral Health, an operator of mental health and substance use treatment centers in Florida, Pennsylvania, and Connecticut, has confirmed that ransomware was used in a cyberattack that was detected and blocked on July 1, 2022.

Retreat Behavioral Health said the forensic investigation concluded on December 9, 2022, and notifications have now been sent to affected patients. The investigation indicates a data set within its network was accessed by the third party behind the attack, with the potentially compromised data including names, addresses, and Social Security numbers. A subset of individuals also had date of birth and/or treatment information exposed. Retreat Behavioral Health said no evidence of attempted or actual misuse of patient data has been identified but as a precaution, Single Bureau Credit Monitoring Services have been offered to patients at no cost. Retreat Behavioral Health has also implemented additional monitoring tools on its network and will continue to enhance system security.

The breach was recently reported to the Maine Attorney General as affecting 23,620 patients.

Employee Benefits Plan Data Exposed in L. Knife & Son Hacking Incident

The alcoholic beverage wholesaler, L. Knife & Son, Inc., has recently announced that an unauthorized third party gained access to its network and copied files containing sensitive data. The security breach was detected on November 1, 2022, with the forensic investigation confirming unauthorized access to files and data theft occurred between October 13, 2022, and October 19, 2022. The review of the affected files was completed on December 8, 2022.

The breach was reported to the Maine Attorney General as involving the data of 14,377 individuals, and the HHS’ Office for Civil Rights as involving the protected health information of 4,082 members of its Employee Benefits Plan. Affected individuals have been offered complimentary 2-year memberships to an identity theft protection service, and additional security measures have been implemented to prevent further breaches in the future.


Washington Attorney General Sues Plastic Surgery Provider for HIPAA Violations and Falsely Inflating Online Ratings

Washington Attorney General Bob Ferguson is suing a plastic surgery provider for falsely inflating online ratings and for bribing and threatening patients, and alleges the actions of the practice violated the Health Insurance Portability and Accountability Act (HIPAA) Rules.

The lawsuit was filed in the U.S. District Court for the Western District of Washington against the Seattle plastic surgery clinic Allure Esthetic and its owner Dr. Javad Sajan after receiving multiple complaints from patients and former employees. The complaints alleged the practice was bribing and threatening patients to prevent them from posting negative reviews on platforms such as Yelp and Google, and that patients were made to sign non-disclosure agreements (NDAs) before receiving treatment prohibiting them from publishing online reviews that could in any way harm the practice. The practice considered any review under 4 stars to be a negative review. Attorney General Ferguson said these practices falsely inflated its online reviews.

According to the lawsuit, more than 10,000 patients were made to sign the NDAs stating legal action would be taken in response to negative reviews. Patients who posted negative reviews were allegedly intimidated into removing the reviews and were told they would be sued for monetary damages if the reviews were not deleted. In some cases, patients were offered bribes for removing negative reviews, including cash and free services. Patients that accepted the payments or free services were required to sign a second NDA that stipulated they would be liable for $250,000 in damages if they posted any further negative reviews. Patients were required to pay a $100 consultation fee before being told they would be required to sign an NDA.

The lawsuit also alleges employees were ordered to post fake positive reviews online that included altered before-and-after photographs that made it appear the treatments were more successful than they actually were. A VPN was used for posting fake reviews to conceal the IP addresses of the office computers. The practice is also alleged to have applied for rebates on behalf of its patients without obtaining their consent, then kept the rebates. Hundreds of fake email accounts were created to register for rebate programs intended for real patients, which resulted in thousands of dollars of fraudulent rebates being paid to the practice each month.

The lawsuit alleges that between 2017 and 2019, the NDAs required patients to contact the practice prior to publishing any online review under 4 stars, with the NDAs stating patients would be liable to “pay monetary damages to the practice for any losses” if negative reviews were not removed. The NDAs also stated that patients must waive their HIPAA privacy rights, stating consumers must “allow a response [to the review] from the practice with any personal health information” if they post a negative review. The HIPAA Privacy Rule prohibits covered entities from conditioning treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization to disclose protected health information. That wording was changed in 2019, but the NDAs continued to be required until March 2022.

In addition to the alleged HIPAA violations, the practice and owner are alleged to have violated the Washington State Consumer Protection Act (CPA) and the Consumer Review Fairness Act (CRFA). The lawsuit asks the court to invalidate the NDAs, require the practice to write to all patients to inform them that the NDAs are invalid, and block the practice from using NDAs in the future. Monetary damages of up to $7,500 are sought per violation and the court has been asked to order the practice to pay restitution to patients for the $100 consultation fees and return any rebates that are owed to customers.

“Patients rely on reviews to determine if a healthcare provider is right for them and using legal threats and bribes to manipulate those reviews is deceptive and harms Washingtonians. We are taking action to stop these unethical and illegal practices,” said AG Ferguson. “Threatening and bribing customers to prevent them from sharing the truth about their experience isn’t just wrong — it’s illegal.”


CommonSpirit Health Facing Class Action Lawsuit over Ransomware Attack and Data Breach

The Chicago, IL-based health system, CommonSpirit Health, is facing a class action lawsuit over its October 2022 ransomware attack. Malicious actors gained access to its IT systems on September 16, 2022, and deployed ransomware on October 2, 2022. The attack forced the shutdown of its electronic medical record system and caused considerable disruption over several weeks, with the Catholic health system having to cancel many appointments. The forensic investigation determined the protected health information of patients of Virginia Mason Franciscan Health was potentially compromised in the attack. Virginia Mason Franciscan Health operates St. Anne Hospital, St. Elizabeth Hospital, St. Anthony Hospital, St. Clare Hospital, St. Francis Hospital, St. Joseph Hospital, and St. Michael Medical Center. CommonSpirit Health said the information compromised in the attack was limited to names, addresses, phone numbers, dates of birth, and unique ID numbers, and reported the data breach to the HHS’ Office for Civil Rights as affecting 623,774 individuals.

In late December, a lawsuit was filed in the District Court for the Northern District of Illinois on behalf of Virginia Mason Franciscan Health patient, Leeroy Perkins, and other similarly affected patients. The lawsuit alleges CommonSpirit Health was negligent for failing to implement and follow basic cybersecurity procedures and industry cybersecurity best practices which allowed unauthorized individuals to gain access to patients’ sensitive data, placing affected patients at risk of identity theft and fraud.

Perkins claims to have had to spend valuable time monitoring his accounts and changing passwords, and now faces an increased risk of identity theft and fraud as a result of the data breach. He also claims costs will be incurred paying for credit monitoring and identity theft protection for years to come, and his credit score is likely to be lowered. The lawsuit seeks class action status, damages exceeding $5 million, and injunctive relief, including CommonSpirit Health implementing more robust cybersecurity measures to protect patient data.

It is now common for lawsuits to be filed against healthcare providers that have suffered ransomware and other cyberattacks, especially when the data breaches affect many thousands of patients; however, in order for the lawsuits to succeed, the plaintiffs must demonstrate they have been harmed as a result of a data breach. Lawsuits often fail when they are based solely on an elevated risk of identity theft and fraud.

In 2021, a lawsuit filed against Brandywine Urology Consultants was dismissed by a Delaware Superior Court judge when the plaintiffs failed to provide sufficient evidence that they had been harmed by the breach. “A plaintiff alleging that it will suffer future injuries from a defendant’s allegedly improper conduct must show that such injuries are certainly impending,” and must demonstrate “a likelihood that the injury will be redressed by a favorable decision,” said the Honorable Mary M. Johnston in the ruling dismissing the lawsuit. The plaintiffs claimed to have incurred expenses as a result of the breach, but the judge ruled that costs incurred in response to a speculative threat are not sufficient to confer standing.


Cyberattacks Reported by Heartland Alliance and CentraState Medical Center

The Chicago, IL-based social justice and human rights organization, Heartland Alliance, announced on December 15, 2022, that it was the victim of a cyberattack. The security breach was discovered on January 26, 2022, and prompt action was taken to secure its systems to prevent further unauthorized access. A leading third-party cybersecurity firm was engaged to investigate the incident.

On April 27, 2022, Heartland Alliance confirmed that an unauthorized individual had gained access to its network and potentially accessed or obtained files containing sensitive personal information. A lengthy review process was then initiated to determine the extent of the data breach and to obtain up-to-date contact information for the affected individuals. That process was completed in December 2022.

Heartland Alliance has confirmed that the protected health information of individuals who sought health care or participated in other Heartland programs was potentially compromised, along with the personal information of employees, directors, and independent contractors. The data involved varied from individual to individual and may have included one or more of the following data types: names, dates of birth, Social Security numbers, driver’s license numbers, bank account numbers, and medical/health information. Heartland Alliance said it is unaware of any actual or attempted misuse of that information.

Notification letters were sent to affected individuals on December 15, 2022, and a one-year membership to an identity and credit monitoring service has been offered. Heartland Alliance has also confirmed that it has upgraded its IT security systems to prevent similar security breaches in the future.

CentraState Medical Center Facing Ongoing Disruption Following Late December Cyberattack

CentraState Medical Center in Freehold, NJ, has been dealing with a cyberattack that occurred on or around December 30, 2022. The cyberattack was detected during a shift change around 7 am when computer systems started to malfunction. As a precaution, the medical center went on full diversion, with ambulances directed to alternative facilities while the cause of the IT system outage was investigated.

Tom Scott, President and CEO of CentraState Medical Center, has confirmed that the disruption was due to a cyberattack that affected certain IT systems. Systems were promptly isolated to contain the attack and an investigation was launched to determine the nature and scope of the breach. Employees have been recording patient data manually while IT systems are out of action, and extra staff have been brought in to deal with the increased workload.

CentraState Medical Center issued an update on January 3, 2023, confirming that the usual high standards of patient care are being maintained, but some services at the medical center continue to be affected, including outpatient radiology, radiation treatment, mammography, labs, and catheterization lab services. Scheduled inpatient procedures are continuing as normal, but some outpatient appointments have been postponed or rescheduled.

No timescale has been provided on when systems will be fully restored, and no information has been disclosed on the exact nature of the attack. It is also unclear at this early stage of the investigation if, and to what extent, patient data was involved.


Ransomware Attack at Fitzgibbon Hospital Affects 112,000 Patients

Back in June 2022, HIPAA Journal reported on a cyberattack on Fitzgibbon Hospital in Marshall, MO, after being contacted directly by a spokesperson for a threat group called DAIXIN Team, who claimed responsibility for the attack. That individual said the hospital’s systems had been compromised and 40GB of data had been exfiltrated, which included files containing patient names, dates of birth, medical record numbers, patient account numbers, Social Security numbers, and medical and treatment information. Some of that information was released on the group’s dark web data leak site.

Six months after the attack, the hospital has now confirmed that a data breach occurred involving the protected health information of 112,072 patients. According to Fitzgibbon Hospital, the attack was detected on June 6, 2022, and an investigation was immediately launched to determine the nature and scope of the breach. Third-party cybersecurity professionals were engaged to investigate and, according to the December 2022 breach notice, that investigation is still ongoing. Fitzgibbon Hospital said it discovered on December 1, 2022, that some patient data had been compromised in the attack, including “full names, Social Security numbers, driver’s license numbers, financial account numbers, health insurance information, and/or medical information,” with the data involved varying from individual to individual.

Fitzgibbon Hospital said it is unaware of any misuse of the stolen data at the time of issuing notifications to patients, which were sent on December 30, 2022, and that, “out of an abundance of caution,” individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. Fitzgibbon Hospital confirmed that it had taken many steps to protect patient information prior to the cyberattack and continually evaluates and modifies its practices to enhance the security and privacy of its patients’ information. This includes the education and counseling of its workforce regarding patient privacy matters.

Howard Memorial Hospital Announces December 2022 Cyberattack

Howard Memorial Hospital in Nashville, AR, has recently announced that it detected suspicious activity within its computer network on December 4, 2022. Prompt action was taken to secure the network and investigate to determine the nature and scope of the incident, with third-party cybersecurity professionals engaged to assist with that process. On December 29, 2022, the hospital confirmed that unauthorized individuals had gained access to its network on November 14, 2022, and access remained possible until December 4, 2022, when its network was secured.

During that time the threat actor had access to and exfiltrated certain files, some of which contained patient information. It is unclear how many individuals have been affected as the review of the affected files is ongoing, but it has been confirmed that information such as names, contact information, dates of birth, and Social Security numbers have been affected, along with employee data that may also have included direct deposit bank account information. Notification letters will be sent to affected individuals when they have been identified and up-to-date contact information has been obtained.


Diagnostic Lab Settles Medical Record Access Case for $16,500

The HHS’ Office for Civil Rights (OCR) has announced its first HIPAA enforcement action of 2023, which serves as a reminder that individuals and their personal representatives must be provided with timely access to their medical records. Life Hope Labs, LLC, has agreed to settle the case and will pay a $16,500 penalty.

43 Enforcement Actions for HIPAA Right of Access Failures

The HIPAA Right of Access requires covered entities to provide a copy of an individual’s protected health information that is maintained in a designated record set within 30 days of receiving a request for it. In certain circumstances, a delay of up to 30 days is permitted, provided the individual is notified about the reason for the delay and is informed in that response when the request will be satisfied.

OCR launched a new HIPAA compliance initiative in the fall of 2019 targeting organizations that were not providing individuals and their personal representatives with a copy of the requested medical records in a timely manner, and organizations that were charging unreasonable fees for providing those records. Including the latest settlement, OCR has imposed financial penalties on 43 healthcare organizations for potential HIPAA Right of Access violations.

Life Hope Labs Enforcement Action

Life Hope Labs is a Sandy Springs, GA-based full-service diagnostic laboratory. On August 24, 2021, OCR received a complaint from the personal representative of a patient’s estate, who had requested the medical records of the decedent. The complainant alleged a request had been made to Life Hope Labs on July 7, 2021, but the records were not provided. It took Life Hope Labs seven months (225 days) from the initial request to provide those records. The complainant – the daughter of the decedent – received the complete set of records on February 16, 2022. OCR confirmed that the delay in providing the requested records was a violation of the HIPAA Right of Access, as detailed in 45 C.F.R. § 164.524.

Life Hope Labs agreed to settle the case with OCR and paid a $16,500 penalty to settle the potential HIPAA Right of Access violation, with no admission of wrongdoing. Under the terms of the settlement, Life Hope Labs is required to adopt a corrective action plan that includes the requirement to develop, maintain, and revise, as necessary, written policies regarding the HIPAA Privacy Rule, including the right of patients to access and obtain a copy of their PHI and to distribute those policies to all members of the workforce. HIPAA training on those policies must also be provided to all new staff members within 30 days of commencing employment. The settlement also includes two years of monitoring.

“Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories,” said OCR Director Melanie Fontes Rainer. “Laboratories covered by HIPAA must follow the law and ensure that they are responding timely to records access requests.”


Avalon Healthcare Settles HIPAA Case with Oregon and Utah State AGs and Pays $200,000 Penalty

Avalon Healthcare has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws with the Oregon and Utah Attorneys General that were uncovered during an investigation of a 2019 breach of the personal and protected health information of 14,500 of its employees and patients.

Avalon Healthcare is part of the Avalon Health Care Group and provides skilled nursing, therapy, senior living, assisted living, and other medical services throughout Oregon, Utah, California, Nevada, Washington, and Hawaii. In July 2019, an employee responded to a phishing email and disclosed credentials that allowed an email account to be accessed by unauthorized individuals. The account contained sensitive information such as names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, and some financial information. It took 10 months from the date of the breach for the incident to be reported to the HHS and state attorneys general, and for affected individuals to be notified.

Oregon Attorney General Ellen Rosenblum and Utah Attorney General Sean Reyes launched an investigation into the data breach that focused on the email security practices at Avalon Healthcare and compliance with the HIPAA Security and Breach Notification Rules and state data breach notification statutes. The HIPAA Breach Notification Rule requires notifications to be issued about breaches of protected health information without undue delay and no more than 60 days from the date of the breach. In Oregon, data breach notifications must be issued in the most expeditious manner, and no later than 45 days after the date of discovery of the breach. The investigation uncovered potential violations of the Oregon Unlawful Trade Practices Act and HIPAA with respect to breach notifications and data security. Avalon Healthcare agreed to settle the case to avoid further controversy and expense.

Under the terms of the settlement, Avalon Healthcare has agreed to comply with the requirements of state laws and HIPAA and will develop, implement, and maintain an information security program that includes reasonable data security practices to ensure all personal information and protected health information is adequately protected. An individual will be designated as having overall control of the information security program and a HIPAA compliance officer will be appointed. The information security program will include logging and monitoring of the network, multi-factor authentication, email filtering, and at least twice-yearly security awareness training for the workforce. Security awareness training must cover phishing and social engineering, and include phishing simulation exercises. Avalon Healthcare has also agreed to develop, implement, maintain, and test a data incident response plan and to implement and maintain a risk assessment and risk management program. Avalon Healthcare will also revise its email data retention policies to ensure that data is only kept in email accounts for as long as there is a legal basis to retain the information and all emails containing PHI will be encrypted.

In addition to the commitment to compliance with HIPAA and state laws, Avalon Healthcare will pay a $200,000 financial penalty, which will be split equally between the Oregon and Utah state attorneys general and will be used to pay for legal fees, investigation costs, and the future enforcement of compliance with HIPAA and state laws.

“Companies, like Avalon, that retain consumers’ protected health information, have a duty to keep this data safe from unauthorized access,” said Attorney General Rosenblum. “Avalon dealt with the personal health-related information of some of our most vulnerable residents. Close to 2,000 Oregonians assumed—incorrectly—their information was safe with Avalon. Data breaches continue to be a problem in Oregon, and we are committed to working with companies to make sure they have the highest data privacy safeguards in place.”


Fertility Centers of Illinois Proposes $450,000 Settlement to Resolve Data Breach Lawsuit

Fertility Centers of Illinois has proposed a $450,000 settlement to resolve a lawsuit filed on behalf of patients and employees who were affected by its February 2021 data breach.

On February 1, 2021, hackers gained access to the network where sensitive employee and patient information was stored, including names, employee ID numbers, Social Security numbers, passport numbers, financial account and payment information, diagnoses, treatment information, medical record numbers, billings and claims information, occupational health information, Medicare/Medicaid information, and usernames and passwords with PINs or account login information.

The investigation of the breach took six months, but it then took a further four months for affected individuals to be notified. Notification letters were finally sent in December 2021 and the data breach was reported to the HHS’ Office for Civil Rights on December 27, 2021, as affecting 79,943 patients. It should be noted that the HIPAA Breach Notification Rule requires the HHS and affected individuals to be notified about breaches of protected health information within 60 days of the discovery of a data breach.

The lawsuit – Monegato, et al. v. Fertility Centers of Illinois PLLC – was filed in the Circuit Court of Cook County, IL, and takes issue with the length of time it took to issue notifications, alleging Fertility Centers of Illinois unnecessarily delayed notifications, attempted to conceal the severity of the breach, and misrepresented the nature of the breach and the threat posed to affected individuals. The lawsuit also alleges Fertility Centers of Illinois failed to adequately protect patient data, with the alleged lack of safeguards and breach notification delay in violation of Illinois law.

The alleged security failures include storing protected health information (PHI) and personally identifiable information (PII) in multiple locations, each with different security safeguards; a failure to adequately train employees on security protocols; and inadequate security measures for protecting PHI/PII. The lawsuit also alleges an ineffective breach response that took 6 months to determine hackers accessed PHI/PII. Also, the breach notification letters stated, in bold and underlined text, that electronic medical records had not been accessed when the next paragraph made it clear that the information contained in medical records had in fact been accessed.

The lawsuit claims victims of the data breach now face a lifetime risk of identity theft and fraud, will continue to suffer damages, including monetary losses, lost time, anxiety, and emotional distress, have lost the opportunity to control how their PHI/PII is used, have suffered a diminution in the value of their PII and PHI, and will have to deal with the continuing publication of their PII and PHI. Despite these risks, only 12-24 months of identity theft protection services were provided.

Fertility Centers of Illinois has not admitted any wrongdoing and chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, individuals affected are entitled to submit a claim for up to $450 for ordinary losses such as out-of-pocket expenses incurred as a result of the data breach, and reimbursement for up to four hours of lost time at $20 per hour. Claims up to the value of $5,000 are permitted for documented extraordinary losses incurred between February 1, 2021, and June 5, 2023, that are not covered under ordinary losses. The settlement is capped at $450,000 and claims will be paid pro rata if that amount is reached. In addition, all affected individuals are entitled to claim an additional 24 months of credit monitoring services (via Pango) from the effective date of the settlement.
