HIPAA Breach News

BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach

A Florida specialty pharmacy is facing a class action lawsuit over an October 2021 cyberattack in which the personally identifiable information (PII) and protected health information (PHI) of up to 350,000 patients were stolen.

Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services said a hacker had access to its network from October 25, 2021, until November 11, 2021, and during that time viewed files containing sensitive patient data. A computer forensics firm investigated the breach and confirmed patient data had been accessed. Since it was not possible to determine how many patients had been affected, the decision was taken to send notification letters to all 350,000 patients on or around December 10, 2021, one month after the breach was discovered.

Data potentially compromised in the attack included names, contact information, dates of birth, medical record numbers, health insurance and claims information, diagnoses, prescription information, and Social Security numbers. Affected individuals were offered a 12-month subscription to credit monitoring services at no cost.

In late December, BioPlus patient Bonnie Gilbert and her attorneys filed a lawsuit in the U.S. District Court of the Middle District of Florida alleging BioPlus had violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to ensure the confidentiality, integrity, and availability of the PHI of its patients.

The lawsuit alleges negligence for failing to maintain reasonable data security safeguards, failing to implement industry-standard data security practices, and failing to exercise reasonable care in the hiring and supervision of its employees and agents. The lawsuit also claims BioPlus failed to detect the attack and the exfiltration of sensitive data from its network, and delayed breach notifications. The lawsuit claims that if a reasonable amount of care had been taken and appropriate data security measures had been in place, the attack could have been detected sooner and/or prevented.

The lawsuit alleges the plaintiff and class members have suffered “numerous actual and imminent injuries” as a direct result of the data breach, including the theft of their PII and PHI, invasion of privacy, a reduction in the economic value of their PII and PHI, emotional distress and stress, and a significant present and future risk of identity theft and financial fraud, as well as incurring costs attempting to mitigate and deal with the consequences of the data breach.

The lawsuit seeks class action certification, a jury trial, injunctive relief, declaratory relief, and monetary damages. The plaintiff is represented by Morgan & Morgan and Markovits, Stock, & DeMarco LLC.

The post BioPlus Specialty Pharmacy Services Faces Class Action Lawsuit Over Data Breach appeared first on HIPAA Journal.

Almost 80,000 Patients Affected by Cyberattack on Fertility Centers of Illinois

Fertility Centers of Illinois (FCI) has recently notified 79,943 current and former patients that some of their protected health information may have been viewed or obtained by unauthorized individuals.

FCI identified suspicious network activity on February 1, 2021, and took prompt action to secure its systems. Independent forensic investigators were then engaged to determine the nature and scope of the security breach.

FCI had implemented security measures to keep patient data secure, and those measures ensured its electronic medical record system could not be accessed; however, the attackers were found to have accessed administrative files and folders. A review of those files confirmed on August 27, 2021, that they contained a range of patient data including names in combination with one or more of the following types of information:

Social Security numbers, passport numbers, financial account information, payment card information, diagnoses, treatment information, medical record numbers, billing/claims information, prescription information, Medicare/Medicaid identification information, health insurance group numbers, health insurance subscriber numbers, patient account numbers, encounter numbers, referring physicians, usernames and passwords with PINs or account login information.

Employee information was also potentially compromised including names, employer-assigned identification numbers, ill-health/retirement information, occupational health-related information, medical benefits and entitlements information, patkeys/reason for absence, and sickness certificates.

FCI said it had strict security measures in place to prevent unauthorized data access, but the attackers were able to bypass those controls. Steps have since been taken to further secure its systems, data, and equipment, including implementing enterprise-class identity verification software and providing additional training to the workforce on security practices.

All affected individuals have been notified by mail and have been offered complimentary credit monitoring and identity theft protection services for 12 months through Equifax.

Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General

The Rhode Island Public Transit Authority (RIPTA) has recently notified the Department of Health and Human Services’ Office for Civil Rights about a data breach involving the protected health information (PHI) of 5,015 members of its group health plan.

RIPTA explained in a breach notice on its website that the cyberattack was detected and blocked on August 5, 2021, and the forensic investigation determined hackers had access to its network from August 3, 2021. A comprehensive review of files on the compromised parts of its network identified files related to the RIPTA health plan, which were found to contain the names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information of health plan members. It was also confirmed that those files had been exfiltrated from its systems by the attackers.

RIPTA sent notification letters to affected individuals on December 22, 2021, and offered a complimentary membership to Equifax’s identity monitoring services. RIPTA also explained in its website breach notice that it has implemented additional security measures to prevent further data breaches.

In the days following the mailing of notification letters, the office of the Rhode Island attorney general received a high number of calls from individuals who had received a notification letter who had no direct connection to RIPTA informing them that their personal and health information had been compromised in the data breach. Several complaints were also made to the Rhode Island American Civil Liberties Union (ACLU).

On December 28, 2021, Steve Brown, Executive Director of the Rhode Island ACLU, wrote to Scott Avedisian, CEO of RIPTA, seeking answers about the data breach and why individuals with no relationship whatsoever with RIPTA had been notified that their personal data was involved. Brown also said in the letter that “The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it.”

The public notice on the RIPTA website made two references to a breach of RIPTA health plan data, specifically stating the breach involved “the personal information of our health plan” and “files pertaining to RIPTA’s health plan.” Brown said that wording is “extremely misleading and seriously downplays the extensive nature of the breach.” Brown said all of the complainants had never been employed by RIPTA, and some said they had never even ridden on a RIPTA bus.

Further, the breach notice submitted to the HHS’ Office for Civil Rights indicates 5,015 health plan members were affected, when the notification letters stated the breach affected 17,378 individuals in Rhode Island, which raises the question of why RIPTA was storing the data of an additional 12,363 individuals.

Brown also pointed out that the notification letters explained the breach was detected on August 5, 2021, yet it took RIPTA two and a half months to identify the individuals that had been affected, and then a further two months for notification letters to be issued.

RIPTA senior executive Courtney Marciano explained to the Providence Journal that the files obtained by the hackers included the data of individuals with no connection to RIPTA because RIPTA’s previous health insurance provider had sent files that contained the personal and health data of individuals with no connection to RIPTA. RIPTA had previously used UnitedHealthcare for its group health plan but then switched to Horizon BlueCross/Blue Shield of Rhode Island. The files sent to RIPTA by UnitedHealthcare allegedly contained details of health claims of all state employees.

The reason for the delay in issuing notifications was explained as being due to the labor-intensive process of determining which individuals had been affected and verifying contact information, and also sorting through the files to determine which claims were for current or former RIPTA employees.

Rhode Island Attorney General Peter Neronha told The Providence Journal that he will be opening an investigation into the data breach to determine if any state laws have been violated, such as the Identity Theft Protection Act of 2015. The HHS’ Office for Civil Rights may also choose to investigate UnitedHealthcare over the apparent impermissible disclosure of the PHI of state employees to RIPTA. The OCR breach portal has no corresponding breach report from UnitedHealthcare.

Broward Health Notifies Over 1.3 Million Individuals About October 2021 Data Breach

The year has started with a major breach report from Broward Health in Florida, which has recently started notifying more than 1.3 million patients and employees about a data breach that occurred on October 15, 2021. A hacker gained access to the Broward Health network through the office of a third-party medical provider that had been granted access to the Broward Health network in order to provide healthcare services.

Broward Health discovered and blocked the intrusion on October 19, 2021, and a password reset was performed for all employees to prevent further unauthorized access. Assisted by a third-party cybersecurity company, Broward Health conducted a comprehensive investigation to determine the nature and scope of the breach.

The investigation confirmed the attacker had access to parts of the network where employee and patient information were stored, including sensitive data such as names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, financial/bank account information, health insurance information, medical histories, health conditions, treatment and diagnosis information, medical record numbers, and driver’s license numbers. Broward Health said some data was exfiltrated from its systems.

The cyberattack was reported to the Department of Justice which requested Broward Health delay sending breach notification letters to affected individuals so as not to interfere with the law enforcement investigation.

Broward Health has taken steps to improve security and prevent similar incidents in the future, which include implementing multifactor authentication for all users of its systems and setting minimum security requirements for all devices with access to its network that are not managed by Broward Health’s information technology department. Those security requirements will take effect this January.

Broward Health has not received any reports that indicate patient or employee data have been misused, but as a precaution against identity theft and fraud, affected individuals have been offered a complimentary 2-year membership to the Experian IdentityWorks service, which includes identity theft protection, detection, and resolution services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal but has been reported to the Maine Attorney General as potentially affecting 1,357,879 patients.

Saltzer Health Alerts Patients About PHI Exposure in Email Account Breach

Nampa, Idaho-based Saltzer Health has started notifying certain patients that some of their protected health information (PHI) has been exposed in an email account breach that was detected on June 1, 2021.

The investigation revealed an unauthorized individual had access to an employee’s email account between May 25, 2021, and June 1, 2021. Saltzer Health was unable to find evidence indicating the attacker viewed or exfiltrated emails from the account, but it was not possible to rule out the possibility of unauthorized PHI access and data theft.

The investigation confirmed the breach was confined to a single email account and no other systems were affected. Assisted by third-party specialists, Saltzer Health conducted a comprehensive review of the email account to determine which patients had been affected.

The review was completed on September 21, 2021, and revealed the following types of patient data were stored in the account: names, contact information, state identification numbers, driver’s license numbers, medical record numbers, medical histories, diagnoses, treatment information, physician information, prescription information, and health insurance information, along with, for a limited number of patients, Social Security numbers and financial account information.

Once the affected patients were identified, Saltzer Health conducted a manual review of internal records to verify patients’ contact information, hence the delay in issuing breach notification letters until December.

Saltzer Health has provided affected patients with information about the steps they can take to guard against identity theft and fraud, but there is no mention in the substitute breach notice about the provision of credit monitoring or identity theft protection services.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights, but it has yet to appear on the OCR breach portal, so it is currently unclear how many patients have been affected.

Largest Healthcare Data Breaches of 2021

The largest healthcare data breaches of 2021 rank as some of the worst of all time. In this post, we summarize some of the most serious data breaches to be reported in what has turned out to be another record-breaking year.

The Department of Health and Human Services’ Office for Civil Rights’ breach portal shows 686 healthcare data breaches of 500 or more records in 2021, and that number is likely to grow over the next couple of weeks and could well exceed 700 data breaches. As it stands, 2021 is already the worst ever year for healthcare data breaches, beating last year’s record of 642 data breaches.

It has also been a particularly bad year in terms of the number of breached healthcare records. Across the 686 2021 healthcare data breaches, 44,993,618 healthcare records have been exposed or stolen, which makes 2021 the second-worst year in terms of breached healthcare records.

There have been 245 data breaches of 10,000 or more records, 68 breaches of the healthcare data of 100,000 or more individuals, 25 breaches that affected more than half a million individuals, and 10 breaches of the personal and protected health information of more than 1 million individuals. Almost three-fourths of the year’s breaches (73.9%) were hacking or other IT incidents.

The Largest Healthcare Data Breaches of 2021

Each of the data breaches below involved the personal and protected health information of more than 1,000,000 individuals. All were hacking/IT incidents in which unauthorized individuals gained access to networks or cloud storage holding electronic healthcare data.

Accellion FTA Hack – At Least 3.51 Million Records

The largest healthcare data breach was a hacking incident involving the file transfer vendor Accellion. Four vulnerabilities in the legacy Accellion File Transfer Appliance (FTA) were exploited and more than 100 companies were affected, including at least 11 U.S. healthcare organizations. The Accellion FTAs were used for transferring files too large to be sent via email. The attack was conducted by a threat actor linked to the Clop ransomware gang. Ransomware was not used in the attack, but sensitive data were stolen, ransom demands were issued, and stolen data were leaked on the Clop ransomware gang’s leak site.

The Accellion FTA hack does not appear as a single incident on the HHS’ Office for Civil Rights breach portal as each affected healthcare organization reported the breach separately. In total, the protected health information of at least 3.51 million individuals is believed to have been stolen.

Florida Healthy Kids Corporation – 3.5 Million Records

The largest healthcare data breach of 2021 to be reported to the HHS’ Office for Civil Rights by a HIPAA-covered entity was a hacking incident at the Florida health plan, Florida Healthy Kids Corporation (FHKC). The breach was reported in January 2021 and was due to the failure of a security vendor to apply patches to fix multiple vulnerabilities on the FHKC website over a period of 7 years.

Hackers had access to the website for several years, and potentially stole highly sensitive information such as Social Security numbers and financial information. Some of the data on the website was also tampered with. The analysis of the breach revealed the personal and protected health information of 3.5 million individuals was exposed.

20/20 Eye Care Network, Inc – 3,253,822 Records

20/20 Eye Care Network, a Florida-based provider of eye and ear care services, exposed the personal and protected health information of 3,253,822 individuals as a result of a misconfigured Amazon Web Services S3 cloud storage bucket. In January 2021, 20/20 Eye Care Network discovered an unauthorized individual accessed the exposed storage bucket and downloaded some data, which may have included Social Security numbers, dates of birth, and health insurance information. The attacker then deleted the data in the bucket.
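The 20/20 Eye Care Network incident is the one breach in this list caused by a storage misconfiguration rather than a network intrusion. The following is an added example, not code from HIPAA Journal or from 20/20 Eye Care Network, showing the two checks a reviewer would run against a bucket: does the bucket policy hand a sensitive action (read, list, write, delete) to the anonymous principal, and are the four S3 Block Public Access flags set. The weak policy, the corrected policy, the bucket name `example-records`, the account ID and the role name are all constructed for illustration; in a live account the same two inputs come from the S3 API calls `get_bucket_policy` and `get_public_access_block`.

```python
"""Flag an S3 bucket whose policy or Block Public Access settings let anonymous
callers read, list, write or delete objects. Added example: bucket name,
account ID and both policies are constructed, not 20/20 Eye Care's."""
import fnmatch
import json
from typing import Any, Dict, List

# Actions an anonymous principal should never hold on a bucket storing PHI
# (lower-cased because IAM action names are matched case-insensitively).
SENSITIVE_ACTIONS = ("s3:getobject", "s3:listbucket", "s3:putobject",
                     "s3:deleteobject", "s3:deleteobjectversion")

# The four S3 Block Public Access flags; every one should be True.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed weak policy: anonymous read/list, plus anonymous s3:* on objects,
# which is what lets an attacker download and then delete everything.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadList", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-records",
                      "arn:aws:s3:::example-records/*"]},
        {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-records/*"},
    ]})

# Constructed corrected policy: same actions scoped to one IAM role, plus a
# Deny for cleartext transport. The Deny uses Principal "*" but grants nothing.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-records",
                      "arn:aws:s3:::example-records/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-records/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]})
WEAK_PAB = {flag: False for flag in PAB_FLAGS}   # constructed: all flags off
FIXED_PAB = {flag: True for flag in PAB_FLAGS}   # constructed: all flags on


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list for Principal.AWS, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (including "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def sensitive_actions_granted(actions: Any) -> List[str]:
    """Expand wildcard patterns such as s3:* or s3:Get* against SENSITIVE_ACTIONS."""
    patterns = [a.lower() for a in _as_list(actions)]
    return [s for s in SENSITIVE_ACTIONS
            if any(fnmatch.fnmatchcase(s, p) for p in patterns)]


def find_public_grants(policy_json: str) -> List[Dict[str, Any]]:
    """Every Allow statement that hands a sensitive action to anonymous callers.
    A statement with a Condition is still reported, but flagged so a reviewer
    can check whether the condition (e.g. aws:SourceIp) really narrows access."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        granted = sensitive_actions_granted(stmt.get("Action"))
        if granted:
            findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                             "actions": granted,
                             "conditional": "Condition" in stmt})
    return findings


def public_access_block_gaps(pab: Dict[str, bool]) -> List[str]:
    """Block Public Access flags that are absent or not True."""
    return [flag for flag in PAB_FLAGS if pab.get(flag) is not True]


def assess_bucket(policy_json: str, pab: Dict[str, bool]) -> Dict[str, Any]:
    """RestrictPublicBuckets=True neutralises an existing public policy, so the
    bucket counts as exposed only when an unconditional anonymous grant exists
    and that flag is off. Any missing flag is still reported as a gap."""
    grants = find_public_grants(policy_json)
    gaps = public_access_block_gaps(pab)
    unconditional = any(not g["conditional"] for g in grants)
    exposed = unconditional and "RestrictPublicBuckets" in gaps
    return {"public_grants": grants, "pab_gaps": gaps, "exposed": exposed}


if __name__ == "__main__":
    for label, policy, pab in (("weak", WEAK_POLICY, WEAK_PAB),
                               ("fixed", FIXED_POLICY, FIXED_PAB)):
        print(label, json.dumps(assess_bucket(policy, pab), indent=2))
```

The wildcard expansion matters: an audit that only greps for `s3:GetObject` misses a statement granting `s3:*` to everyone, which is exactly the grant that allows both the download and the subsequent deletion described above. Turning on all four Block Public Access flags at the account level is the cheaper fix, since it overrides any such policy on every bucket in the account.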

NEC Networks, LLC dba CaptureRx – At Least 2.42 Million Records

Texas-based NEC Networks, doing business as CaptureRx, was the victim of the largest healthcare ransomware attack of 2021. Prior to the use of ransomware to encrypt files, the attackers exfiltrated files containing the personal and protected health information of its healthcare provider clients. The breach was reported by NEC Networks as affecting 1,656,569 patients of its healthcare provider clients, but several clients reported the breach separately. In total, at least 2.42 million individuals were affected.

Forefront Dermatology, S.C. – 2,413,553 Records

The Wisconsin-based healthcare provider, Forefront Dermatology, discovered in June 2021 that unauthorized individuals had gained access to its network and had viewed, and potentially obtained, private and confidential employee and patient information, including names and Social Security numbers.

The investigation confirmed the personal and protected health information of 4,431 individuals had been compromised, but the systems accessed by the attacker contained the records of 2,413,553 individuals, all of whom may have been affected.

Eskenazi Health – 1,515,918 Records

The Indiana-based healthcare provider Eskenazi Health suffered a ransomware attack in August conducted by the Vice Society ransomware gang. Prior to encrypting files, the attackers exfiltrated files containing the personal and protected health information of 1,515,918 patients, including Social Security numbers, passport numbers, driver’s licenses, photographs, pharmacy records, and financial information, some of which were leaked on the group’s data leak site when the ransom was not paid.

The Kroger Co. – 1,474,284 Records

The Ohio-based grocery chain and pharmacy operator, the Kroger Company, was one of the companies worst affected by the exploitation of vulnerabilities in its Accellion File Transfer Appliance (FTA). Kroger said the internal investigation revealed fewer than 1% of its customers were affected – 1,474,284 individuals. Names, contact information, Social Security numbers, insurance claim information, prescription information, and some medical history information were stolen in the attack. Lawsuits were filed in response to the breach, which Kroger settled for $5 million.

St. Joseph’s/Candler Health System, Inc. – 1,400,000 Records

Georgia-based St. Joseph Candler Health System was another 2021 healthcare ransomware attack victim. The ransomware attack occurred in June; however, hackers had first breached its network 6 months previously. During those 6 months, the attackers had access to the sensitive data of 1,400,000 patients, including names, date of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information, and medical information. Two class action lawsuits were filed in the wake of the breach alleging negligence for failing to prevent the attack and for failing to discover the breach for 6 months.

University Medical Center Southern Nevada – 1,300,000 Records

The Nevada-based healthcare provider University Medical Center Southern Nevada suffered a ransomware attack conducted by the REvil ransomware gang. The attackers allegedly issued a ransom demand of $12 million for the keys to unlock encrypted files and to prevent any misuse of stolen data. The gang potentially stole the personal and protected health information of 1,300,000 patients, and some of that information was posted to the gang’s data leak site, including names, dates of birth, Social Security numbers, passports, and health histories.

American Anesthesiology, Inc. – 1,269,074 Records

New York-based American Anesthesiology, Inc. was affected by a phishing attack on one of its business associates, MEDNAX. Employees responded to the phishing emails and disclosed their credentials, which provided the attackers with access to email accounts containing the protected health information of 1,269,074 patients. The attack did not appear to have been conducted to steal patient data; instead, the attackers were trying to divert payroll to their own accounts.

Professional Business Systems, Inc. dba Practicefirst Medical Management Solutions and PBS Medcode Corp – 1,210,688 Records

The New York practice management company, Professional Business Systems, doing business as Practicefirst Medical Management Solutions and PBS Medcode Corp., was the victim of an attempted ransomware attack. Prior to attempting to encrypt data, the attackers exfiltrated files containing the names, addresses, driver’s license numbers, Social Security numbers, email addresses, and tax identification numbers of employees and patients of its healthcare provider clients. In total, the protected health information of 1,210,688 individuals was potentially stolen.

Other Large Healthcare Data Breaches Reported in 2021

The table below lists the U.S. healthcare data breaches reported to the HHS’ Office for Civil Rights in 2021 that affected between 500,000 and 1,000,000 individuals. Seven of the 15 breaches are known ransomware attacks, and a further three stem from the Accellion FTA data theft and extortion campaign.

Name of Covered Entity | State | Entity Type | Individuals Affected | Type of Breach | Breach Cause
Personal Touch Holding Corp. | New York | Business Associate | 753,107 | Hacking/IT Incident | Ransomware
Oregon Anesthesiology Group, P.C. | Oregon | Healthcare Provider | 750,500 | Hacking/IT Incident | Ransomware
UF Health Central Florida | Florida | Healthcare Provider | 700,981 | Hacking/IT Incident | Ransomware
Sea Mar Community Health Centers | Washington | Healthcare Provider | 688,000 | Hacking/IT Incident | Unspecified hacking incident involving data theft
Health Net Community Solutions | California | Health Plan | 686,556 | Hacking/IT Incident | Accellion FTA data theft and extortion attack
Community Medical Centers, Inc. | California | Healthcare Provider | 656,047 | Hacking/IT Incident | Unspecified hacking incident
DuPage Medical Group, Ltd. | Illinois | Healthcare Provider | 655,384 | Hacking/IT Incident | Ransomware
Hendrick Health | Texas | Healthcare Provider | 640,436 | Hacking/IT Incident | Ransomware
UNM Health | New Mexico | Healthcare Provider | 637,252 | Hacking/IT Incident | Unspecified hacking incident involving data theft
Trinity Health | Michigan | Business Associate | 586,869 | Hacking/IT Incident | Accellion FTA data theft and extortion attack
Utah Imaging Associates, Inc. | Utah | Healthcare Provider | 582,170 | Hacking/IT Incident | Unspecified hacking incident
Texas ENT Specialists | Texas | Healthcare Provider | 535,489 | Hacking/IT Incident | Ransomware
Wolfe Clinic, P.C. | Iowa | Healthcare Provider | 527,378 | Hacking/IT Incident | Ransomware
Health Net of California | California | Health Plan | 523,709 | Hacking/IT Incident | Accellion FTA data theft and extortion attack
State of Alaska Department of Health & Social Services | Alaska | Health Plan | 500,000 | Hacking/IT Incident | Hack by nation-state espionage group

Over 212,500 Patients Affected by 2020 Email Account Breach at Florida Digestive Health Specialists

The Bradenton, FL-based gastroenterology healthcare provider Florida Digestive Health Specialists (FDHS) has recently started notifying more than 212,000 patients that some of their protected health information has been exposed in a December 2020 cyberattack.

Notification letters were sent to affected individuals on December 27, 2021, by attorney Jason M. Schwent of Clark Hill. The letters explain that suspicious activity was detected in an employee email account on December 16, 2020, which involved an unauthorized individual sending emails from that account.

This was a business email compromise attack where access to an internal email account is gained, usually via a phishing email, and the account is then used to impersonate an employee to convince other individuals to make fraudulent wire transfers. In this case, on December 21, 2020, FDHS determined a fraudulent transfer of funds had been made to an unknown bank account.

FDHS engaged the services of Clark Hill and a third-party cybersecurity firm to investigate the cyberattack. The investigation confirmed a limited number of employee email accounts had been accessed by unauthorized individuals. Those accounts were described as “voluminous” and contained the personal and protected health information of 212,509 patients. In attacks such as this, the aim of the attack is to obtain payments through fraudulent wire transfers rather than to obtain patient data; however, data theft could not be ruled out.

The amount of data present in the compromised email accounts was provided as a reason for a 12-month delay in issuing notification letters to affected patients. FDHS said the review of the email accounts was time-consuming and only concluded on November 19, 2021.

In response to the breach, several changes were made to its IT systems to improve security. Those measures include a password reset across its IT environment, implementation of multifactor authentication, strengthening password protocols, and reconfiguring its firewall.

Affected individuals have been offered 12-months of complimentary credit monitoring and identity theft protection services.

Patient Data Stolen in Cyberattack on the Medical Review Institute of America

The Medical Review Institute of America (MRoiA) suffered a suspected ransomware attack in November 2021 in which sensitive patient data were stolen.

MRoiA is provided with patient data by HIPAA-covered entities as part of the clinical peer review process of healthcare services. In a data breach notice provided to the Vermont attorney general, MRoiA said it was the victim of a sophisticated cyberattack that was detected on November 9, 2021. Third-party cybersecurity experts were immediately engaged to conduct a forensic investigation to determine the nature and scope of the attack and to assist with its remediation efforts, including restoring its systems and operations.

On November 12, 2021, MRoiA discovered the attackers had exfiltrated sensitive data, including patients’ electronic protected health information (ePHI). MRoiA did not state in the breach notification letter whether ransomware was involved, although the attack has the hallmarks of a double-extortion ransomware attack.

MRoiA said on November 16, 2021, it received assurances that the stolen data were retrieved and copies of the data have been deleted, which suggests the ransom demand was paid, although that has not been confirmed.

MRoiA said the investigation into the attack is ongoing and a review of the compromised files has been completed. Individuals affected by the attack have had their full names compromised in addition to one or more of the following data elements: Gender, home address, phone number, email address, date of birth, Social Security number, medical history, diagnosis, treatment information, dates of service, lab test results, prescription information, provider name, medical account number (and other data stored in medical files/records), health insurance information, and claims information.

MRoiA said that prior to the breach it had adopted the HITRUST Common Security Framework (CSF), was compliant with the requirements of HIPAA and the HITECH Act, and had secured its systems to prevent unauthorized access. In response to the breach, additional cybersecurity safeguards are being implemented. These include constant monitoring of systems using advanced threat hunting and detection software, implementing additional authentication procedures, hardening its backup environment, and enhancing employee cybersecurity training.

New servers were built from the ground up to ensure no further unauthorized access was possible and MRoiA is working with third-party cybersecurity experts to further improve its security posture. Affected individuals have been offered complimentary identity monitoring services.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures

The Chicago, IL-based certified public accounting firm Bansley & Kiener LLP is facing a class action lawsuit over a data breach that was reported to regulators this December.

The breach in question occurred in the second half of 2020, with the investigation indicating hackers accessed its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener discovered the breach on December 10, 2020, when ransomware was used to encrypt files. Bansley & Kiener explained in its breach notification letters that it was confirmed on May 24, 2021, that the attackers had exfiltrated data from its systems prior to encrypting files.

Bansley & Kiener manages payroll, health insurance, and pension plans for its clients. In total, the sensitive information of 274,000 individuals was exposed or compromised, including names, dates of birth, Social Security numbers, passport numbers, tax IDs, military IDs, driver’s license numbers, financial account information, payment card numbers, health information, and complaint claims.

While the attack was detected in December 2020, it took until December 2021 for notification letters to be issued to affected individuals and for state attorneys general and the HHS’ Office for Civil Rights to be notified about the breach, 6 months after it was confirmed that sensitive data was stolen in the attack.

The lawsuit was filed by Mason Lietz & Klinger LLP in the Circuit Court, First Judicial Circuit of Cook County, Illinois on behalf of plaintiff Gregg Nelson. The lawsuit alleges Bansley & Kiener failed to safeguard the sensitive data of its clients and failed to provide timely, accurate, and adequate notice of the data breach to individuals whose sensitive information was stolen.

According to the lawsuit, Bansley & Kiener unnecessarily delayed the issuing of notifications about the data breach, even though the individuals whose data was stolen were placed at significant risk of identity theft and various other forms of personal, social, and financial harm. When the notifications were sent, they failed to fully explain the nature of the breach. They did not explain that this was a ransomware attack and referred to the incident as an unauthorized person gaining access to its network that resulted in the encryption of systems.

The lawsuit also takes issue with the response to the data breach. After discovering the attack, files were restored from backups and normal business operations were resumed, and it was only when it was discovered that data had been exfiltrated from its systems, 5 months after the attack, that cybersecurity experts were retained to investigate the breach.

The lawsuit alleges Bansley & Kiener suffered a data breach due to “negligent and/or careless acts and omissions” relating to the safeguarding of sensitive data, and failed to monitor its systems for security vulnerabilities. The lawsuit alleges victims of the breach have incurred out-of-pocket expenses related to the prevention, detection, and resolution of identity theft and/or unauthorized use of their data, have spent time trying to mitigate the effects of the data breach, and have suffered from the lost or diminished value of their personal data.

The lawsuit seeks actual, nominal, and consequential damages, punitive damages, injunctive relief, legal costs, and a jury trial.
