Planned Parenthood Los Angeles, a provider of reproductive healthcare services in Los Angeles County, has proposed a $6 million settlement to resolve all claims related to a 2021 data breach that exposed the personal information of more than 409,437 patients.

Between October 9, 2021, and October 17, 2021, hackers accessed the Planned Parenthood Los Angeles network, exfiltrated sensitive patient data, and used ransomware to encrypt files. Planned Parenthood discovered the ransomware attack on October 17, 2021, and confirmed on November 4, 2021, that the stolen files contained patient data. The stolen data included names, addresses, dates of birth, diagnoses, health insurance information, and medical information, including procedures and prescriptions.

A lawsuit – In re: Planned Parenthood Los Angeles Data Incident Litigation – was filed in the U.S. District Court of Central California over the data breach that alleged that Planned Parenthood Los Angeles was negligent by failing to implement reasonable and appropriate cybersecurity measures in line with industry standards, and had those measures been implemented, the ransomware attack and data breach could have been avoided. The lawsuit alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA).

According to the lawsuit, the timing of the breach was such that patients would be more likely to suffer harm, as it coincided with Supreme Court debates on abortion. The stolen data also included highly sensitive health information such as abortion procedures, treatment of sexually transmitted diseases, emergency contraception prescriptions, and cancer screening information.

Planned Parenthood Los Angeles chose to settle the lawsuit with no admission of wrongdoing. Claims will be accepted up to a maximum of $10,000 to recover documented losses incurred as a result of the data breach, including bank costs, credit expenses, fraudulent charges, and losses to identity theft and fraud. Class members can also claim up to 7 hours of lost time at $30 per hour and three years of credit monitoring and identity theft protection services, which include a $1 million identity theft protection policy.

Class members will also be entitled to statutory damages, with the payments depending on participation rates. Statutory damages will be paid from the remainder of the $6 million fund after claims have been paid. If there is a 10% participation rate, statutory damages are estimated to be around $66 per class member. Class members are individuals who were notified about the data breach by Planned Parenthood Los Angeles in or around November 2021.

Key Dates:

• Deadline for objection/exclusion: June 6, 2024
• Deadline for claims: June 7, 2024
• Final Hearing: August 8, 2024

The post Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million appeared first on HIPAA Journal.

Planned Parenthood Los Angeles, a provider of reproductive healthcare services in Los Angeles County, has proposed a $6 million settlement to resolve all claims related to a 2021 data breach that exposed the personal information of more than 409,437 patients.

Between October 9, 2021, and October 17, 2021, hackers accessed the Planned Parenthood Los Angeles network, exfiltrated sensitive patient data, and used ransomware to encrypt files. Planned Parenthood discovered the ransomware attack on October 17, 2021, and confirmed on November 4, 2021, that the stolen files contained patient data. The stolen data included names, addresses, dates of birth, diagnoses, health insurance information, and medical information, including procedures and prescriptions.

A lawsuit – In re: Planned Parenthood Los Angeles Data Incident Litigation – was filed in the U.S. District Court of Central California over the data breach that alleged that Planned Parenthood Los Angeles was negligent by failing to implement reasonable and appropriate cybersecurity measures in line with industry standards, and had those measures been implemented, the ransomware attack and data breach could have been avoided. The lawsuit alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA).

According to the lawsuit, the timing of the breach was such that patients would be more likely to suffer harm, as it coincided with Supreme Court debates on abortion. The stolen data also included highly sensitive health information such as abortion procedures, treatment of sexually transmitted diseases, emergency contraception prescriptions, and cancer screening information.

Planned Parenthood Los Angeles chose to settle the lawsuit with no admission of wrongdoing. Claims will be accepted up to a maximum of $10,000 to recover documented losses incurred as a result of the data breach, including bank costs, credit expenses, fraudulent charges, and losses to identity theft and fraud. Class members can also claim up to 7 hours of lost time at $30 per hour and three years of credit monitoring and identity theft protection services, which include a $1 million identity theft protection policy.

Class members will also be entitled to statutory damages, with the payments depending on participation rates. Statutory damages will be paid from the remainder of the $6 million fund after claims have been paid. If there is a 10% participation rate, statutory damages are estimated to be around $66 per class member. Class members are individuals who were notified about the data breach by Planned Parenthood Los Angeles in or around November 2021.

Key Dates:

• Deadline for objection/exclusion: June 6, 2024
• Deadline for claims: June 7, 2024
• Final Hearing: August 8, 2024

The post Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million appeared first on HIPAA Journal.

A lawsuit against CareFirst BlueCross BlueShield that was filed in response to a 2014 data breach has had a contract class certified by a federal judge, 9 years after legal action was initiated. The lawsuit can now proceed and more than 1 million plan members are a step closer to obtaining damages. In June 2014, hackers gained access to CareFirst systems, which contained the data of around 1.1 million plan members; however, the intrusion was not detected for several months. In response to major data breaches at Anthem Inc., Premera, Excellus, and Community Health Systems, CareFirst conducted a review of its systems which reviewed there had been unauthorized access to one of its databases.

CareFirst announced the data breach in May 2015 and explained that a single database was compromised that stored data that members and other individuals enter to access CareFirst’s websites and online services. The compromised data included names, birth dates, email addresses, and subscriber ID numbers, but no highly sensitive information such as Social Security numbers, financial information, or health information.

A lawsuit – Chantal Attias, et al. vs. CareFirst  – was filed in the U.S. District Court for the District of Columbia shortly after the notification letters were mailed that alleged injuries had been suffered as a result of the breach. The lawsuit, which named seven policyholders as plaintiffs, alleged breach of contract and violations of the Consumer Protection Acts in Maryland and Virginia. The lawsuit was dismissed in 2016 due to a lack of standing, as the plaintiffs failed to allege a concrete, identifiable injury had been sustained as a result of the breach. The ruling was appealed, and the District Court’s ruling was overturned. In 2018, the Supreme Court declined a review of the case, which was referred back to the District Court, then followed several years of back-and-forth litigation. In 2022, the plaintiffs moved to certify three classes, one for each cause of action; however, in March 2023, District Court Judge Christopher Cooper denied the plaintiffs’ motion to certify two consumer classes and one contract class without prejudice, allowing the plaintiffs to file a renewed and modified motion which they did.

In late 2023, CareFirst’s motion for summary judgment was partially granted, and the claims under the consumer protection statutes in Maryland and Virginia were dismissed. The court found that the plaintiffs could not show there had been any identity theft, and under Washington D.C. law, mitigation expenses incurred to abate the risk of future fraud do not qualify as actual damages, therefore the plaintiffs would only be able to recover nominal damages.

On March 29, 2023, after careful consideration and a hearing on the matter, Judge Cooper found that certification of a contract class was warranted. “The standing issue that prevented the Court from certifying the last go around has since dissolved because, as all sides agree, each member of the proposed class has allegedly suffered a concrete injury based on CareFirst’s supposed breach of its contractual obligation to safeguard its customers’ data—regardless of whether they sustained an additional, tangible injury due to the data breach,” wrote Judge Cooper in his ruling.

The contract class consists of all individuals in the District of Columbia, Maryland, or Virginia who purchased or possessed health insurance from CareFirst, had their sensitive data exposed in the data breach, and were notified about that breach by CareFirst in May 2015.

The post Contract Class Certified in CareFirst Data Breach Lawsuit 9 Years After Legal Action was Initiated appeared first on HIPAA Journal.

Lamoille Health Partners, a Vermont health system serving patients in Lamoille County, has agreed to settle a lawsuit that was filed in response to a June 2022 ransomware attack in which the protected health information of 59,381 patients was exposed and potentially stolen. Hackers gained access to the Lamoille Health Partners network between June 12, 2022, and June 13, 2022, and used ransomware to encrypt files. The attack exposed names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information. The affected individuals were notified about the breach in August 2022 and individuals who had their Social Security numbers exposed were offered complimentary identity protection and credit monitoring services.

A lawsuit – Marshall v Lamoille Health Partners Inc. – was filed in the U.S. District Court for the District of Vermont on September 1, 2022, in response to the breach that alleged Lamoille Health Partners was negligent by failing to implement reasonable and appropriate cybersecurity measures and follow security best practices. The lawsuit also alleged there was an unnecessary delay in notifying the affected individuals and that Lamoille Health Partners was not compliant with the HIPAA Rules. The lawsuit claimed the plaintiff, Patricia Marshall, and the class faced an imminent and ongoing risk of identity theft and fraud due to their sensitive information being in the hands of cybercriminals.

Lamoille Health Partners has not admitted to any wrongdoing and disagrees with the claims; however, a settlement was proposed to bring the legal action to an end. Under the terms of the proposed settlement, a $540,000 fund will be created to cover claims from individuals who were affected by the breach. Class members can submit claims of up to $5,000 to cover unreimbursed, documented out-of-pocket expenses incurred as a result of the breach, including bank fees, credit expenses, travel expenses, costs of credit monitoring services, and unauthorized charges. In addition, all class members will be entitled to a pro-rata payment which will be distributed after attorneys’ fees and legal costs have been deducted and claims have been paid. The payment is anticipated to be around $50 per class member.

Important Dates:

• Deadline for exclusion/objection: May 30, 2024
• Deadline for submitting claims: June 20, 2024
• Final approval hearing: September 30, 2024

The post Lamoille Health Partners Settles Class Action Data Breach Lawsuit for $540,000 appeared first on HIPAA Journal.

The Spring, TX-based revenue cycle management company Med-Data has agreed to a $7 million settlement to resolve all claims stemming from a data breach between 2018 and 2019 that involved the protected health information of approximately 136,000 individuals.

Between December 2018 and September 2019, an employee of Med-Data uploaded patient data to the public-facing software development hosting platform GitHub. The files were added to personal folders on GitHub Arctic Code Vault and contained the protected health information of patients of several of its clients. The exposed data included names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data removed the files when it was alerted to the data exposure and offered the affected individuals complimentary credit monitoring and identity protection services.

A lawsuit was filed in response to the data breach that claimed Med-Data failed to adequately protect the sensitive data it obtained from its clients and did not issue timely notifications when the breach was discovered. Med-Data chose to settle the lawsuit and the settlement has received preliminary court approval. There are two tiers to the settlement. The first tier allows affected individuals to claim up to $5,000 to cover documented, unreimbursed losses incurred due to the data breach, including out-of-pocket expenses such as bank fees, credit costs, and communication expenses, up to five hours of lost time at $25 per hour, and losses due to identity theft, identity theft, and medical identity theft.

Alternatively, class members can opt for the second tier, which will provide a cash payment of up to $500 to cover time spent in response to the data breach, including monitoring credit reports, signing up for credit monitoring services, changing passwords, and other actions. Claims will be paid pro rata, depending on the number of claims received.

Regardless of the tier chosen, class members can also claim a 3-year membership to a health data and fraud monitoring service (Medical Shield Premium), which includes a $1 million identity theft insurance policy (Pango). Class members have until April 26, 2024, to object to or exclude themselves from the settlement, and the final approval hearing has been scheduled for September 11, 2024.

The post Med-Data Settles Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.

Roper St. Francis Healthcare has agreed to a $1.5 million settlement to resolve a class action lawsuit that was filed in response to a data breach in 2020. Roper St. Francis Healthcare is a South Carolina-based healthcare system with 4 hospitals and more than 117 healthcare facilities in the state. In late October 2020, Roper St. Francis Healthcare discovered three email accounts had been compromised after employees responded to phishing emails. The email accounts were accessed by unauthorized individuals between October 14 and October 29, 2020. The compromised accounts contained the protected health information of 89,761 patients, including names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information.

A lawsuit was filed in response to the breach that claimed Roper St. Francis Healthcare was negligent by failing to implement reasonable and appropriate cybersecurity measures, and that Roper St. Francis Healthcare should have been aware that it was vulnerable to cyberattacks as it had experienced multiple data breaches in the past. Roper St. Francis Healthcare disagreed with the plaintiffs’ claims and chose to settle the lawsuit with no admission of wrongdoing.

Under the terms of the settlement, individuals who were notified about the data breach by Roper St. Francis Healthcare may claim up to $325 as reimbursement for data breach-related expenses, including credit costs and bank fees, and up to four hours of lost time at $20 per hour. If extraordinary losses have been incurred due to identity theft and fraud, claims may be submitted up to a maximum of $3,250. All class members are entitled to one year of credit monitoring services, in addition to those already offered in the individual notifications about the data breach. The deadline for exclusion from and objection to the settlement is April 30, 2024, and the final approval hearing has been scheduled for May 2, 2024.

The post Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million appeared first on HIPAA Journal.

A $1.45 million settlement has been agreed by Avem Health Partners to resolve claims related to a 2022 data breach involving the protected health information of 271,303 individuals. Avem Health Partners is an Oklahoma City-based provider of administrative and technology services to healthcare organizations. On May 16, 2022, hackers were found to have gained access to the servers of one of its vendors, 365 Data Centers. The unauthorized access occurred on May 14, 2022, and Avem Health Partners was notified about the data breach on September 9, 2022.

The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and diagnosis and treatment information, and the affected individuals were notified by Avem Health Partners in December 2022. Legal action – Bingaman, et al. v. Avem Health Partners Inc. – was taken over the breach with the plaintiffs alleging their protected health information was negligently maintained and had appropriate cybersecurity measures been implemented, the breach could have been prevented. Avem Health Partners chose to settle the lawsuit with no admission of wrongdoing.

Claims will be accepted from individuals who were notified about the data breach by Avem Health Partners. Claims may be submitted for up to $7,000 to cover out-of-pocket expenses incurred due to the data breach, including credit expenses, bank fees, losses to identity theft and fraud, and up to five hours of lost time at $25 per hour. Individuals who do not submit claims to cover losses will be eligible to receive a cash payment of up to $100, although that amount may be reduced depending on the number of claims received.

Regardless of the option chosen, class members will be eligible to receive three years of identity theft protection and credit monitoring services, which include a $1 million identity theft insurance policy. The deadline for objection to and exclusion from the settlement is April 25, 2024, and the final approval hearing has been scheduled for May 10, 2024.

The post Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.