Legal News about HIPAA and Healthcare Compliance

Med-Data Settles Data Breach Lawsuit for $7 Million

The Spring, TX-based revenue cycle management company Med-Data has agreed to a $7 million settlement to resolve all claims stemming from a data breach between 2018 and 2019 that involved the protected health information of approximately 136,000 individuals.

Between December 2018 and September 2019, an employee of Med-Data uploaded patient data to the public-facing software development hosting platform GitHub. The files were added to personal folders on GitHub Arctic Code Vault and contained the protected health information of patients of several of its clients. The exposed data included names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data removed the files when it was alerted to the data exposure and offered the affected individuals complimentary credit monitoring and identity protection services.

A lawsuit was filed in response to the data breach that claimed Med-Data failed to adequately protect the sensitive data it obtained from its clients and did not issue timely notifications when the breach was discovered. Med-Data chose to settle the lawsuit and the settlement has received preliminary court approval. There are two tiers to the settlement. The first tier allows affected individuals to claim up to $5,000 to cover documented, unreimbursed losses incurred due to the data breach, including out-of-pocket expenses such as bank fees, credit costs, and communication expenses, up to five hours of lost time at $25 per hour, and losses due to identity theft and medical identity theft.

Alternatively, class members can opt for the second tier, which will provide a cash payment of up to $500 to cover time spent in response to the data breach, including monitoring credit reports, signing up for credit monitoring services, changing passwords, and other actions. Claims will be paid pro rata, depending on the number of claims received.

Regardless of the tier chosen, class members can also claim a 3-year membership to a health data and fraud monitoring service (Medical Shield Premium), which includes a $1 million identity theft insurance policy (Pango). Class members have until April 26, 2024, to object to or exclude themselves from the settlement, and the final approval hearing has been scheduled for September 11, 2024.

The post Med-Data Settles Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.

Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million

Roper St. Francis Healthcare has agreed to a $1.5 million settlement to resolve a class action lawsuit that was filed in response to a data breach in 2020. Roper St. Francis Healthcare is a South Carolina-based healthcare system with 4 hospitals and more than 117 healthcare facilities in the state. In late October 2020, Roper St. Francis Healthcare discovered three email accounts had been compromised after employees responded to phishing emails. The email accounts were accessed by unauthorized individuals between October 14 and October 29, 2020. The compromised accounts contained the protected health information of 89,761 patients, including names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information.

A lawsuit was filed in response to the breach that claimed Roper St. Francis Healthcare was negligent by failing to implement reasonable and appropriate cybersecurity measures, and that Roper St. Francis Healthcare should have been aware that it was vulnerable to cyberattacks as it had experienced multiple data breaches in the past. Roper St. Francis Healthcare disagreed with the plaintiffs’ claims and chose to settle the lawsuit with no admission of wrongdoing.

Under the terms of the settlement, individuals who were notified about the data breach by Roper St. Francis Healthcare may claim up to $325 as reimbursement for data breach-related expenses, including credit costs and bank fees, and up to four hours of lost time at $20 per hour. If extraordinary losses have been incurred due to identity theft and fraud, claims may be submitted up to a maximum of $3,250. All class members are entitled to one year of credit monitoring services, in addition to those already offered in the individual notifications about the data breach. The deadline for exclusion from and objection to the settlement is April 30, 2024, and the final approval hearing has been scheduled for May 2, 2024.

The post Roper St. Francis Healthcare Settles Data Breach Lawsuit for $1.5 Million appeared first on HIPAA Journal.

Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit

A $1.45 million settlement has been agreed by Avem Health Partners to resolve claims related to a 2022 data breach involving the protected health information of 271,303 individuals. Avem Health Partners is an Oklahoma City-based provider of administrative and technology services to healthcare organizations. On May 16, 2022, hackers were found to have gained access to the servers of one of its vendors, 365 Data Centers. The unauthorized access occurred on May 14, 2022, and Avem Health Partners was notified about the data breach on September 9, 2022.

The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and diagnosis and treatment information, and the affected individuals were notified by Avem Health Partners in December 2022. Legal action – Bingaman, et al. v. Avem Health Partners Inc. – was taken over the breach, with the plaintiffs alleging that their protected health information had been negligently maintained and that the breach could have been prevented had appropriate cybersecurity measures been implemented. Avem Health Partners chose to settle the lawsuit with no admission of wrongdoing.

Claims will be accepted from individuals who were notified about the data breach by Avem Health Partners. Claims may be submitted for up to $7,000 to cover out-of-pocket expenses incurred due to the data breach, including credit expenses, bank fees, losses due to identity theft and fraud, and up to five hours of lost time at $25 per hour. Individuals who do not submit claims to cover losses will be eligible to receive a cash payment of up to $100, although that amount may be reduced depending on the number of claims received.

Regardless of the option chosen, class members will be eligible to receive three years of identity theft protection and credit monitoring services, which include a $1 million identity theft insurance policy. The deadline for objection to and exclusion from the settlement is April 25, 2024, and the final approval hearing has been scheduled for May 10, 2024.

The post Avem Health Partners Agrees $1.45 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Petersen Health Care Files for Bankruptcy Following Ransomware Attacks

Peoria, Illinois-based Petersen Health Care, one of the largest operators of nursing homes in the United States, filed for Chapter 11 protection in a Delaware bankruptcy court on Wednesday following cyberattacks that led to defaults on government-backed loans. Petersen Health Care operates more than 90 nursing homes in Illinois, Missouri, and Iowa, employs almost 4,000 people, and has almost 6,800 residents. The company had more than $339 million in revenue in 2023 but has debts of more than $295 million, including $45 million owed on healthcare facility loans insured by the U.S. Department of Housing and Urban Development.

Petersen Health Care has had long-term financial difficulties. Like many other nursing home operators, Petersen Health Care has been struggling due to a decline in demand for nursing homes since the start of the pandemic, with many people favoring in-home care, and it has been difficult to attract qualified nursing staff due to increased competition. Petersen Health Care has also been struggling to be reimbursed for Medicaid costs and has a backlog of unpaid claims due to the 2015-2017 budget impasse in Illinois.

While in this precarious position, Petersen Health Care fell victim to a ransomware attack in October 2023. The Cactus ransomware group claimed responsibility for the attack and started leaking some of the data stolen in the attack when the ransom was not paid. Petersen Health Care said a substantial number of business records were lost, which made it incredibly difficult to bill customers and insurers, resulting in substantial delays in reimbursement for the services provided. Then in February 2024, another ransomware group, BlackCat, attacked Change Healthcare. The attack caused a prolonged outage that has affected healthcare providers across the country. As a result of the outages, payments to providers ground to a halt. Change Healthcare was a major payor for Petersen Health Care, adding to the company’s financial difficulties.

The cyberattacks could not have come at a worse time for Petersen Health Care, causing it to default on repayments on its HUD loans. After defaulting on the loans, its lenders placed 19 of its locations into receivership, which caused further disruption to its operations. Petersen Health Care has been transitioning those locations to the receiver’s control but said it is facing demand after demand from the receiver while trying to address its ongoing financial problems. Petersen Health Care said that even with these problems it remains committed to providing quality care. The company has secured a $45 million loan to cover operational expenses during the Chapter 11 proceedings and is working on restructuring its debts to ensure a more sustainable future.

The post Petersen Health Care Files for Bankruptcy Following Ransomware Attacks appeared first on HIPAA Journal.

Healthcare Providers Sue UnitedHealth Group Over Change Healthcare Ransomware Attack

Lawsuits have started to be filed against UnitedHealth Group, Optum Inc., and Change Healthcare by healthcare providers that have been unable to access Change Healthcare’s services due to the shutdown of its computer networks after a BlackCat ransomware attack. Without access to those systems, healthcare providers have been unable to get paid for the medical services they have provided while Change Healthcare’s systems have been offline. Many of the affected healthcare providers have limited financial resources to cover payroll and operating expenses, which have been rapidly drained. The severe delays in processing claims and revenue cycle services have pushed many healthcare providers close to bankruptcy.

Last week, a class action lawsuit was filed on behalf of a women’s healthcare practice in Albany, MS, and other healthcare providers that have suffered delays processing claims and revenue cycle services. Like many healthcare providers, Advanced Obstetrics & Gynecology PC has limited liquidity and relies on the prompt payment of claims to keep the business afloat. The lawsuit explained that Advanced has received approximately $39,000 a week in paid claims from insurance companies over the past two years, and since the Change Healthcare cyberattack, Advanced has been unable to secure those payments. According to the lawsuit, between February 21, 2024, when the attack occurred, and March 14, 2024, when the lawsuit was filed, Advanced was denied $132,000, and that amount is increasing each day. The lawsuit claims that hundreds if not thousands of healthcare providers are in a similar position and are facing bankruptcy, and that may have already happened with some healthcare providers.

One of the problems with such a large company is that an outage can have massive implications. Change Healthcare processes around half of all medical payments, so the fallout from the prolonged outage has been severe. Healthcare providers in Massachusetts alone are estimated to be losing around $24 million per day. Because of the implications of any cyberattack, Change Healthcare needs to have excellent security and contingency plans to keep its services available in the event of a cyberattack, but the lawsuit claims that the security measures were lacking and its breach response hasn’t been good enough. The lawsuit alleges that Change Healthcare failed to implement reasonable and appropriate security measures, policies, and practices to ensure that sensitive data and its systems were protected from attacks. The lawsuit also claims that despite knowing that only certain systems were affected, Change Healthcare took all of its systems offline, resulting in massive disruption to the healthcare providers that rely on those systems, thus guaranteeing that they would experience severe financial difficulties.

Another class action lawsuit was filed on behalf of affected providers by Gibbs Law Group on March 18, 2024, to try to recover providers’ losses. “We are hearing from healthcare providers throughout the country who are distraught and concerned that they may not be able to buy medical supplies, make payroll, or pay rent as a result of this crippling disruption to the nation’s healthcare infrastructure,” said Rosemary Rivas, a lead attorney with Gibbs Law Group. “Change Healthcare has touted itself as a ‘trusted partner’ to providers and payors, but the company’s failure to protect its networks and safeguard critical health information has resulted in widespread harms, and deeply eroded trust.”

Many lawsuits have already been filed against UnitedHealth Group and Change Healthcare on behalf of individuals who had their personal and health data compromised in the attack. The BlackCat ransomware affiliate behind the attack claims to have stolen 6GB of data, including sensitive patient data, although the extent of any data breach has yet to be confirmed by UnitedHealth Group. The HHS’ Office for Civil Rights has also launched an investigation into Change Healthcare to determine if the company was compliant with the HIPAA Rules.

UnitedHealth Group confirmed on March 15, 2024, that Change Healthcare’s electronic payment system had been restored and 99% of its pharmacy network services are up and running, although some Change Healthcare systems remain offline. UnitedHealthcare has also set up a financial assistance program through Optum and has so far advanced more than $2 billion to healthcare providers to help ease the financial strain.

The post Healthcare Providers Sue UnitedHealth Group Over Change Healthcare Ransomware Attack appeared first on HIPAA Journal.

Tennessee Orthopaedic Clinics Settles Class Action Data Breach Lawsuit

Knoxville, TN-based Tennessee Orthopaedic Clinics has agreed to settle a class action lawsuit that was filed in response to a March 2023 cyberattack and data breach that affected 46,679 individuals. The information exposed included names, contact information, dates of birth, diagnosis and treatment information, provider names, dates of service, cost of services, prescription information, and/or health insurance information.

The affected individuals were notified about the breach in early May, and a class action lawsuit was rapidly filed that claimed Tennessee Orthopaedic Clinics was negligent by failing to implement reasonable and appropriate cybersecurity measures. According to the lawsuit, the data breach could have been prevented if those measures had been implemented. Tennessee Orthopaedic Clinics chose to settle the lawsuit with no admission of wrongdoing to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, individuals who were notified about the data breach may submit claims for ordinary expenses such as communication charges, credit expenses, bank fees, and lost time (max 3 hours at $20 per hour) up to a maximum of $1,500.

Claims of up to $4,000 may also be submitted for documented extraordinary expenses such as losses due to fraud or identity theft between March 20, 2023, and April 8, 2024, provided the claimant made reasonable efforts to avoid those losses and those losses have not already been reimbursed. All class members are also entitled to two years of single-bureau credit monitoring and identity theft protection services. The deadline for exclusion or objection to the settlement has passed, and the final approval hearing was scheduled for March 14, 2024. Class members wishing to submit claims must do so by April 8, 2024.

The post Tennessee Orthopaedic Clinics Settles Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

LockBit Affiliate Sentenced to 4 Years in Jail and Ordered to Pay $860,000 in Restitution

An affiliate of the notorious LockBit ransomware group has been sentenced in Canada to almost four years in jail and has been ordered to pay more than $860,000 in restitution. Mikhail Vasiliev, 34, is a Russian-Canadian national who was born in Moscow and moved to Canada more than 20 years ago. During the COVID-19 pandemic, Vasiliev became an affiliate of the LockBit ransomware operation, one of the most prolific ransomware-as-a-service groups over the past few years. Around 18 months ago, Vasiliev was arrested following a raid of his home in Bradford, Ontario. The search of his property uncovered a list of prospective and historical victims, instructions on how to deploy LockBit ransomware, the source code of the ransomware, the control panel used to deliver the ransomware, and screenshots of conversations with a core member of the LockBit Group – LockBitSupp – on the Tox messaging platform.

Vasiliev admitted to being an affiliate of the LockBit group between 2021 and 2022 and having conducted attacks on businesses in Saskatchewan, Montreal, and Newfoundland, from whom he stole data, encrypted files, and demanded ransom payments. Vasiliev pleaded guilty to eight counts, including cyber extortion, mischief, and weapons charges. Vasiliev has also been under investigation by law enforcement in the United States for around two years, and last month, the U.S. Department of Justice charged Vasiliev with conspiracy to intentionally damage protected computers and to transmit ransom demands. Vasiliev has consented to extradition to the United States and his extradition is pending. If convicted in the United States, Vasiliev faces a maximum sentence of five years in jail. The DOJ also announced charges against four other individuals suspected of working with the LockBit group.

The LockBit group is alleged to have conducted over 2,000 ransomware attacks in the United States alone and generated more than $144 million in ransom payments in its four years of operation. Several healthcare organizations have fallen victim to LockBit ransomware attacks including Capital Health in New Jersey, Saint Anthony Hospital in Chicago, and Varian Medical Systems in California. In February 2024, the group’s infrastructure was seized as part of an international law enforcement operation, and three individuals suspected of involvement with the operation were arrested in Poland and Ukraine. A few days later, the U.S. State Department announced rewards of up to $15 million for information about the leaders of the group and any information that could lead to the arrest of any individual who participated in the LockBit operation. The LockBit group restored its data leak site within a week of the takedown, set up new infrastructure, and started listing new victims on its data leak site.

The post LockBit Affiliate Sentenced to 4 Years in Jail and Ordered to Pay $860,000 in Restitution appeared first on HIPAA Journal.

Class Action Lawsuits Filed Against American Vision Partners Over Data Breach

Class action lawsuits are stacking up against Medical Management Resource Group LLC (MMRC), which does business as American Vision Partners, over a major data breach that was announced in early February. MMRC discovered a breach of its systems on November 14, 2023, and the investigation confirmed that the protected health information of 2,350,236 individuals was stored on the compromised parts of its network. The individuals affected by the data breach had their names, contact information, dates of birth, medical information, clinical records, Social Security numbers, and health insurance information exposed. Notification letters were sent to those individuals last month and they were offered complimentary credit monitoring services.

Between February 23 and February 28, three class action lawsuits were filed in the US District Court for the District of Arizona by patients whose protected health information was compromised in the breach. The lawsuits allege negligence and claim that MMRC/American Vision Partners failed to implement reasonable and appropriate cybersecurity measures to protect the sensitive data stored on their networks and failed to follow industry best practices for cybersecurity despite being aware of the high risk of cyberattacks on the healthcare sector.

The lawsuits, Yaeger v. Medical Management Resource Group LLC d/b/a American Vision Partners, Daley v. Medical Management Resource Group LLC d/b/a American Vision Partners, and Moudgal v. Medical Management Resource Group LLC d/b/a American Vision Partners, all make similar allegations and seek class certification, a jury trial, and damages. The plaintiffs claim that they have suffered injuries and have incurred out-of-pocket expenses as a result of the data breach and face an imminent and ongoing threat of identity theft and fraud as a direct result of the data breach.

David Yaeger and the class are represented by Cristina Perez Hesano of Perez Law Group PLLC and Kenneth J. Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert; Steven Daley and the class are represented by Perez Hesano, Bryan L. Bleichner, and Philip J. Krzeski of Chestnut Cambronne; Pal and Lakshminarasimha Moudgal and the class are represented by Perez Hesano, Terence R. Coates and Jonathan T. Deters of Markovits, Stock and DeMarco LLC.

The post Class Action Lawsuits Filed Against American Vision Partners Over Data Breach appeared first on HIPAA Journal.

Indiana Attorney General Files Lawsuit Against Apria Healthcare Alleging HIPAA Violations

Indiana Attorney General Todd Rokita has filed a lawsuit against Apria Healthcare alleging violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws following a cyberattack and data breach that affected 1,869,598 individuals, including 42,000 Hoosiers.

Apria Healthcare is an Indianapolis, IN-based provider of home healthcare equipment and related services. Apria Healthcare was notified by the Federal Bureau of Investigation (FBI) on September 1, 2021, about unauthorized access to its internal systems. The investigation confirmed that between April 5, 2019, and May 7, 2019, and again from August 27, 2021, to October 10, 2021, an unauthorized third party accessed its internal systems, including several employee email accounts. The electronic protected health information exposed included names, birth certificates, financial information, Social Security numbers, medical histories, and health information. Apria Healthcare determined that the reason for the intrusion was to obtain funds from Apria Healthcare rather than patient data. Notifications were mailed to the affected individuals in May 2023, more than 20 months after being notified about the breach by the FBI.

Attorney General Rokita alleged that Apria Healthcare deliberately concealed the data breach by failing to issue notifications for 629 days and that the delay violated the HIPAA Breach Notification Rule, which requires individual notifications to be issued to the affected individuals within 60 days of the discovery of a data breach. The delayed notification also violated Indiana’s Disclosure of a Security Breach Act, which requires notifications to be issued without undue delay and not more than 45 days after the discovery of a data breach. Owens and Minor acquired Apria Healthcare in March 2022. Attorney General Rokita alleged that Owens and Minor was aware of the data breaches yet still failed to issue timely notifications.

Attorney General Rokita also alleged violations of the HIPAA Privacy and Security Rules – the failure to implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, and the impermissible disclosure of the ePHI of more than 1.8 million individuals – and violations of the Indiana Deceptive Consumer Sales Act. “Patients should be able to trust their medical providers at all times,” said Attorney General Rokita. “All Hoosier patients deserve their privacy, especially when it comes to medical care. When your private information is accessible or leaked to a stranger, you’re susceptible to life-altering threats, such as identity theft and financial ruin. Our office has adamantly fought back against careless companies who disregard major cybersecurity threats.”

The post Indiana Attorney General Files Lawsuit Against Apria Healthcare Alleging HIPAA Violations appeared first on HIPAA Journal.