Lawsuits have started to be filed against UnitedHealth Group, Optum Inc., and Change Healthcare by healthcare providers that have been unable to access Change Healthcare’s services due to the shutdown of its computer networks after a Blackcat ransomware attack. Without access to those systems, healthcare providers have been unable to get paid for the medical services they have provided while Change Healthcare’s systems have been offline. Many of the affected healthcare providers have limited financial resources to cover payroll and operating expenses, which have been rapidly drained. The severe delays in processing claims and revenue cycle services have pushed many healthcare providers close to bankruptcy.

Last week, a class action lawsuit was filed on behalf of a women’s healthcare practice in Albany, MS, and other healthcare providers that have suffered delays processing claims and revenue cycle services. Like many healthcare providers, Advanced Obstetrics & Gynecology PC has limited liquidity and relies on the prompt payment of claims to keep the business afloat. The lawsuit explained that Advanced has received approximately $39,000 a week in paid claims from insurance companies over the past two years, and since the Change Healthcare cyberattack, Advanced has been unable to secure those payments. According to the lawsuit, between February 21, 2024, when the attack occurred and March 14, 2024, when the lawsuit was filed, Advanced was denied $132,000, and that amount is increasing each day. The lawsuit claims that hundreds if not thousands of healthcare providers are in a similar position and are facing bankruptcy, and that may have already happened with some healthcare providers.

One of the problems with such a large company is that an outage can have massive implications. Change Healthcare processes around half of all medical payments to the fallout from the prolonged outage has been severe. Healthcare providers in Massachusetts alone are estimated to be losing around $24 million per day. Because of the implications of any cyberattack, Change Healthcare needs to have excellent security and contingency plans to keep its services available in the event of a cyberattack, but the lawsuit claims that the security measures were lacking and its breach response hasn’t been good enough. The lawsuit alleges that Change Healthcare failed to implement reasonable and appropriate security measures, policies, and practices to ensure that sensitive data and its systems were protected from attacks. The lawsuit also claims that despite knowing that only certain systems were affected, Change Healthcare took all of its systems offline, resulting in massive disruption to the healthcare providers that rely on those systems, thus guaranteeing that they would experience severe financial difficulties.

Another class action lawsuit was filed on behalf of affected providers by Gibbs Law Group on March 18, 2024, to try to recover providers’ losses. “We are hearing from healthcare providers throughout the country who are distraught and concerned that they may not be able to buy medical supplies, make payroll, or pay rent as a result of this crippling disruption to the nation’s healthcare infrastructure,” said Rosemary Rivas, a lead attorney with Gibbs Law Group. “Change Healthcare has touted itself as a ‘trusted partner’ to providers and payors, but the company’s failure to protect its networks and safeguard critical health information has resulted in widespread harms, and deeply eroded trust.”

Many lawsuits have already been filed against UnitedHealth Group and Change Healthcare on behalf of individuals who had their personal and health data compromised in the attack. The BlackCat ransomware affiliate behind the attack claims to have stolen 6GB of data, including sensitive patient data, although the extent of any data breach has yet to be confirmed by UnitedHealth Group. The HHS’ Office for Civil Rights has also launched an investigation into Change Healthcare to determine if the company was compliant with the HIPAA Rules.

UnitedHealth Group confirmed on March 15, 2024, that Change Healthcare’s electronic payment system had been restored and 99% of its pharmacy network services are up and running, although some Change Healthcare systems remain offline. UnitedHealthcare has also set up a financial assistance program through Optum and has so far advanced more than $2 billion to healthcare providers to help ease the financial strain.

The post Healthcare Providers Sue UnitedHealth Group Over Change Healthcare Ransomware Attack appeared first on HIPAA Journal.

Knoxville, TN-based Tennessee Orthopaedic Clinics has agreed to settle a class action lawsuit that was filed in response to a March 2023 cyberattack and data breach that affected 46,679 individuals. The information exposed included names, contact information, dates of birth, diagnosis and treatment information, provider names, dates of service, cost of services, prescription information, and/or health insurance information.

The affected individuals were notified about the breach in early May, and a class action lawsuit was rapidly filed that claimed Tennessee Orthopaedic Clinics was negligent by failing to implement reasonable and appropriate cybersecurity measures. According to the lawsuit, the data breach could have been prevented if those measures had been implemented.  Tennessee Orthopaedic Clinics chose to settle the lawsuit with no admission of wrongdoing to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, individuals who were notified about the data breach may submit claims for ordinary expenses such as communication charges, credit expenses, bank fees, and lost time (max 3 hours at $20 per hour) up to a maximum of $1,500.

Claims of up to $4,000 may also be submitted for documented extraordinary expenses such as losses due to fraud or identity theft between March 20, 2023, and April 8, 2024, provided the claimant made reasonable efforts to avoid those losses and those losses have not already been reimbursed. All class members are also entitled to two years of single bureau credit monitoring and identity theft protection services. The deadline for exclusion or objection to the settlement has passed, and the final approval hearing was scheduled for March 14, 2024. Class members wishing to submit claims must do so by April 8, 2024.

The post Tennessee Orthopaedic Clinics Settles Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

An affiliate of the notorious LockBit ransomware group has been sentenced in Canada to almost four years in jail and has been ordered to pay more than $860,000 in restitution. Mikhail Vasiliev, 34, is a Russian-Canadian national who was born in Moscow and moved to Canada more than 20 years ago. During the COVID-19 pandemic, Vasiliev became an affiliate of the LockBit ransomware operation, one of the most prolific ransomware-as-a-service groups over the past few years. Around 18 months ago, Vasiliev was arrested following a raid of his home in Bradford, Ontario. The search of his property uncovered a list of prospective and historical victims, instructions on how to deploy LockBit ransomware, the source code of the ransomware, the control panel used to deliver the ransomware, and screenshots of conversations with a core member of the LockBit Group – LockBitSupp – on the Tox messaging platform.

Vasiliev admitted to being an affiliate of the LockBit group between 2021 and 2022 and having conducted attacks on businesses in Saskatchewan, Montreal, and Newfoundland, from whom he stole data, encrypted files, and demanded ransom payments. Vasiliev pleaded guilty to eight counts, including cyber extortion, mischief, and weapons charges. Vasiliev has also been under investigation by law enforcement in the United States for around two years, and last month, the U.S. Department of Justice charged Vasiliev with conspiracy to intentionally damage protected computers and to transmit ransom demands. Vasiliev has consented to extradition to the United States and his extradition is pending. If convicted in the United States, Vasiliev faces a maximum sentence of five years in jail. The DOJ also announced charges against four other individuals suspected of working with the LockBit group.

The LockBit group is alleged to have conducted over 2,000 ransomware attacks in the United States alone and generated more than $144 million in ransom payments in its four years of operation. Several healthcare organizations have fallen victim to LockBit ransomware attacks including Capital Health in New Jersey, Saint Anthony Hospital in Chicago, and Varian Medical Systems in California. In February 2024, the group’s infrastructure was seized as part of an international law enforcement operation, and three individuals suspected of involvement with the operation were arrested in Poland and Ukraine. A few days later, the U.S. State Department announced rewards of up to $15 million for information about the leaders of the group and any information that could lead to the arrest of any individual who participated in the LockBit operation. The LockBit group restored its data leak site within a week of the takedown, set up new infrastructure, and started listing new victims on its data leak site.

The post LockBit Affiliate Sentenced to 4 Years in Jail and Ordered to Pay $860,000 in Restitution appeared first on HIPAA Journal.

Class action lawsuits are stacking up against Medical Management Resource Group LLC (MMRC), which does business as American Vision Partners, over a major data breach that was announced in early February. MMRC discovered a breach of its systems on November 14, 2023, and the investigation confirmed that the protected health information of 2,350,236 individuals was stored on the compromised parts of its network.  The individuals affected by the data breach had their names, contact information, dates of birth, medical information, clinical records, Social Security numbers, and health insurance information exposed.  Notification letters were sent to those individuals last month and they were offered complimentary credit monitoring services.

Between February 23 and February 28, three class action lawsuits were filed in the US District Court for the District of Arizona by patients whose protected health information was compromised in the breach. The lawsuits allege negligence and claim that MMRC/American Vision Partners failed to implement reasonable and appropriate cybersecurity measures to protect the sensitive data stored on their networks and failed to follow industry best practices for cybersecurity despite being aware of the high risk of cyberattacks on the healthcare sector.

The lawsuits, Yaeger v. Medical Management Resource Group LLC d/b/a American Vision Partners, Daley v. Medical Management Resource Group LLC d/b/a American Vision Partners, and Moudgal v. Medical Management Resource Group LLC d/b/a American Vision Partners, all make similar allegations and seek class certification, a jury trial, and damages. The plaintiffs claim that they have suffered injuries and have incurred out-of-pocket expenses as a result of the data breach and face an imminent and ongoing threat of identity theft and fraud as a direct result of the data breach.

David Yaeger and the class are represented by Cristina Perez Hesano of Perez Law Group PLLC and Kenneth J. Grunfeld of Kopelowitz Ostrow Ferguson Weiselberg Gilbert; Steven Daley and the class are represented by Perez Hesano, Bryan L. Bleichner, and Philip J. Krzeski of Chestnut Cambronne; Pal and Lakshminarasimha Moudgal and the class are represented by Perez Hesano, Terence R. Coates and Jonathan T. Deters of Markovits, Stock and DeMarco LLC.

The post Class Action Lawsuits Filed Against American Vision Partners Over Data Breach appeared first on HIPAA Journal.

A Ukrainian man accused of leading racketeering groups who conspired to infect thousands of business computers with malware has pleaded guilty in federal court in Nebraska to one count of conspiracy to commit wire fraud and one count of conspiracy to break U.S. anti-racketeering laws. One of the victims, the University of Vermont Medical Center, was infected with ransomware resulting in IT systems being taken offline for more than two weeks. The attack prevented the medical center from providing critical patient services for more than two weeks. The Department of Justice said the attack on the medical center created a risk of death or serious bodily injury for patients and cost the medical center more than $30 million.

Vyacheslav Igorevich Penchukov, 37, aka Vyacheslav Igoravich Andreev and known online as Tank and Father, was accused of leading two cybercriminal groups, JabberZeus and IcedID, between 2009 and 2021. JabberZeus distributed the Zeus banking trojan and IcedID distributed the IcedID banking trojan. Both of these popular malware variants were used to steal usernames, passwords, and other information that allowed access to be gained to online bank accounts.

According to the Department of Justice, “Penchukov and his co-conspirators then falsely represented to banks that they were employees of the victims and authorized to make transfers of funds from the victims’ bank accounts, causing the banks to make unauthorized transfers of funds from the victims’ accounts, resulting in millions of dollars in losses to the victims.” The groups then hired money mules in the United States to receive the fraudulent transfers, withdraw the funds, and then wire the money to overseas accounts under the control of Penchukov and his co-conspirators.

Penchukov was indicted in 2012 for his role in the JabberZeus group and was placed on the Federal Bureau of Investigation’s (FBI) Most Wanted List, where he remained for almost a decade. While on the FBI’s Most Wanted List, Penchukov led the IcedID gang from November 2018 to February 2021. IcedID also infected devices with malware to steal banking information. The IcedID trojan could also be used to deliver other malware payloads, including ransomware, as was the case with the attack on the University of Vermont Medical Center in October 2020.

Penchukov was arrested in Switzerland in 2022 and was extradited to the United States in 2023. On February 15, 2024, Penchukov appeared in court in Lincoln, Nebraska, and pleaded guilty to one count of conspiracy to commit a Racketeer Influenced and Corrupt Organizations (RICO) Act offense for his role in the JabberZeus gang, and one count of conspiracy to commit wire fraud for his role in the IcedID group. Penchukov faces a maximum of 40 years in jail – up to 20 years for each count – and will be sentenced on May 9, 2024.

The post Boss of Gang Behind Attack on University of Vermont Medical Center Facing 40 Years in Jail appeared first on HIPAA Journal.

Dozens of lawsuits that were filed in response to the mass exploitation of a vulnerability in Fortra’s GoAnywhere MFT file transfer solution have recently been consolidated into a single lawsuit that will be heard in the Southern District of Florida.

The lawsuits stem from the mass exploitation of a vulnerability by the Clop group. The Clop group, aka Cl0p, is a financially motivated threat actor known for ransomware and extortion-only attacks, which has a history of exploiting vulnerabilities in file transfer solutions. Clop exploited flaws in the Accellion File Transfer Appliance in December 2020, SolarWinds Serv-U Managed File Transfer and Secure FTC software in November 2021, and Fortra’s GoAnywhere MFT solution between January and February 2023. Later in the year, Clop went on to exploit a zero-day vulnerability in Progress Software’s MoveIT Transfer solution.

More than 2,700 users of MOVEit software suffered attacks, the Fortra GoAnywhere vulnerability was exploited to attack around 130 organizations, and Accellion attacks affected more than two dozen organizations. In these attacks, Clop opted for data theft and extortion and chose not to encrypt files, even though the group claimed that it could have done so. Without encryption, attacks are faster and more efficient and there were no apparent attempts at wider compromises. The attacks have certainly proven to be profitable for Clop, which has raked in over $100 million in ransom payments this year from its mass exploitation attacks.

While these mass hacking incidents were similar and the subsequent lawsuits in each made similar claims, the U.S. Judicial Panel on Multidistrict Litigation opted not to consolidate the lawsuits against Accellion and its customers but did consolidate lawsuits related to the GoAnywhere and MoveIT hacking incidents. Organizations that were against consolidation in the Fortra lawsuits argued that the Judicial Panel on Multidistrict Litigation should similarly rule against consolidation as it did with the Accellion actions.

The decision to deny centralization in the Accellion actions, of which there were 26, was due to most parties opposing centralization organizing the litigation and preferring to cooperate informally, and because there were likely to be allegations specific to each defendant’s role in the breach of plaintiffs’ data since the vulnerability was present in a legacy file transfer solution that Accellion had been encouraging customers to migrate away from. The Fortra GoAnywhere solution is actively used by more than 100 organizations and is not a legacy product, therefore, there are likely to be significant questions about Fortra’s role in the ultimate exploitation of the vulnerability.

All of the GoAnywhere lawsuits are expected to share common and complex factual questions surrounding how the vulnerability occurred, the unauthorized access and data exfiltration, Fortra’s role in the vulnerability and the response to it, and the plaintiffs bringing largely overlapping putative nationwide class actions. Centralization of the actions offers substantial opportunities to streamline pretrial proceedings, reduce duplicative discovery and conflicting pretrial obligations, prevent inconsistent rulings on common evidentiary challenges and summary judgment motions, and conserve the resources of the parties, their counsel, and the judiciary.

The decision to centralize 46 actions across seven districts was supported by several of the organizations named in the lawsuits, including Aetna, Community Health Systems, Brightline, and Fortra. Anthem Insurance Companies Inc. was named in a single action and was against centralization, and plaintiffs in the District of Minnesota held no position on consolidation, although favored Minnesota if consolidated. The Judicial Panel on Multidistrict Litigation chose the Southern District of Florida to hear the case as that is where 18 of the lawsuits were filed, more than in any other appropriate transferee district.

The consolidated data breach litigation includes 18 actions against NationBenefits LLC/NationBenefits Holdings in the Southern District of Florida, 8 against Community Health Systems Inc./CHSPSC LLC in the Middle District of Tennessee, 7 against Intellihartx in the Northern District of Ohio, 4 actions against Brightline Inc in the Northern District of California, 4 against Aetna Inc/Aetna International and 3 against NationBenefits LLC in the District of Connecticut, 1 against Anthen Insurance Companies Inc in the Southern District of Indiana, and 1 against Fortra LLC in the District of Minnesota.

The post Fortra GoAnywhere Hacking Lawsuits Consolidated in the Southern District of Florida appeared first on HIPAA Journal.