Legal News about HIPAA and Healthcare Compliance

MedStar Mobile Health Data Breach Settlement Proposed

Posted by Steve Alder

A settlement has been proposed by the Metropolitan Area EMS Authority to resolve a class action lawsuit that was filed by individuals affected by a 2022 cyberattack and data breach. Metropolitan Area EMS Authority is a Fort Worth, TX-based operator of an emergency and non-emergency ambulance service and does business as MedStar Mobile Healthcare. On October 20, 2022, unauthorized network activity was discovered, and the forensic investigation revealed unauthorized individuals had accessed parts of its network where patient data was stored. The hackers were able to access the protected health information of 612,000 individuals, including names, contact information, dates of birth, and limited medical information. The affected individuals were notified on December 19, 2022.

A class action lawsuit – Kaether v. Metropolitan Area EMS Authority d/b/a MedStar Mobile Healthcare – was filed in Texas District Court in response to the breach that alleged negligence for failing to secure sensitive patient data. The lawsuit also alleged breach of implied contract, negligence per se, breach of fiduciary duty, public disclosure of private facts, and unjust enrichment. Metropolitan Area EMS Authority chose to settle the lawsuit with no admission of liability or wrongdoing and will make an unspecified sum available to cover claims from individuals affected by the data breach, including a subclass of individuals who had HIPAA-covered protected health information exposed.

Under the terms of the settlement, individuals who were notified about the breach who have experienced unreimbursed out-of-pocket losses that are reasonably traceable to the data breach may submit claims for up to $3,000 to cover the losses, including travel expenses, long-distance phone calls, bank fees, credit costs, and any unreimbursed expenses and monetary losses from identity theft or fraud. Members of the HIPAA subclass may also claim up to four hours of lost time at $20 per hour. Claims must be accompanied by documented evidence that losses have been experienced. All class members will be entitled to a complimentary 12-month membership to a single-bureau credit monitoring service which includes a $1 million identity theft insurance policy. Metropolitan Area EMS Authority has also agreed to implement additional cybersecurity measures to better protect the sensitive data it stores and is providing its workforce with additional security awareness training. Measures that will be implemented by the end of the year include multifactor authentication and disabling Outlook Anywhere.

Individuals wishing to object to the settlement, or exclude themselves must do so by January 24, 2024, and claims must be submitted no later than February 23, 2024. The final fairness hearing has been scheduled for April 3, 2024. The plaintiff and class members were represented by Joe Kendall of the Kendall Law Group PLLC and Gary M Klinger
and Alexander Wolf of Milberg Coleman Bryson Phillips Grossman PLLC.

The post MedStar Mobile Health Data Breach Settlement Proposed appeared first on HIPAA Journal.

Horizon Actuarial Services Proposes $8.73M Settlement to Resolve Class Action Data Breach Lawsuit

Posted by Steve Alder

Horizon Actuarial Services has proposed a $8.73 million settlement to resolve all claims related to a hacking incident and data breach in 2022 that affected 227,953 individuals. Horizon Actuarial Services was contacted by a cyber actor in November 2022 who claimed to have stolen sensitive data in a cyberattack. The investigation confirmed there had been unauthorized access to two servers between November 10 and 11, 2021. The data stolen in the attack included names, dates of birth, Social Security numbers, and health plan information. Horizon Actuarial Services negotiated with the cyber actor and made a payment to prevent the stolen data from being sold, published, or misused.

A lawsuit – Sherwood, et al. v. Horizon Actuarial Services LLC – was filed in the U.S. District Court for the Northern District of Georgia on behalf of individuals affected by the data breach that alleged Horizon Actuarial Services had failed to implement reasonable and appropriate measures to protect the sensitive data stored on its servers. Horizon Actuarial Services has not admitted to any wrongdoing but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, a $8,733,446.36 fund will be established to cover claims from individuals who have experienced unreimbursed losses as a result of the data breach.

Class members may submit claims for reimbursement for up to $5,000 to cover out-of-pocket expenses reasonably traceable to the data breach and up to 5 hours of lost time at $25 per hour. All claimants can submit a claim for a $50 payment, and individuals who were California residents at the time of the data breach will be able to claim an additional $50 ($100 in total). The payments may be lower depending on the number of claims and will be paid pro rata.

Individuals wishing to object to or exclude themselves from the settlement must do so by January 22, 2024. Individuals wishing to submit a claim must do so by February 21, 2024. A final approval hearing has been scheduled for March 25, 2024. The plaintiffs and class members were represented by Terence R Coates of Markovits Stock & Demarco LLC, Gary M Klinger of Milberg Coleman Bryson Phillips Grossman PLLC, and Kenya J Ready of Morgan & Morgan.

The post Horizon Actuarial Services Proposes $8.73M Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

ALPHV/BlackCat Ransomware Operation Disrupted by FBI

Posted by Steve Alder

The ALPHV/BlackCat ransomware group has been disrupted by the Federal Bureau of Investigation, in partnership with Europol and law enforcement agencies in Denmark, Germany, Australia, Spain, Austria, the Netherlands, and the United Kingdom, in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

ALPHV/BlackCat ransomware group first emerged in November 2021 and became one of the most prolific ransomware groups of recent years, second only to the LockBit ransomware group. ALPHV/BlackCat is a ransomware-as-a-service operation that uses affiliates to conduct attacks for a cut of any ransoms they generate. In its 2 years of operation, the group has claimed more than 1,000 victims worldwide and has collected hundreds of millions of dollars in ransom payments.

In early December 2023, the group’s Tor negotiation and data leak sites were taken offline which led to several security researchers suggesting that the group may have been the subject of a law enforcement operation, although a spokesperson for the group refuted those claims and said the websites were down due to a hosting issue. However, the U.S. Department of Justice (DoJ) has now confirmed that the outage was due to a law enforcement operation that saw the FBI successfully gain access to ALPHV’s infrastructure.

The law enforcement operation has been ongoing for several months. After breaching the servers, the FBI silently monitored operations and was able to obtain decryption keys, which allowed the FBI to develop a decryption tool that has helped more than 500 ALPHV victims decrypt their data without paying the ransom. According to the DoJ, the decryption tool has prevented the payment of around $68 million in ransom payments. The FBI was also able to seize the ALPHV data leak site, which now displays a banner stating the domain has been seized as part of an international law enforcement operation. The FBI obtained 946 public and private key pairs for the group’s affiliate panel, communication sites, and Tor sites that supported its operations.

ALPHV/BlackCat started out under the name DarkSide in the summer of 2020 and was behind the ransomware attack on Colonial Pipeline in May 2021. The high-profile attack on a U.S. critical infrastructure organization attracted considerable attention from law enforcement, and the group promptly shut down its operation and reformed under the name BlackMatter. In June 2021, the Department of Justice announced that it had seized $2.3 million in cryptocurrency from the DarkSide affiliate responsible for the attack. The BlackMatter operation was short-lived and was shut down in November 2021 after a decryptor was developed and law enforcement seized its servers; and was immediately replaced with ALPHV/BlackCat, which has been highly active until the recent takedown.

“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and prolific cybercriminals,” said U.S. Attorney Markenzy Lapointe for the Southern District of Florida. “As a result of our office’s tireless efforts, alongside FBI Miami, U.S. Secret Service, and our foreign law enforcement partners, we have provided Blackcat’s victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes.”

While the law enforcement operation has been successful, the group is likely to rebrand as it has done in the past and continue its attacks under a different name. In the meantime, affiliates that have been working with ALPHV/BlackCat may choose to join other ransomware groups such as LockBit.

The post ALPHV/BlackCat Ransomware Operation Disrupted by FBI appeared first on HIPAA Journal.

Missouri Attorney General Files Lawsuit in Response to WU Refusal to Provide Transgender Patients’ Records

Posted by Steve Alder

The Missouri Attorney General has filed a counterclaim in response to a lawsuit filed by Washington University (WU) over the legal basis of civil investigative demands for documentation about medical procedures performed on transgender patients. WU is refusing to provide records from its Transgender Center that contain patient information, which the Missouri Attorney General claims are essential to the investigation.

Missouri Attorney General, Andrew Bailey, issued civil investigative demands for documentation in February 2023 pursuant to an investigation of the Washington University Transgender Center, including records of patients who received treatment. The investigation was initiated in response to allegations by a whistleblower that the clinic had administered experimental drugs, puberty blockers, and cross-sex hormones without sufficient assessments and also pressured parents into giving consent. WU strongly denies the allegations.

Washington University complied with the investigative demand and provided documentation but did not provide patient records as it did not believe the Missouri Attorney General had the legal authority to demand the records. The Attorney General claimed that he had the authority to request the records under the Missouri Merchandising Practices Act (MMPA); however, WU argues that the MMPA is a consumer protection law concerning deceptive advertising and the investigation appears to be into medical decision-making at the Transgender Center. In its lawsuit, Washington University asked a St. Louis Circuit Court judge to confirm if the Attorney General has the authority to request the records and, if not, to narrow AG Bailey’s investigative demands.

In the counterclaim, AG Bailey claims that WU initially agreed to comply with the investigative demand and then later changed its position, claiming that the federal Health Insurance Portability and Accountability Act (HIPAA) prohibits the disclosure of patient data. In the counterclaim, AG Bailey asked for the court to rule on whether HIPAA prohibits the disclosure of PHI in response to civil investigative demands. With respect to the documentation sent by Washington University, the documents were not downloaded before the link expired, and after issuing requests to resend, received a file that could not be opened. When the file was resent it contained heavily redacted information, with patient data unviewable.

The counterclaim answers the question about the legality of the demand and claims that the investigation concerns whether the Transgender Center was “boosting patient volume by falsely advertising compliance with Endocrine Society, World Professional Association for Transgender Health (WPATH) and similar group guidelines while in fact sharply deviating from those guidelines,” and that “Inducing a person to purchase gender transition services through unfair or deceptive practices leads to life-altering physical consequences.”

The Attorney General claims that the consumer-protection statute grants “extraordinarily broad authority,” including investigating medical malpractice issues. The Attorney General claims the requested documents are essential to the investigation and will reveal whether children underwent irreversible procedures without proper parental consent. AG Bailey seeks an order from the court for the documentation to be provided within 20 days.

The Missouri Attorney General has also claimed that the Biden administration has been quietly interfering with the investigation and alleges that WU changed its position on providing the records after a federal probe. Initially, WU agreed to provide the records, then, after the probe, claimed providing those records violated HIPAA.

The post Missouri Attorney General Files Lawsuit in Response to WU Refusal to Provide Transgender Patients’ Records appeared first on HIPAA Journal.

Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000

Posted by Steve Alder

The New York Attorney General has agreed to settle alleged violations of New York’s data security and consumer protection laws with Healthplex, one of New York’s largest providers of dental insurance. Healthplex has agreed to pay a penalty of $400,000 to resolve the investigation with no admission of wrongdoing.

Attorney General Letitia James launched an investigation of Healthplex after being notified about a breach of the personal and protected health information of 89,955 individuals, including 62,922 New York residents to determine if Healthplex had complied with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and New York’s data security and consumer protection laws.

The data breach occurred on or around November 24, 2021, and was the result of an employee responding to a phishing email and disclosing her account credentials. The account contained more than 12 years of emails, some of which included customer enrolment information. Credentials alone should not be sufficient to gain access to email accounts; however, Healthplex had not implemented multi-factor authentication on its recently deployed Office 365 web interface.

The unauthorized individual used the account to send further phishing emails internally, and it was the reporting of those emails by employees that identified the attack. The attacker had access to the account for a period of almost 6 hours before access was terminated; however, during that time, the attacker could access emails dating from May 7, 2009, to November 24, 2022. The emails contained member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, driver’s license numbers, usernames and passwords for the member portal, email addresses, phone numbers, dates of service, provider names, billing information, procedure codes, diagnosis codes, prescription drug names, and plan affiliations. While unauthorized access was confirmed, insufficient logging capabilities meant it was not possible to determine which emails had been accessed or copied.

The affected individuals were notified in April and Healthplex took steps to improve security, including extending multifactor authentication to the Office 365 web interface, implementing a 90-day email retention policy, enhancing its logging capabilities, and providing further training on phishing detection and avoidance to the workforce. The investigation determined that the measures implemented by Healthplex prior to the phishing attack did not meet the standards required by New York’s data security and consumer protection laws with respect to data retention, logging, and multifactor authentication, and its data security assessments failed to identify the risk from storing years of data in email accounts when there was no business purpose for retaining that information.

In addition to paying a financial penalty, Healthplex has agreed to maintain a comprehensive information security program, encrypt personal data, implement an email retention schedule for employee email accounts, enforce the use of complex passwords, and conduct penetration tests to identify vulnerabilities. “Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” said Attorney General James. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”

The post Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000 appeared first on HIPAA Journal.

Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000

Posted by Steve Alder

The New York Attorney General has agreed to settle alleged violations of New York’s data security and consumer protection laws with Healthplex, one of New York’s largest providers of dental insurance. Healthplex has agreed to pay a penalty of $400,000 to resolve the investigation with no admission of wrongdoing.

Attorney General Letitia James launched an investigation of Healthplex after being notified about a breach of the personal and protected health information of 89,955 individuals, including 62,922 New York residents to determine if Healthplex had complied with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and New York’s data security and consumer protection laws.

The data breach occurred on or around November 24, 2021, and was the result of an employee responding to a phishing email and disclosing her account credentials. The account contained more than 12 years of emails, some of which included customer enrolment information. Credentials alone should not be sufficient to gain access to email accounts; however, Healthplex had not implemented multi-factor authentication on its recently deployed Office 365 web interface.

The unauthorized individual used the account to send further phishing emails internally, and it was the reporting of those emails by employees that identified the attack. The attacker had access to the account for a period of almost 6 hours before access was terminated; however, during that time, the attacker could access emails dating from May 7, 2009, to November 24, 2022. The emails contained member identification numbers, insurance group names and numbers, addresses, dates of birth, credit card numbers, banking information, Social Security numbers, driver’s license numbers, usernames and passwords for the member portal, email addresses, phone numbers, dates of service, provider names, billing information, procedure codes, diagnosis codes, prescription drug names, and plan affiliations. While unauthorized access was confirmed, insufficient logging capabilities meant it was not possible to determine which emails had been accessed or copied.

The affected individuals were notified in April and Healthplex took steps to improve security, including extending multifactor authentication to the Office 365 web interface, implementing a 90-day email retention policy, enhancing its logging capabilities, and providing further training on phishing detection and avoidance to the workforce. The investigation determined that the measures implemented by Healthplex prior to the phishing attack did not meet the standards required by New York’s data security and consumer protection laws with respect to data retention, logging, and multifactor authentication, and its data security assessments failed to identify the risk from storing years of data in email accounts when there was no business purpose for retaining that information.

In addition to paying a financial penalty, Healthplex has agreed to maintain a comprehensive information security program, encrypt personal data, implement an email retention schedule for employee email accounts, enforce the use of complex passwords, and conduct penetration tests to identify vulnerabilities. “Visiting a dentist’s office can be a stressful experience without having the added concern that personal and medical data could be stolen by bad actors,” said Attorney General James. “Insurers, like all companies charged with holding on to sensitive information, have an obligation to ensure that data is safeguarded and doesn’t fall into the wrong hands. New Yorkers can rest assured that when my office is made aware of data breaches, we will drill down and get to the root of the problem.”

The post Healthplex Settles Data Breach Investigation with NY Attorney General for $400,000 appeared first on HIPAA Journal.

OCR Imposes First HIPAA Penalty for a Phishing Attack

Posted by Steve Alder

The HHS’ Office for Civil Rights (OCR) has agreed to settle a landmark cyber investigation and has imposed its first financial penalty under the Health Insurance Portability and Accountability Act (HIPAA) for a phishing attack. Lafourche Medical Group, a Louisiana-based medical group specializing in emergency medicine, occupational medicine, and laboratory testing, reported a data breach to OCR on May 28, 2021, involving the protected health information (PHI) of up to 34,862 individuals.

According to the breach notification, a hacker gained access to the email account of one of its owners on March 30, 2021, following a response to a phishing email that spoofed one of the medical group’s owners. The threat actor gained access to the Microsoft 365 environment, which contained patient data. Lafourche Medical Group said that because of the size of the email system, it was not possible to determine all patient information that had been exposed so notification letters were mailed to all patients. The exposed data included names, addresses, dates of birth, dates of service, e-mail addresses, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating practitioner names, and lab test results.

OCR launched an investigation into the incident to determine whether a failure to comply with the HIPAA Rules led to or contributed to the security breach. OCR’s investigators discovered Lafourche Medical Group had not conducted a security risk analysis prior to the phishing attack. The HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information. OCR also determined that Lafourche Medical Group had not implemented procedures to regularly review records of information system activity prior to the phishing attack. This is also a required implementation specification of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(D).

Lafourche Medical Group agreed to settle the investigation with no admission of liability or wrongdoing. In addition to paying a sizeable financial penalty, Lafourche Medical Group has agreed to implement a robust corrective action plan (CAP) which includes establishing and implementing security measures to reduce security risks and vulnerabilities to ePHI, developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA Rules, and providing HIPAA training to all staff members who have access to PHI. OCR will also monitor Lafourche Medical Group for two years to ensure compliance with the HIPAA Rules.

“Phishing is the most common way that hackers gain access to health care systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the health care industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our health care system safe and taking preventive steps against phishing attacks.”

This is the 12th HIPAA violation penalty imposed by OCR in 2023 and the second-largest of the year. So far this year, OCR has imposed HIPAA penalties totaling $4,016,500

 

The post OCR Imposes First HIPAA Penalty for a Phishing Attack appeared first on HIPAA Journal.

CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General

Posted by Steve Alder

In late September 2023, Indiana Attorney General Todd Rokita filed a lawsuit against CarePointe ENT over a ransomware attack and data breach that affected 48,742 individuals. A settlement has been reached that will see CarePointe pay $125,000 to resolve alleged violations of the Health Insurance Portability and Accountability (HIPAA) Act and state data privacy and security laws.

CarePointe ENT operates three ear, nose, throat, sinus, and hearing centers in Merrillville, Munster & Hobart in Northwest Indiana. On June 25, 2021, CarePointe ENT experienced a ransomware attack which resulted in files being encrypted and data being exfiltrated. The stolen data included names, addresses, dates of birth, Social Security numbers, medical insurance information, and health information. Affected individuals were notified about the data breach in August 2021.

AG Rokita launched an investigation into the attack to determine if CarePointe ENT had complied with its obligations under HIPAA and state laws. Despite claiming that it was committed to safeguarding patient information, CarePointe ENT was determined to have failed to implement appropriate security policies, conduct appropriate risk analyses, and address known security risks in a reasonable amount of time.

CarePointe ENT hired a third-party IT vendor that conducted a HIPAA risk analysis and identified security concerns in January 2021. The vendor was hired in March to address the identified vulnerabilities, but they were not fixed in a reasonable time frame. In June 2021, some of the unaddressed vulnerabilities were exploited in a ransomware attack. In addition to the failure to address known security issues, CarePointe ENT failed to enter into a business associate agreement with the vendor, even though the vendor was provided with access to systems containing protected health information.

AG Rokita’s lawsuit alleged one count of a failure to comply with the HIPAA Privacy Rule, one count of failing to comply with the HIPAA Security Rule, one count of failing to comply with the Indiana Disclosure of Security Breach Act (DSBA), and one count of failing to comply with the Indiana Deceptive Consumer Sales Act (DCSA). CarePointe ENT chose to settle the alleged violations of HIPAA and state laws with no admission of wrongdoing. Under the terms of the settlement, a financial penalty of $125,000 will be paid to the state and CarePointe ENT has agreed to ensure full compliance with the HIPAA Privacy and Security Rules and the DCSA and DSBA with respect to the safeguarding of personal information (PI), protected health information (PHI), and electronic protected health information (ePHI). CarePointe ENT has also agreed not to make misrepresentations about the extent to which it ensures the privacy, security, confidentiality, and integrity of PI, PHI, and ePHI.

The settlement agreement includes a comprehensive list of privacy and security measures. These include implementing a comprehensive information security program, appointing a HIPAA Security Officer to oversee that program, implementing technical safeguards and controls to ensure the privacy and security of patient data, developing an incident response plan and testing that plan through table-top exercises, developing policies and procedures regarding business associate agreements, and providing privacy and security training to all members of the workforce with access to PI, PHI, or ePHI,

The post CarePointe ENT Settles HIPAA Lawsuit with Indiana Attorney General appeared first on HIPAA Journal.

Proliance Surgeons Sued Over Ransomware Attack and Data Breach

Posted by Steve Alder

A class action lawsuit has been filed against Proliance Surgeons, a Seattle, Washington-based surgery group over a recently disclosed ransomware attack and data breach that has affected almost 437,400 individuals.

The group operates around 100 surgery centers in the state and treats more than 800,000 patients each year. On May 24, 2023, a third-party forensic investigation into a cyberattack confirmed that hackers had access to files containing patient data and that they had removed “a limited number of files” from its network on February 11, 2023.  The data compromised in the attack included names, contact information, Social Security numbers, financial information, treatment information, driver’s license numbers, and usernames and passwords. Notifications were issued on November 21, 2023.

A lawsuit has been filed in federal court in Seattle by plaintiff and former patient, Alicia Berend, and similarly situated individuals whose sensitive information was compromised in the cyberattack. The lawsuit alleges Proliance Surgeons failed to adequately protect patient data as required by federal and state law and in accordance with its internal security policies, and that the data security failures constituted a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit also references an earlier security breach where unauthorized individuals had access to its online payment system for seven months between November 2019 and June 2020, allowing access to be gained to names, zip codes, and payment card information. Following that incident Proliance Surgeons said it would be enhancing its security measures to prevent similar incidents in the future. The earlier security breach is not shown on the HHS’ Office for Civil Rights (OCR) website, which indicates either the breach was not reported to OCR, that Proliance Surgeons determined protected health information had not been compromised, or the breach affected fewer than 500 individuals. The lawsuit claims that two major security breaches in a little over 3 years demonstrates a pattern of negligence with respect to data security.

The lawsuit also takes issue with the length of time taken to discover that patient data was involved, which occurred 102 days after the security breach was detected, and Proliance Surgeons then failed to issue notification letters to the affected individuals until November 21, 2023 – 283 days after the data breach occurred. The lawsuit claims that the plaintiff and class were kept in the dark about the breach, thus depriving them of the opportunity to mitigate their injuries in a timely manner.

The lawsuit claims the plaintiff and class have suffered widespread injury and monetary damages, and that the plaintiff has already suffered from identity theft and fraud. She has received emails indicating someone has used her identity for various out-of-state activities, including inquiries into properties in Florida, and has also received an increased number of spam messages and phone calls and now fears for her personal and financial security. The plaintiff claims that she has suffered anxiety, sleep disruption, stress, fear, and frustration and that these injuries go far beyond mere worry or inconvenience.

The lawsuit alleges negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and violations of the Washington Consumer Protection Act, Washington Data Breach Disclosure Law, and Washington Uniform Health Care Information Act (UHCIA). The lawsuit seeks class action certification, a jury trial, compensatory, exemplary, punitive, and statutory damages, and attorneys’ fees and legal costs.

The plaintiff and class are represented by Samuel J. Strauss of the law firm, Turke & Strauss LLP.

The post Proliance Surgeons Sued Over Ransomware Attack and Data Breach appeared first on HIPAA Journal.