Legal News about HIPAA Compliance

Robeson Health Care Corp. Agrees to $750K Data Breach Settlement

Robeson Health Care Corporation, a Pembroke, North Carolina-based integrated health system, has agreed to settle a class action lawsuit that alleged hackers compromised its network in a February 2023 cyberattack, exposing the protected health information of 62,627 individuals.

Hackers gained access to its network on or around February 21, 2023, and potentially accessed or acquired protected health information such as names, dates of birth, Social Security numbers, diagnosis and treatment information, medical record numbers, Medicare/Medicaid numbers, prescription information, health insurance information, and other sensitive data. The affected individuals started to be notified about the data breach on April 21, 2023.

In early to mid-May 2023, three lawsuits were filed against Robeson Health Care Corp. over the data breach by plaintiffs Julianna McKenzie, Judith Hammonds, and Ronnie McGriff in the United States District Court for the Eastern District of North Carolina. The plaintiffs asserted several claims, including negligence for failing to implement reasonable and appropriate safeguards to secure its network and protect patient data from unauthorized access. Robeson Health Care Corp. denies all claims and contentions in the lawsuit, including the allegations of wrongdoing and liability. Since continuing with the action would likely be expensive and protracted, all parties agreed to negotiate a settlement. The parties consider the settlement fair, and it has received preliminary approval from the Superior Court of the State of North Carolina for the County of Robeson.

Under the terms of the settlement, Robeson Health Care Corp. has agreed to pay for benefits for class members, which will be capped at $750,000. Class members may submit a claim for up to $2,500 for reimbursement of documented, unreimbursed out-of-pocket losses that resulted from the data breach. Attorneys’ fees and costs have been capped at $250,000, and each of the three plaintiffs will receive a service award of $1,500.

Alternatively, class members may choose to receive a cash payment of $50, which will be paid pro rata after claims have been paid. The cash payments may be higher or lower depending on the number of claims received. In addition, class members can claim two years of single-bureau credit monitoring services. The deadline for exclusion from and objection to the settlement is June 23, 2025. The final approval hearing has been scheduled for July 21, 2025, and the deadline for submitting claims is August 6, 2025. Further information on the settlement can be found on the settlement website: https://www.rhccdataincidentsettlement.com/

The post Robeson Health Care Corp. Agrees to $750K Data Breach Settlement appeared first on The HIPAA Journal.

Netgain Technology Agrees to $1.9 Million Settlement to Resolve Data Breach Litigation

Netgain Technology has agreed to settle consumer data breach litigation filed in response to a 2020 ransomware attack and data breach. Netgain will establish a $1.9 million settlement fund to cover claims from class members.

Netgain is a Minnesota-based cloud hosting and managed IT service provider with many clients in the healthcare industry. A ransomware group gained access to Netgain’s environment between September and December 2020 and deployed ransomware on November 24, 2020. The attack affected thousands of Netgain’s servers and forced it to take some of its data servers offline. The ransomware group was able to exfiltrate data in the attack, including the data of patients of its healthcare provider clients. Data stolen in the attack included names, contact information, dates of birth, Social Security numbers, medical information, and financial information.

On May 13, 2021, plaintiffs Misty Meier and Jane Doe filed a class action complaint against Netgain, alleging their personally identifiable information (PII) and protected health information (PHI) were stolen in the attack. Further lawsuits were filed by plaintiffs Susan Reichert, Mark Kalling, Sherman Moore, Robert Smithburg, Thomas Lindsay, and Robert Guertin. On August 24, 2021, a federal judge consolidated the lawsuits into a single class action complaint – In Re: Netgain Technology, LLC, Consumer Data Breach Litigation – in the United States District Court for the District of Minnesota.

The lawsuit asserted several causes of action, some of which were dismissed; however, the causes of action for negligence and declaratory judgment were allowed to proceed, and a settlement has been negotiated that has received preliminary approval from the court. Under the terms of the settlement, class members may submit claims for documented losses and lost time up to a maximum of $5,000 per class member, and after all payments have been made, any remaining funds in the settlement fund will be distributed pro rata among the class members.

Netgain has also agreed to injunctive relief for three years from the effective date of the settlement. Netgain has agreed to adopt, continue, or implement firewall upgrades, geo-blocking, routing through secured gateways, virus prevention technology across its data environment, multi-factor authentication in its hosting environments, and backup data protection, and to configure its network in a secure and scalable manner.

Somnia’s $2.4 Million Data Breach Settlement Receives Final Approval

A $2.4 million settlement has received final approval from the court to resolve a class action lawsuit against Somnia Inc. and others over a 2022 cyberattack and data breach.

Somnia manages anesthesiology services at more than a hundred surgery centers across the country. In the summer of 2022, Somnia experienced a cyberattack that saw hackers access parts of its network where patient information was stored. The forensic investigation confirmed that names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, medical record numbers, Medicaid/Medicare IDs, and health information were potentially compromised. More than 450,000 individuals had their information exposed in the incident.

Several lawsuits were filed in response to the breach against Somnia, Anesthesia Services of San Joaquin, Palm Springs Anesthesia Services, Resource Anesthesiology Associates of IL, Resource Anesthesiology Association of NM, and Anesthesia Associates of El Paso. The lawsuits were consolidated into a single lawsuit as they all asserted similar claims and were based on the same facts. The plaintiffs claimed that Somnia was negligent by failing to implement appropriate cybersecurity safeguards to ensure the privacy and confidentiality of the data stored on its network, did not follow industry security standards, and was not fully compliant with the HIPAA Rules.

The plaintiffs claimed they had suffered harm as a result of the data breach, including being placed at an elevated risk of identity theft and fraud. They also alleged that data breach notification letters were delayed and did not contain adequate information about the data breach, including the exact types of information that were stolen. The defendants denied and continue to deny any wrongdoing, and maintain the plaintiffs’ claims have no merit; however, the decision was taken to settle the litigation to prevent further legal costs and to avoid the risks and uncertainties associated with continuing to fight the litigation.

Under the terms of the settlement, a $2,425,000 settlement fund has been established to cover claims from class members for unreimbursed, documented out-of-pocket losses that are plausibly traceable to the data breach. $1 million of the settlement will be paid to the plaintiffs’ lawyers, $50,295 will be deducted to cover litigation expenses, and each of the 9 named plaintiffs will receive a $1,000 service award. The remainder of the settlement will cover class members’ claims, which were capped at $2,500 per class member. Any remaining funds in the settlement fund after claims and expenses have been paid will be paid pro rata to the class members.

AllCare Plus Pharmacy Settles Class Action Data Breach Lawsuit

A settlement has been agreed to resolve litigation stemming from a 2022 data breach at AllCare Plus Pharmacy. The Northborough, MA-based pharmacy detected the security incident on June 21, 2022, when suspicious activity was identified in an employee’s email account.

The investigation confirmed that hackers gained access to the email account after the employee responded to a phishing email. The review of the account confirmed it contained names, addresses, birth dates, Social Security numbers, driver’s license and other ID numbers, financial information, and limited health and health insurance information related to treatment and prescriptions. The breach was reported to the Maine Attorney General as affecting 5,971 individuals.

A lawsuit – Celeste Brown, et al. v. AllCare Plus Pharmacy LLC – was filed in the Suffolk County Superior Court of the Commonwealth of Massachusetts over the data breach, claiming the data breach occurred due to the failure to implement appropriate cybersecurity measures and follow industry standard security best practices.

According to the lawsuit, had those measures been implemented, the data breach could have been prevented. AllCare Plus Pharmacy maintains that there was no wrongdoing and that it had meritorious defenses; however, the pharmacy chose to settle the litigation to prevent further legal costs and to avoid the risks and uncertainty associated with continuing to fight the litigation.

Under the terms of the settlement, individuals who were notified that their data was compromised may submit claims for reimbursement of documented out-of-pocket losses. Claims may be submitted for ordinary losses up to a maximum of $750 per class member, which can include communication costs, credit monitoring costs, attorneys’ fees, accountants’ fees, and miscellaneous expenses.

Claims may also be submitted for extraordinary losses, such as losses due to identity theft and fraud, up to a maximum of $5,000 per class member. Class members may also claim up to five hours of lost time dealing with the consequences of the data breach at $20 per hour. Class members have been offered two years of complimentary credit monitoring and identity theft protection services. Class members who do not wish to submit a claim or receive credit monitoring services may choose to receive a cash payment of $50.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 27, 2025. The deadline for exclusion from the settlement, objection to the settlement, and submitting claims is July 3, 2025. AllCare Plus Pharmacy said it has made security changes since the incident and will continue to review and update those security measures.

Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients

Frederick Health Medical Group is facing several potential class action lawsuits over a recent data breach that affected more than 900,000 patients. Frederick Health Medical Group, a Maryland-based healthcare group, announced on January 27, 2025, that it had fallen victim to a ransomware attack and had called in cybersecurity experts to investigate the incident. At the time, it was unclear to what extent patient data had been compromised in the incident, but it has now been confirmed that the electronic protected health information of 934,326 patients was stolen.

According to its March 28, 2025, substitute breach notice, the ransomware group stole data such as patient names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, health insurance information, and/or clinical information related to patients’ care. The electronic medical record system was not compromised in the attack. The name of the ransomware group behind the attack was not disclosed, and no ransomware group is known to have claimed responsibility for the attack. It is also unclear if the ransom was paid. In late March, individual notification letters started to be mailed to the affected individuals, and complimentary credit monitoring and identity theft protection services have been made available. Frederick Health Medical Group said additional cybersecurity safeguards have been implemented to better protect patient data and monitor its systems for unauthorized access.

At least five class action lawsuits have already been filed in response to the data breach. The lawsuits all assert similar claims, including negligence for failing to implement reasonable and appropriate cybersecurity measures to safeguard patient data and a failure to follow industry-standard cybersecurity best practices. The lawsuits also claim that the breach notification letters failed to disclose adequate information about the data breach, including the steps taken to prevent further attacks and even the types of data compromised in the incident. The lawsuits name Frederick Health Medical Group patients Ernest Farkas, Joseph Kingsman, Jaquelyn Chaillet, James Shoemaker, Wesley Kibler, and Jennifer McCreary as plaintiffs.

The lawsuits claim patients have suffered harm from the data breach, including an elevated and ongoing risk of identity theft and fraud, and out-of-pocket costs mitigating the harmful effects of the data breach. The lawsuits seek a jury trial, attorneys’ fees, and compensatory and punitive damages.

Kaiser Permanente Agrees to Pay Up to $47.5 Million to Settle Web Tracker Litigation

The Oakland, CA-based healthcare giant Kaiser Permanente has agreed to pay up to $47.5 million to settle class action litigation over its use of tracking technologies on its websites, patient portals, and mobile applications. This is one of the largest settlements to be agreed to resolve claims stemming from the use of tracking tools by a healthcare organization.

Kaiser disclosed the data breach last year following a voluntary internal investigation into its use of tracking technologies, which confirmed that up to 13.4 million individuals had potentially been affected – the second-largest healthcare data breach to be announced in 2024. Kaiser removed the tracking tools from its websites and mobile applications out of an abundance of caution and sent notifications to all potentially affected individuals. Kaiser also engaged experts and, based on their guidance, implemented additional safeguards to prevent similar privacy breaches in the future.

Website tracking technologies, such as pixels, are used extensively on websites to track user activity. They can provide website owners with valuable information on site usage, and that data can be used to improve the websites to benefit web visitors. Various studies have shown that these tools have been extensively used by healthcare organizations, with one study suggesting that 99% of hospitals in the United States had these tools on their websites. The problem with the use of these tools in healthcare is that they may transmit information protected under HIPAA, namely individually identifiable health information (protected health information), to the tracking vendor. In some cases, the data has been further disclosed and used to serve individuals with personalized ads based on the pages they visited on a healthcare website.

Since these data transfers are not expressly permitted by the HIPAA Privacy Rule, disclosures are only possible with the patient’s HIPAA authorization or if a business associate agreement is entered into with the third party that receives the data (and the disclosure is one the HIPAA Privacy Rule permits). The HHS’ Office for Civil Rights issued guidance after learning that these tools were being used on healthcare providers’ websites, warning that the tools likely violate the HIPAA Rules. The guidance was challenged in court, and the challenge was partially successful. The tools can still be used on healthcare websites, but they must not be used on any authenticated pages, such as patient portals, or in other pages or mobile applications that require users to log in.
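As an added illustration (not from The HIPAA Journal, Kaiser, or any court filing), the following Python script shows the kind of check a security or privacy team would run against its own portal before a regulator or plaintiff does: parse a page’s HTML, list every script, image, or iframe served from a host other than the site’s own, and flag the page if it sits on an authenticated host. It also distinguishes what a third party can see: a loaded script runs in the page and can read the full page URL, including search terms in the query string, whereas a plain image pixel on a page with the browser default referrer policy (strict-origin-when-cross-origin) receives only the site’s origin in the Referer header. The page URL, HTML, tracker hosts, and the list of authenticated hosts are all constructed for the example, and the two-label domain comparison is a simplification that ignores the public suffix list.

```python
"""Audit a rendered page for third-party resources that would fire a tracking request.

Added example, not code from The HIPAA Journal or any organization named in the
article. Sample URL, HTML and host lists are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

# Constructed sample: a search-results page inside an authenticated patient portal.
PAGE_URL = "https://portal.example-health.org/encyclopedia/search?q=hiv+test+results"
PAGE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
</head><body>
  <img src="https://www.facebook.com/tr?id=123&ev=PageView" width="1" height="1">
  <img src="/images/logo.png">
  <iframe src="https://portal.example-health.org/messages"></iframe>
</body></html>
"""

# Constructed list of hosts that require login (assumption for this example).
AUTHENTICATED_HOSTS = {"portal.example-health.org"}

# Elements whose source attribute triggers a request to the named host.
TAG_ATTRS = {"script": "src", "img": "src", "iframe": "src"}


def registrable_domain(host):
    """Approximate the registrable domain as the last two DNS labels.

    Simplification: no public suffix list, so hosts under co.uk and similar
    multi-label suffixes are not handled correctly.
    """
    return ".".join(host.lower().split(".")[-2:])


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every script/img/iframe with a source."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = TAG_ATTRS.get(tag)
        if attr is None:
            return
        src = dict(attrs).get(attr)
        if src:
            # Resolve relative paths so first-party resources compare correctly.
            self.resources.append((tag, urljoin(self.base_url, src)))


def third_party_resources(page_url, html):
    """Return findings for resources loaded from a different registrable domain.

    full_page_url_exposed is True for scripts: a script runs in the page and can
    read location.href, query string included. For images and iframes, the
    browser default referrer policy sends only the origin to a cross-site host.
    """
    site = registrable_domain(urlsplit(page_url).hostname)
    collector = ResourceCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        host = urlsplit(url).hostname or ""
        if registrable_domain(host) != site:
            findings.append({
                "tag": tag,
                "url": url,
                "host": host,
                "full_page_url_exposed": tag == "script",
            })
    return findings


def page_query_terms(page_url):
    """Query parameters a third-party script could harvest from location.href."""
    return dict(parse_qsl(urlsplit(page_url).query))


def is_authenticated_page(page_url, authenticated_hosts):
    """True when the page is served from a host that requires login."""
    return urlsplit(page_url).hostname in authenticated_hosts


if __name__ == "__main__":
    auth = is_authenticated_page(PAGE_URL, AUTHENTICATED_HOSTS)
    print(f"page: {PAGE_URL}\nauthenticated: {auth}")
    for f in third_party_resources(PAGE_URL, PAGE_HTML):
        exposure = "full URL incl. query" if f["full_page_url_exposed"] else "origin only"
        flag = "VIOLATION" if auth else "review"
        print(f"[{flag}] <{f['tag']}> from {f['host']} ({exposure})")
    print("query terms visible to scripts:", page_query_terms(PAGE_URL))
```

On the constructed page the script flags two third-party hosts, one of them a script that can read the search term from the URL; because the page is on an authenticated host, both are marked as violations of the rule described above. In practice the check would be run against the HTML of each authenticated route, and a full audit would also account for scripts that inject further trackers at runtime, which static HTML parsing does not see.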

Several patients filed lawsuits against the Kaiser companies Kaiser Foundation Health Plan, Kaiser Foundation Hospitals, and Kaiser Foundation Health Plan of Washington, over the data breach. The lawsuits alleged that the plaintiffs’ and class members’ personal and protected health information had been disclosed to third parties without their knowledge or consent, including Adobe, Microsoft, Google, and X (Twitter).

The lawsuits asserted claims of negligence, common law invasion of privacy-intrusion upon seclusion, breach of implied contract, breach of express contract, and violations of many state laws, including the California Confidentiality of Medical Information Act, District of Columbia Consumer Protection Procedures Act, Maryland Wiretapping and Electronic Surveillance Act, Virginia Insurance Information and Privacy Protection Act, Washington Health Care Information Act, and many other state laws. Kaiser was also alleged to have violated the federal Electronic Communications Privacy Act. The lawsuits were consolidated into a single complaint in the United States District Court for the Northern District of California, San Francisco Division.

Kaiser denies the material allegations in the litigation and also denies that the plaintiffs and class members are entitled to any relief, and that any damages have been suffered as a result of the data breach. While Kaiser has not identified any misuse of its members’ protected health information, nor determined that any of that information has been or will be at risk, after considering the likely cost of continuing with the litigation, and the uncertainties associated with any trial and related appeals, the decision was taken to settle the litigation, with no admission of liability or wrongdoing.

Under the terms of the settlement, Kaiser has agreed to pay $46 million to settle the litigation, with the settlement fund potentially being increased to no more than $47.5 million, should certain conditions be met. The settlement class consists of individuals who accessed authenticated Kaiser webpages (wa-member.kaiserpermanente.org, healthy.kaiserpermanente.org, or mydoctor.kaiserpermanente.org) or Kaiser mobile applications (Kaiser Permanente Washington App, Kaiser Permanente App, My Doctor Online (NCAL Only) App, My KP Meds App, or the KP Health Ally App) between November 2017 and May 2024. There are several subclasses for members residing in states such as California, Georgia, Maryland, Oregon, Washington, and the District of Columbia.

The settlement will cover attorneys’ fees (likely to be up to one-third of the settlement fund), attorneys’ expenses, settlement administration costs, and awards for the class representatives. The remainder of the settlement fund will be divided among the class members, with each settlement class member receiving an equal pro rata share. The settlement has received preliminary approval from the court. The deadline for submitting claims and the date of the final approval hearing have yet to be announced.

April 26, 2024: Kaiser Permanente Website Tracker Breach Affects 13.4 Million Individuals

Kaiser Foundation Health Plan Inc. is notifying 13.4 million individuals that some of their personal data has been disclosed to third parties such as Microsoft (Bing), Google, and X (Twitter) via tracking technologies on its websites and apps. This is the largest healthcare data breach to be reported so far in 2024 and the largest confirmed healthcare data breach to date involving website tracking technologies.

Kaiser said the tracking technologies were identified during a voluntary internal investigation and they have now been removed from its websites and mobile applications. Additional measures have been implemented to prevent similar occurrences in the future. Notifications are being sent to all individuals who have potentially been affected “out of an abundance of caution,” including current and former health plan members in all markets that Kaiser operates, and individuals who used its websites and mobile apps. Notifications are expected to be issued in May 2024.

The types of data potentially disclosed to tech companies included names, IP addresses, sign-in statuses, and information about how users navigated through the websites and apps. Other information was potentially disclosed based on individuals’ usage of the websites and apps, including search terms entered into its health encyclopedia, such as symptoms, drugs, injuries, and exercises. No highly sensitive information such as Social Security numbers, financial information, or usernames/passwords was disclosed. Kaiser said it is not aware of any misuse of the disclosed data; however, it is possible that individuals may have been served targeted ads based on their interactions on Kaiser’s websites and apps.

The privacy violation has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as a breach of the Health Insurance Portability and Accountability Act (HIPAA). In December 2022, OCR published guidance on HIPAA and tracking technologies and recently updated its guidance to clarify when these technologies can be used and how they can be made HIPAA-compliant. OCR and the Federal Trade Commission (FTC) have been cracking down on the use of these technologies and sent around 130 warning letters to hospitals and telehealth companies last year reminding them of their obligations under HIPAA and the FTC Act, and the FTC has settled 5 complaints – Easy Healthcare (Premom), GoodRx, BetterHelp, Monument, and Cerebral – that alleged violations of the FTC Act related to the use of these technologies without consumers’ consent. State attorneys general have also investigated privacy violations related to the use of tracking technologies, including the New York Attorney General, who settled alleged violations of HIPAA and state laws with New York Presbyterian Hospital over the use of these tools.

City of Hope Settles Class Action Data Breach Lawsuit

City of Hope, a Duarte, California-based non-profit clinical research and cancer treatment center, has agreed to settle a class action lawsuit stemming from a 2023 data breach that affected more than 827,000 individuals. Hackers had access to the City of Hope network between September 2023 and October 2023, and exfiltrated sensitive data.

Several class action lawsuits were filed over the data breach, as detailed in previous coverage by The HIPAA Journal below. The lawsuits had overlapping claims and were consolidated – In re City of Hope Data Security Breach Litigation – in the Superior Court of the State of California for the County of Los Angeles. The consolidated lawsuit asserted claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. City of Hope maintains there was no wrongdoing or liability. Following mediation, all parties reached an agreement in principle to settle the lawsuit to avoid the cost, time, risks, and uncertainty associated with continuing with the litigation. The terms of the settlement have now been agreed, and the settlement has received preliminary approval from the court.

City of Hope has agreed to establish an $8,500,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards, and benefits for the class members. Class members may claim up to $5,000 in reimbursement for documented, unreimbursed losses fairly traceable to the data breach, which may include up to four hours of lost time at $25 per hour. Alternatively, class members may submit a claim for a cash payment estimated to be $100. The cash payments may be increased or decreased pro rata depending on the remaining funds after attorneys’ fees, expenses, administration costs, service awards, reimbursement claims, and credit monitoring costs have been paid.

All class members who submit a claim for reimbursement of documented losses or the alternative cash payment will receive a code that can be used to enroll in a medical information and protection service from CyEx, which includes single-bureau credit monitoring and protection against medical fraud. Class members who resided in California at any point between September 19, 2023, and January 13, 2026, are entitled to claim an additional cash payment of $250, which may also be adjusted pro rata.

Individuals who wish to object to or be excluded from the settlement have until December 15, 2025, to do so, and all claims must be submitted by January 13, 2026. The final approval hearing has been scheduled for February 20, 2026.

April 25, 2024: Multiple Class Action Lawsuits Filed Against City of Hope National Medical Center Over Data Breach

Several class action lawsuits have been filed against City of Hope National Medical Center, a National Cancer Institute (NCI)-designated cancer treatment and research center, over a recently disclosed data breach that exposed the protected health information of more than 827,000 individuals.

City of Hope National Medical Center identified suspicious activity within its network on October 13, 2023, and the forensic investigation confirmed there had been unauthorized access by a third party between September 19, 2023, and October 12, 2023. During that time, files containing patient data were exfiltrated from its network. The exposed and stolen data included contact information, Social Security numbers, driver’s license numbers, financial information, health insurance information, medical records, medical histories, and diagnoses/conditions. City of Hope National Medical Center issued notification letters on April 2, 2024, and offered the affected individuals complimentary credit monitoring services.

Class action lawsuits started to be filed soon after notification letters were mailed. The lawsuits make similar claims, that City of Hope National Medical Center failed to implement reasonable and appropriate cybersecurity safeguards, did not follow industry best practices for cybersecurity, and that the cyberattack that exposed their sensitive data could have been prevented. The plaintiffs allege that City of Hope National Medical Center should have been aware that it was a likely target for cybercriminals due to the high value of healthcare data on the black market and numerous warnings from federal agencies about the high risk of cyberattacks on the sector. The plaintiffs also allege an unnecessary delay in issuing notifications – five months after the cyberattack was detected.

The plaintiffs allege that injuries have been sustained as a result of the data breach. They face an imminent and increased risk of identity theft and fraud since their sensitive data is now in the hands of cybercriminals, and have and will continue to need to spend time and money protecting themselves from fraud, identity theft, and medical identity theft. At least 8 lawsuits have been filed to date in response to the data breach that make claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. The lawsuits seek class action certification, a jury trial, damages, and injunctive relief.

$2.55M Settlement Agreed to Resolve Octapharma Plasma Data Breach Lawsuit

A settlement has been agreed to resolve litigation against Octapharma Plasma over its April 2024 ransomware attack and data breach. Octapharma Plasma operates more than 190 blood plasma donation centers in 35 states. On or around April 17, 2024, Octapharma detected suspicious activity within its computer systems. The investigation confirmed unauthorized access to parts of its network where sensitive personal information was stored, including names, dates of birth, Social Security numbers, health information, donor eligibility information, financial information, employee data, and business data.

On April 26, 2024, shortly after the cyberattack was announced, a class action lawsuit was filed by Bret Woodall against Octapharma. Several other lawsuits were subsequently filed over the data breach, and the lawsuits were consolidated into a single action – Woodall v. Octapharma Plasma Inc. – since they were materially and substantively identical and had overlapping claims. The consolidated lawsuit alleged that Octapharma failed to reasonably secure, monitor, and maintain personal information, and as a result of that failure, the plaintiffs and class members suffered injuries and damages, including identity theft, loss of value of their personal information, lost time, and out-of-pocket expenses mitigating the effects of the data breach.

The lawsuit asserted claims of negligence, breach of fiduciary duty, breach of implied contract, unjust enrichment, breach of confidence, invasion of privacy, declaratory judgment, and violations of the California Customer Records Act, California Unfair Competition Law, California Consumer Legal Remedies Act, California Consumer Privacy Act, California Confidentiality of Medical Information Act, Oregon Consumer Identity Theft Protection Act, Oregon Unlawful Trade Practices Act, Illinois Personal Information Protection Act, Illinois Consumer Fraud and Deceptive Business Practices Act, Illinois Uniform Deceptive Trade Practices Act, and the North Carolina Unfair and Deceptive Trade Practices Act.

Octapharma disagrees with all claims and contentions in the lawsuit and maintains there was no wrongdoing. After considering the likely costs of continuing with the litigation and the uncertainty and risks associated with a jury trial, all parties agreed to settle the litigation. It has taken several months of negotiations; however, a settlement has been negotiated that is acceptable to all parties. The settlement has recently received preliminary approval from the court.

Under the terms of the settlement, Octapharma has agreed to establish a $2,550,000 settlement fund, from which attorneys’ fees and expenses, service awards, and settlement administration costs will be deducted. The remainder of the settlement fund will be used to make payments to class members who submit a valid claim.

Class members are entitled to claim the following benefits:

  • Reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member
  • A flat cash payment estimated to be $100
  • Three years of credit monitoring services
  • Individuals residing in California at the time of the data breach will be able to claim an additional flat cash payment of $50

The cash payments will be adjusted pro rata and may be higher or lower, depending on the number of valid claims received. Individuals wishing to exclude themselves or object to the settlement must do so by October 29, 2025. Claims must be submitted by November 14, 2025, and the final approval hearing has been scheduled for December 4, 2025.

September 24, 2024: Octapharma Plasma Notifies Individuals Affected by April 2024 Ransomware Attack

Octapharma Plasma, the U.S. arm of the Swiss pharmaceutical company Octapharma, has notified the California Attorney General about an April 2024 cyberattack that involved unauthorized access to personal information on its network.

Unauthorized network activity was identified on April 17, 2024, consistent with a cyberattack, and an investigation was launched with assistance provided by third-party cybersecurity experts. The attack forced Octapharma Plasma to temporarily close all of its plasma donation centers due to the inability to access IT systems. The investigation confirmed that on April 17, 2024, a threat actor accessed the network and exfiltrated files containing personal information. The incident was reported to the FBI, technical safeguards have been reviewed, and steps have been taken to strengthen its security controls to prevent similar incidents in the future.

The review of the affected files was completed on August 2, 2024, and the affected individuals are now being notified and have been offered complimentary credit monitoring and identity theft protection services for 24 months. The notice to the California Attorney General does not state what types of data were involved, but that information is detailed in the individual notification letters.

The BlackSuit ransomware group claimed responsibility for the attack and said it stole donor data, including names, addresses, dates of birth, and Social Security numbers, and employee data such as passports, contracts, contact information, family information, and medical examination information. It is currently unclear how many individuals have been affected by the ransomware attack and data breach.

At least two class action lawsuits have been filed against Octapharma Plasma over the data breach. The lawsuits allege that outdated and insecure computer systems and software were used and insufficient cybersecurity measures were in place, which allowed its network to be breached.

The lawsuits assert claims of negligence, negligence per se, unjust enrichment, breach of confidence, breach of fiduciary duty, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and violations of the California Confidentiality of Medical Information Act and the North Carolina Unfair and Deceptive Trade Practices Act.

April 22, 2024: Octapharma Plasma Closes Donation Centers While It Deals with Suspected Ransomware Attack

The Swiss pharmaceutical firm, Octapharma Plasma, is dealing with a cyberattack that has affected systems at 190 plasma donation centers in 35 U.S. states. Those centers have been temporarily closed while the company responds to the attack and works on bringing the affected systems back online.

Octapharma identified suspicious activity within its network on April 17, 2024, and confirmed that an unauthorized third party had breached its network and disrupted certain parts of its operations. An investigation has been launched, and third-party cybersecurity experts have been engaged to investigate the attack and determine its impact. At this stage, Octapharma has yet to provide any further details about the attack, such as whether ransomware was used to encrypt files, and said further information will be released as the investigation progresses.

Without access to critical IT systems, donors are unable to visit its plasma donation centers. The plasma collected at its U.S. facilities is shipped to its European manufacturing plants and is used to create life-saving therapies. The disruption to plasma supplies threatens production at its EU-based facilities, given that 75% of the plasma used in its therapies is collected from donors in the United States.

A reporter at The Register spoke with a source familiar with the incident who claimed the attack occurred on Monday, April 15, 2024, and the BlackSuit ransomware group was responsible. BlackSuit is a relatively new ransomware operation that was discovered in May 2023. The group has significant similarities with the Royal ransomware group, which was a successor of the Conti ransomware operation. The Register’s source claimed that vulnerabilities were exploited to gain access to Octapharma’s VMware systems, with BlackSuit ransomware used to encrypt files.

In November 2023, the Health Sector Cybersecurity Coordination Center (HC3) warned the healthcare and public health sector about BlackSuit ransomware. HC3 said the group appears to conduct indiscriminate attacks on a variety of industry sectors, including healthcare, manufacturing, business technology, business retail, and government sectors, and that the group engages in double extortion tactics, where stolen data is added to its data leak site if the ransom is not paid. As of April 22, 2024, Octapharma is not showing on the group’s data leak site.

The post $2.55M Settlement Agreed to Resolve Octapharma Plasma Data Breach Lawsuit appeared first on The HIPAA Journal.

Proliance Surgeons Settles Data Breach Litigation for $4,450,000

The Seattle, Washington-based surgical group, Proliance Surgeons, has agreed to a settlement to resolve class action litigation over a February 2023 cyberattack and data breach.

Hackers gained access to the surgical group’s network on February 11, 2023, and exfiltrated files containing patient information. Notification letters were mailed to the 437,392 affected individuals in November 2023. Shortly thereafter, class action lawsuits started to be filed. The HIPAA Journal reported on one of those lawsuits in December 2023 (see below). That lawsuit was one of eleven class action complaints filed by victims of the data breach. Due to overlapping claims, and to conserve resources, the lawsuits were consolidated into a single complaint – In re: Proliance Surgeons Data Breach Litigation – in the Superior Court of the State of Washington in and for King County.

The consolidated lawsuit alleged that Proliance Surgeons failed to implement the necessary safeguards to protect private personal and protected health information on its network and as a direct consequence of that failure, hackers were able to obtain unauthorized access to patient data such as names, Social Security numbers, dates of birth, telephone numbers, medical information, diagnosis and treatment information, health insurance information, and medical record numbers. The lawsuit also took issue with the length of time it took to issue notification letters to the affected individuals, who received notification letters more than 280 days after the data breach was discovered.

While Proliance Surgeons offered the affected individuals a complimentary 12-month membership to a credit monitoring service, the plaintiffs claimed the offer was woefully inadequate, and that the data breach had “caused irreparable harm to their personal, financial, reputational, and future well-being.” The lawsuit asserted claims for negligence, breach of implied contract, unjust enrichment, and a violation of the Washington Consumer Protection Act.

The defendant denied and continues to deny all allegations in the litigation, all charges of wrongdoing or liability, and all claims that the plaintiffs and class members suffered any cognizable damage or harm as a result of the incident. Despite that position, the decision was taken to settle the litigation to avoid the uncertainty, risk, expense, and burden involved in defending it. Class counsel and the class representatives believe that the negotiated settlement is fair and in the best interests of the class members.

Under the terms of the settlement, Proliance Surgeons has agreed to establish a $4,450,000 common settlement fund to cover benefits to the class members, after attorneys’ fees and expenses, settlement administration and notice costs, and service awards for the class representatives have been deducted. Class members may claim a two-year membership to the CyEx Medical Shield Complete medical information protection and monitoring service. Class members who have experienced out-of-pocket losses due to the incident may submit a claim for reimbursement of documented, unreimbursed losses. Claims for reimbursement have been capped at $5,000 per class member.

Regardless of whether a claim is submitted for reimbursement of losses, a pro rata cash payment of up to $599 may be claimed. The cash payments will depend on the number of individuals electing to receive credit monitoring services, cash payments, and reimbursement of losses. The cash payments may be substantially lower than the $599 maximum. The deadline for exclusion from the settlement and objection is April 28, 2026. Claims must be submitted by May 28, 2026, and the final fairness hearing has been scheduled for June 26, 2026.

December 5, 2023: Proliance Surgeons Sued Over Ransomware Attack and Data Breach

A class action lawsuit has been filed against Proliance Surgeons, a Seattle, Washington-based surgery group, over a recently disclosed ransomware attack and data breach that has affected almost 437,400 individuals.

The group operates around 100 surgery centers in the state and treats more than 800,000 patients each year. On May 24, 2023, a third-party forensic investigation into a cyberattack confirmed that hackers had access to files containing patient data and that they had removed “a limited number of files” from its network on February 11, 2023. The data compromised in the attack included names, contact information, Social Security numbers, financial information, treatment information, driver’s license numbers, and usernames and passwords. Notifications were issued on November 21, 2023.

A lawsuit has been filed in federal court in Seattle by plaintiff and former patient, Alicia Berend, and similarly situated individuals whose sensitive information was compromised in the cyberattack. The lawsuit alleges Proliance Surgeons failed to adequately protect patient data as required by federal and state law and in accordance with its internal security policies, and that the data security failures constituted a violation of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit also references an earlier security breach where unauthorized individuals had access to its online payment system for seven months between November 2019 and June 2020, allowing access to names, zip codes, and payment card information. Following that incident, Proliance Surgeons said it would be enhancing its security measures to prevent similar incidents in the future. The earlier security breach is not shown on the HHS’ Office for Civil Rights (OCR) website, which indicates either the breach was not reported to OCR, that Proliance Surgeons determined protected health information had not been compromised, or the breach affected fewer than 500 individuals. The lawsuit claims that two major security breaches in a little over 3 years demonstrate a pattern of negligence with respect to data security.

The lawsuit also takes issue with the length of time taken to discover that patient data was involved, which occurred 102 days after the security breach was detected, and Proliance Surgeons then failed to issue notification letters to the affected individuals until November 21, 2023 – 283 days after the data breach occurred. The lawsuit claims that the plaintiff and class were kept in the dark about the breach, thus depriving them of the opportunity to mitigate their injuries in a timely manner.

The lawsuit claims the plaintiff and class have suffered widespread injury and monetary damages, and that the plaintiff has already suffered from identity theft and fraud. She has received emails indicating someone has used her identity for various out-of-state activities, including inquiries into properties in Florida, and has also received an increased number of spam messages and phone calls, and now fears for her personal and financial security. The plaintiff claims that she has suffered anxiety, sleep disruption, stress, fear, and frustration, and that these injuries go far beyond mere worry or inconvenience.

The lawsuit alleges negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and violations of the Washington Consumer Protection Act, Washington Data Breach Disclosure Law, and Washington Uniform Health Care Information Act (UHCIA). The lawsuit seeks class action certification, a jury trial, compensatory, exemplary, punitive, and statutory damages, and attorneys’ fees and legal costs. The plaintiff and class are represented by Samuel J. Strauss of the law firm, Turke & Strauss LLP.

The post Proliance Surgeons Settles Data Breach Litigation for $4,450,000 appeared first on The HIPAA Journal.