Legal News about HIPAA Compliance

Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients

Frederick Health Medical Group is facing several potential class action lawsuits over a recent data breach that affected more than 900,000 patients. Frederick Health Medical Group, a Maryland-based healthcare group, announced on January 27, 2025, that it had fallen victim to a ransomware attack and had called in cybersecurity experts to investigate the incident. At the time, it was unclear to what extent patient data had been compromised in the incident, but it has now been confirmed that the electronic protected health information of 934,326 patients was stolen.

According to its March 28, 2025, substitute breach notice, the ransomware group stole data such as patient names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, medical record numbers, health insurance information, and/or clinical information related to patients’ care. The electronic medical record system was not compromised in the attack. The name of the ransomware group behind the attack was not disclosed, and no ransomware group is known to have claimed responsibility for the attack. It is also unclear if the ransom was paid. In late March, individual notification letters started to be mailed to the affected individuals, and complimentary credit monitoring and identity theft protection services have been made available. Frederick Health Medical Group said additional cybersecurity safeguards have been implemented to better protect patient data and monitor its systems for unauthorized access.

At least five class action lawsuits have already been filed in response to the data breach. The lawsuits all assert similar claims, including negligence for failing to implement reasonable and appropriate cybersecurity measures to safeguard patient data and a failure to follow industry-standard cybersecurity best practices. The lawsuits also claim that the breach notification letters failed to disclose adequate information about the data breach, including the steps taken to prevent further attacks and even the types of data compromised in the incident. The lawsuits name Frederick Health Medical Group patients Ernest Farkas, Joseph Kingsman, Jaquelyn Chaillet, James Shoemaker, Wesley Kibler, and Jennifer McCreary as plaintiffs.

The lawsuits claim patients have suffered harm from the data breach, including an elevated and ongoing risk of identity theft and fraud, and out-of-pocket costs mitigating the harmful effects of the data breach. The lawsuits seek a jury trial, attorneys’ fees, and compensatory and punitive damages.

The post Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients appeared first on The HIPAA Journal.

City of Hope Settles Class Action Data Breach Lawsuit

City of Hope, a Duarte, California-based non-profit clinical research and cancer treatment center, has agreed to settle a class action lawsuit stemming from a 2023 data breach that affected more than 827,000 individuals. Hackers had access to the City of Hope network between September 2023 and October 2023, and exfiltrated sensitive data.

Several class action lawsuits were filed over the data breach, as detailed in previous coverage by The HIPAA Journal below. The lawsuits had overlapping claims and were consolidated – In re City of Hope Data Security Breach Litigation – in the Superior Court of the State of California for the County of Los Angeles. The consolidated lawsuit asserted claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. City of Hope maintains there was no wrongdoing or liability. Following mediation, all parties reached an agreement in principle to settle the lawsuit to avoid the cost, time, risks, and uncertainty associated with continuing with the litigation. The terms of the settlement have now been agreed, and the settlement has received preliminary approval from the court.

City of Hope has agreed to establish an $8,500,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards, and benefits for the class members. Class members may claim up to $5,000 in reimbursement for documented, unreimbursed losses fairly traceable to the data breach, which may include up to four hours of lost time at $25 per hour. Alternatively, class members may submit a claim for a cash payment estimated to be $100. The cash payments may be increased or decreased pro rata depending on the remaining funds after attorneys’ fees, expenses, administration costs, service awards, reimbursement claims, and credit monitoring costs have been paid.

All class members who submit a claim for reimbursement of documented losses or the alternative cash payment will receive a code that can be used to enroll in a medical information and protection service from CyEx, which includes single-bureau credit monitoring and protection against medical fraud. Class members who resided in California at any point between September 19, 2023, and January 13, 2026, are entitled to claim an additional cash payment of $250, which may also be adjusted pro rata.

Individuals who wish to object to or be excluded from the settlement have until December 15, 2025, to do so, and all claims must be submitted by January 13, 2026. The final approval hearing has been scheduled for February 20, 2026.

April 25, 2024: Multiple Class Action Lawsuits Filed Against City of Hope National Medical Center Over Data Breach

Several class action lawsuits have been filed against City of Hope National Medical Center, a National Cancer Institute (NCI)-designated cancer treatment and research center, over a recently disclosed data breach that exposed the protected health information of more than 827,000 individuals.

City of Hope National Medical Center identified suspicious activity within its network on October 13, 2023, and the forensic investigation confirmed there had been unauthorized access by a third party between September 19, 2023, and October 12, 2023. During that time, files containing patient data were exfiltrated from its network. The exposed and stolen data included contact information, Social Security numbers, driver’s license numbers, financial information, health insurance information, medical records, medical histories, and diagnoses/conditions. City of Hope National Medical Center issued notification letters on April 2, 2024, and offered the affected individuals complimentary credit monitoring services.

Class action lawsuits started to be filed soon after notification letters were mailed. The lawsuits make similar claims, that City of Hope National Medical Center failed to implement reasonable and appropriate cybersecurity safeguards, did not follow industry best practices for cybersecurity, and that the cyberattack that exposed their sensitive data could have been prevented. The plaintiffs allege that City of Hope National Medical Center should have been aware that it was a likely target for cybercriminals due to the high value of healthcare data on the black market and numerous warnings from federal agencies about the high risk of cyberattacks on the sector. The plaintiffs also allege an unnecessary delay in issuing notifications – five months after the cyberattack was detected.

The plaintiffs allege that injuries have been sustained as a result of the data breach. They face an imminent and increased risk of identity theft and fraud since their sensitive data is now in the hands of cybercriminals, and have and will continue to need to spend time and money protecting themselves from fraud, identity theft, and medical identity theft. At least 8 lawsuits have been filed to date in response to the data breach that make claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. The lawsuits seek class action certification, a jury trial, damages, and injunctive relief.

The post City of Hope Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

$2.55M Settlement Agreed to Resolve Octapharma Plasma Data Breach Lawsuit

A settlement has been agreed to resolve litigation against Octapharma Plasma over its April 2024 ransomware attack and data breach. Octapharma Plasma operates more than 190 blood plasma donation centers in 35 states. On or around April 17, 2024, Octapharma detected suspicious activity within its computer systems. The investigation confirmed unauthorized access to parts of its network where sensitive personal information was stored, including names, dates of birth, Social Security numbers, health information, donor eligibility information, financial information, employee data, and business data.

On April 26, 2024, shortly after the cyberattack was announced, a class action lawsuit was filed by Bret Woodall against Octapharma. Several other lawsuits were subsequently filed over the data breach, and the lawsuits were consolidated into a single action – Woodall v. Octapharma Plasma Inc. – since they were materially and substantively identical and had overlapping claims. The consolidated lawsuit alleged that Octapharma failed to reasonably secure, monitor, and maintain personal information, and as a result of that failure, the plaintiffs and class members suffered injuries and damages, including identity theft, loss of value of their personal information, lost time, and out-of-pocket expenses mitigating the effects of the data breach.

The lawsuit asserted claims of negligence, breach of fiduciary duty, breach of implied contract, unjust enrichment, breach of confidence, invasion of privacy, declaratory judgment, and violations of the California Customer Records Act, California Unfair Competition Law, California Consumer Legal Remedies Act, California Consumer Privacy Act, California Confidentiality of Medical Information Act, Oregon Consumer Identity Theft Protection Act, Oregon Unlawful Trade Practices Act, Illinois Personal Information Protection Act, Illinois Consumer Fraud and Deceptive Business Practices Act, Illinois Uniform Deceptive Trade Practices Act, and the North Carolina Unfair and Deceptive Trade Practices Act.

Octapharma disagrees with all claims and contentions in the lawsuit and maintains there was no wrongdoing. After considering the likely costs of continuing with the litigation and the uncertainty and risks associated with a jury trial, all parties agreed to settle the litigation. It has taken several months of negotiations; however, a settlement has been negotiated that is acceptable to all parties. The settlement has recently received preliminary approval from the court.

Under the terms of the settlement, Octapharma has agreed to establish a $2,550,000 settlement fund, from which attorneys’ fees and expenses, service awards, and settlement administration costs will be deducted. The remainder of the settlement fund will be used to make payments to class members who submit a valid claim.

Class members are entitled to claim the following benefits:

  • Reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member
  • A flat cash payment estimated to be $100
  • Three years of credit monitoring services
  • Individuals residing in California at the time of the data breach will be able to claim an additional flat cash payment of $50

The cash payments will be adjusted pro rata and may be higher or lower, depending on the number of valid claims received. Individuals wishing to exclude themselves or object to the settlement must do so by October 29, 2025. Claims must be submitted by November 14, 2025, and the final approval hearing has been scheduled for December 4, 2025.

September 24, 2024: Octapharma Plasma Notifies Individuals Affected by April 2024 Ransomware Attack

Octapharma Plasma, the U.S. arm of the Swiss pharmaceutical company Octapharma, has notified the California Attorney General about an April 2024 cyberattack that involved unauthorized access to personal information on its network.

Unauthorized network activity was identified on April 17, 2024, consistent with a cyberattack, and an investigation was launched with assistance provided by third-party cybersecurity experts. The attack forced Octapharma Plasma to temporarily close all of its plasma donation centers due to the inability to access IT systems. The investigation confirmed that on April 17, 2024, a threat actor accessed the network and exfiltrated files containing personal information. The incident was reported to the FBI, technical safeguards have been reviewed, and steps have been taken to strengthen its security controls to prevent similar incidents in the future.

The review of the affected files was completed on August 2, 2024, and the affected individuals are now being notified and have been offered complimentary credit monitoring and identity theft protection services for 24 months. The notice to the California Attorney General does not state what types of data were involved, but that information is detailed in the individual notification letters.

The BlackSuit ransomware group claimed responsibility for the attack and said it stole donor data, including names, addresses, dates of birth, and Social Security numbers, and employee data such as passports, contracts, contact information, family information, and medical examination information. It is currently unclear how many individuals have been affected by the ransomware attack and data breach.

At least two class action lawsuits have been filed against Octapharma Plasma over the data breach. The lawsuits allege that outdated and insecure computer systems and software were used and insufficient cybersecurity measures were in place, which allowed its network to be breached.

The lawsuits assert claims of negligence, negligence per se, unjust enrichment, breach of confidence, breach of fiduciary duty, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and violations of the California Confidentiality of Medical Information Act and the North Carolina Unfair and Deceptive Trade Practices Act.

April 22, 2024: Octapharma Plasma Closes Donation Centers While It Deals with Suspected Ransomware Attack

Octapharma Plasma, the U.S. plasma collection arm of the Swiss pharmaceutical firm Octapharma, is dealing with a cyberattack that has affected systems at 190 plasma donation centers in 35 U.S. states. Those centers have been temporarily closed while the company responds to the attack and works on bringing the affected systems back online.

Octapharma identified suspicious activity within its network on April 17, 2024, and confirmed that an unauthorized third party had breached its network and disrupted certain parts of its operations. An investigation has been launched, and third-party cybersecurity experts have been engaged to investigate the attack and determine its impact. At this stage, Octapharma has yet to provide any further details about the attack, such as whether ransomware was used to encrypt files, and said further information will be released as the investigation progresses.

Without access to critical IT systems, donors are unable to visit its plasma donation centers. The plasma collected at its U.S. facilities is shipped to its European manufacturing plants and is used to create life-saving therapies. The disruption to plasma supplies threatens production at its EU-based facilities, given that 75% of the plasma used in its therapies is collected from donors in the United States.

A reporter at The Register spoke with a source familiar with the incident who claimed the attack occurred on Monday, April 15, 2024, and the BlackSuit ransomware group was responsible. BlackSuit is a relatively new ransomware operation that was discovered in May 2023. The group has significant similarities with the Royal ransomware group, which was a successor of the Conti ransomware operation. The Register’s source claimed that vulnerabilities were exploited to gain access to Octapharma’s VMware systems, with BlackSuit ransomware used to encrypt files.

In November 2023, the Health Sector Cybersecurity Coordination Center (HC3) warned the healthcare and public health sector about BlackSuit ransomware. HC3 said the group appears to conduct indiscriminate attacks on a variety of industry sectors, including healthcare, manufacturing, business technology, business retail, and government sectors, and that the group engages in double extortion tactics, where stolen data is added to its data leak site if the ransom is not paid. As of April 22, 2024, Octapharma is not showing on the group’s data leak site.

The post $2.55M Settlement Agreed to Resolve Octapharma Plasma Data Breach Lawsuit appeared first on The HIPAA Journal.

$49.99M Settlement Agreed to Resolve Class Action Data Breach Lawsuit Against Heritage Provider Network et al

A $49.99 million settlement has received preliminary approval from the court to resolve class action litigation against Heritage Provider Network, Regal Medical Group, and eight co-defendants over a December 2022 data breach that affected approximately 3,413,000 individuals.

California-based Heritage Provider Network (Heritage) and the affiliated defendants operate as one of the largest physician-owned integrated healthcare networks in the United States. Heritage arranged to provide medical services for the plaintiffs and class members through affiliates such as Regal Medical Group. On or around December 1, 2022, hackers gained access to servers containing patient data and exfiltrated sensitive data such as names, addresses, dates of birth, Social Security numbers, and healthcare information. The investigation revealed the hackers had access to those servers until the attack was discovered on December 8, 2022, and between December 1 and 2, 2022, they are alleged to have exfiltrated personally identifiable information (PII) and protected health information (PHI). The defendants started sending notification letters to the affected individuals on February 2, 2023.

The first class action lawsuit over the data breach was filed on February 9, 2023, and it was followed by a further 25 lawsuits. The court designated Head v. Regal Medical Group, Inc., et al as the lead case and stayed all remaining actions, with all actions consolidated into the lawsuit Head, et al. v. Regal Medical Group, Inc., et al. The other defendants named in the consolidated lawsuit are Lakeside Medical Group, ADOC Medical Group, Greater Covina Medical Group, Affiliated Doctors of Orange County Medical Group, Arizona Priority Care, Community Surgery Center of Glendale, Pacific Family Hospice, and Valley’s Best Hospice.

The lawsuit alleges the defendants were negligent for failing to implement reasonable and appropriate security measures to protect their IT infrastructure and sensitive patient data. The lawsuit also asserted claims of breach of implied contract, unjust enrichment, unfair business practices, and violations of the California Consumer Privacy Act of 2018, the California Confidentiality of Medical Information Act, Unfair Competition Law, the FTC Act, and the Health Insurance Portability and Accountability Act.

The defendants maintain there was no wrongdoing and there is no liability, while the plaintiffs believe they have made valid claims. To prevent further costs, protracted litigation, and to avoid the risks and uncertainty of trial, all parties engaged in discussions to resolve the litigation. It took three mediation sessions for all parties to agree on a settlement in principle to resolve the litigation. The terms of the settlement have now been finalized, and the settlement has received preliminary approval from Superior Court Judge Timothy P. Dillon of the Superior Court of the State of California, County of Los Angeles.

Under the terms of the settlement, the defendants will establish a $49,995,000 settlement fund from which attorneys’ fees and expenses, settlement administration costs, and service awards for the seven named plaintiffs will be paid. The remainder of the settlement will be used to pay benefits to the plaintiffs and class members. All class members are entitled to claim three years of comprehensive identity monitoring services. Claims may also be submitted for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $10,000 per class member, capped at $2,000,000 in total. If that total is reached, claims will be paid pro rata. A claim may also be submitted for reimbursement of documented lost time dealing with issues arising from the data breach. Up to seven hours can be claimed at $30 per hour, or a maximum of $210. These claims will be capped at $1,000,000 in total and will be paid pro rata if that total is reached.

All class members are also entitled to claim a cash payment. The cash payments will be paid from the remainder of the settlement fund after costs, expenses, credit monitoring costs, and claims have been paid. The cash payments are expected to be between $68.72 and $357.97, depending on participation rates and the number of approved claims. The deadline for objection to and exclusion from the settlement is November 24, 2025. The deadline for submitting a claim is December 22, 2025, and the final approval hearing has been scheduled for January 28, 2026.

February 23, 2023: Multiple Lawsuits Filed Against Regal Medical Group Over 3.3 Million-Record Ransomware Attack

Several class action lawsuits have been filed against Regal Medical Group and affiliated healthcare providers following the February 1, 2023, announcement of a HIPAA breach in which the protected health information (PHI) of up to 3,300,638 individuals had potentially been stolen in a December 2022 ransomware attack.

The attack affected Regal Medical Group, the Heritage Provider Network, and several affiliated healthcare providers, including Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., Greater Covina Medical Group Inc., and Affiliated Doctors of Orange County. The attack was detected on December 2, when employees started experiencing difficulty accessing data.

The forensic investigation revealed the attack started on or before December 1, with sensitive data exfiltrated from its servers on December 1. The stolen files included PHI such as names, phone numbers, addresses, dates of birth, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and Social Security numbers. Affected individuals were offered a 12-month membership to a credit monitoring service.

It is now common for multiple lawsuits to be filed after healthcare data breaches, so it is no surprise that so many lawsuits have been filed after an attack of this magnitude. One of the biggest concerns raised in the lawsuits was how the attackers were able to gain access to so much data, much of which was highly sensitive and could be misused in many different ways. The lawsuits were filed in California state superior court and in federal court, and each makes similar claims against Regal Medical Group and the Heritage Provider Network, including negligence, negligence per se, breach of implied contract, unjust enrichment, and unfair business practices. The lawsuits allege violations of the California Consumer Privacy Act of 2018, the California Confidentiality of Medical Information Act, Unfair Competition Law, the FTC Act, and the Health Insurance Portability and Accountability Act.

The lawsuits also take issue with the time taken to issue notifications about the breach, which started to be issued on February 1, 2023, when the data breach occurred on December 1, 2022. While the notifications were issued within the time frame allowed by the HIPAA Breach Notification Rule, that Rule requires notifications to be issued without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach. One of the lawsuits also takes issue with the information provided in the notifications, which failed to provide full information on the nature of the breach, such as for how long the attackers had access to the stolen data.

One of the lawsuits, Timothy Head vs. Regal Medical Group Inc, Heritage Provider Network Inc. (Cole & Van Note), claims the defendants “intentionally, willfully, recklessly, or negligently failed to take and implement adequate and reasonable measures to ensure that representative plaintiff(s)’ and class members’ PHI/PII was safeguarded,” and also claims the defendants were negligent for failing to encrypt data.

Sam Abedi and Farnaz Doroodian v. Heritage Provider Network, Inc. and Regal Medical Group, Inc. (Zimmerman Reed LLP/ The Johnson Firm) and David Rodriguez v. Regal Medical Group (Wucetich & Korovilas LLP) make similar claims, including that the defendants were well aware of the high prevalence of data breaches and had the resources available to protect data, but failed to invest sufficiently in data security, the remediation of vulnerabilities, staff training, and the testing of security controls.

Lynn Austin vs. Regal Medical Group, Inc. (Parker & Minnie, LLP & Mason LLP) claims the plaintiffs have suffered actual and concrete injury, including out-of-pocket expenses, loss of valuable rights and protections, heightened stress, fear, anxiety, and risk of future invasions of privacy, and mental and emotional distress.

The lawsuits seek class action certification, a jury trial, actual and punitive damages, and injunctive relief, including an order from the courts to prohibit the defendants from engaging in unlawful acts and deceptive business practices and to ensure that a comprehensive information security program is implemented to protect against future data breaches.

The post $49.99M Settlement Agreed to Resolve Class Action Data Breach Lawsuit Against Heritage Provider Network et al appeared first on The HIPAA Journal.

The Christ Hospital Agrees to Pay up to $7 Million to Resolve Pixel Litigation

The Christ Hospital in Cincinnati, Ohio, has agreed to pay up to $7 million to settle a consolidated class action lawsuit over its use of tracking tools on its website and MyChart patient portal. Tracking tools are added to websites to record user activity that can be used to improve the sites; however, these tools often transmit the collected data to third parties, where it can be linked to individual users and is often used for marketing and advertising purposes.

These tools are commonly used on websites and apps, but when used by healthcare providers, especially on pages that require users to log in, they can collect sensitive health data. If that data is transmitted to a third party without a valid business associate agreement in place, or without a HIPAA-compliant authorization from the individual, the disclosure is impermissible under the HIPAA Privacy Rule. Several class action lawsuits against healthcare providers have been resolved in recent weeks that alleged violations of federal and state laws related to the use of website tracking technologies, and Meta was found liable by a California jury in one of the few such lawsuits to go to trial.

Three lawsuits were filed against The Christ Hospital over the use of these tracking tools, which were consolidated into a single action – In Re The Christ Hospital Pixel Litigation – in the Court of Common Pleas, Hamilton County, Ohio, as they had overlapping claims and were based on similar facts. The consolidated lawsuit alleged that The Christ Hospital encouraged its patients to use its website to book appointments, locate facilities, communicate symptoms, search for medical information and treatment options, sign up for classes, and access the patient portal to review health records, fill prescription refills, and complete medical forms.

The website included tracking tools such as pixels, web beacons, and cookies that collected sensitive data and disclosed it to Meta and Google. The information disclosed on the website could allow third parties to reasonably infer that a patient was being treated for a specific health condition, including cancer, pregnancy, or addiction. The plaintiffs allege that these tools were added to the website, collected data, and transmitted that information to third parties without their knowledge or consent.

The data collected by Meta Pixel was tied to individuals by their Facebook ID, and Google was sent data by Google Analytics code and could identify individuals via the Chrome browser and Google devices, which made the intercepted data personally identifiable. The lawsuit claimed the use of the tools violated federal law (HIPAA and the FTC Act) and state law (the Ohio wiretapping statute and the Ohio Consumer Sales Practices Act). The lawsuit also asserted claims of breach of confidence, invasion of privacy, breach of implied contract, unjust enrichment, and negligence.

The Christ Hospital maintains there was no wrongdoing; however, it chose to settle the litigation to avoid the risks and uncertainties associated with a trial. Under the terms of the settlement, The Christ Hospital will establish a $4,500,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for class representatives, CyEx’s Privacy Shield Pro memberships, and cash payments. If, after covering all of those costs and expenses, there are insufficient funds remaining to pay class members a minimum of $37.50, then a further $2,500,000 will be added to the settlement fund. Should the $7 million total be exceeded, then claims will be subject to a pro rata reduction.

The Christ Hospital has also agreed to injunctive relief and will not transmit or otherwise permit Facebook to view or access individually identifiable health information and demographic information covered by HIPAA. That means any information related to past, present, or future physical or mental health or condition of an individual, which identifies that individual or could be used to identify that individual. The injunctive relief will apply to the Patient Portal, including forms and Health Risk Assessments, for a period of two years.

January 27, 2023: Lawsuit Alleges Christ Hospital Website Sent Patient Data to Meta

Earlier this month, a lawsuit was filed against The Christ Hospital in Cincinnati, OH, alleging third-party tracking code had been added to its website that was transmitting sensitive patient data to Meta and other third parties without obtaining authorization from patients.

An investigation by The Markup last summer revealed that one-third of the top 100 hospitals in the United States had Meta pixel tracking code on their websites, several of which were confirmed as having added the code to their password-protected patient portals. In some instances, the code was transmitting patient data to Meta, such as if website visitors were logged into their Facebook accounts while browsing the hospital websites. Tracking code is also provided by others, such as Google, which can similarly transmit data based on the interactions of users on websites.
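The mechanism the consolidated lawsuit describes above (Meta Pixel events keyed to a Facebook ID, Google Analytics code on the same pages) and the finding from The Markup that such code sat on password-protected portals are something a security team can check for directly rather than wait for a complaint. The Python script below is an added example written for this page; it is not code from The Christ Hospital, The Markup or The HIPAA Journal. It parses one page's HTML, flags the two vendors' publicly documented loader hosts and the inline fbq() and gtag() calls their standard snippets make, picks out 1x1 image beacons, and rates the page "high" when its URL already names a condition, because a tracker reports the URL of the page it fires on. The portal hostname, the sample pages and the list of condition terms are constructed for the example, and the host list is a starting indicator set rather than a complete one.

```python
"""Audit one HTML page for third-party tracking code (Meta Pixel, Google Analytics /
Tag Manager loaders, image beacons). Added example; hosts, pages and terms are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Publicly documented loader/beacon hosts for the two vendors named in the lawsuit.
# A starting indicator set, not an exhaustive one; extend it from your own traffic captures.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",                 # /tr?id=...&ev=PageView beacon
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
}
# Inline calls the vendors' standard snippets make to initialise and fire.
INLINE_SIGNATURES = {
    "Meta Pixel": re.compile(r"\bfbq\s*\(\s*['\"](init|track|trackCustom)['\"]"),
    "Google Analytics": re.compile(r"\bgtag\s*\(\s*['\"](js|config|event)['\"]"),
}
# URL terms that let a vendor infer a condition from the address alone (constructed list).
SENSITIVE_URL_TERMS = ("cancer", "oncolog", "pregnan", "addiction", "psychiatr")


class TrackerAuditor(HTMLParser):
    """Collects findings from <script src>, inline script bodies and <img> beacons. A
    self-closing <img/> reaches handle_starttag via the default handle_startendtag,
    so the <noscript> fallback beacon in the standard pixel snippet is caught too."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._buf = True, []
            if a.get("src"):
                self._record(a["src"], "script src")
        elif tag == "img":
            src = a.get("src") or ""
            # a 1x1 image, or any image fetched from a known tracker host, is a beacon
            if (a.get("width") == "1" and a.get("height") == "1") or self._vendor(src):
                self._record(src, "img beacon")

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script, body = False, "".join(self._buf)
        for host, vendor in TRACKER_HOSTS.items():      # loader URL embedded in the snippet
            if host in body:
                self.findings.append({"where": "inline loader", "vendor": vendor, "evidence": host})
        for vendor, rx in INLINE_SIGNATURES.items():    # init / track / config calls
            m = rx.search(body)
            if m:
                self.findings.append({"where": "inline script", "vendor": vendor, "evidence": m.group(0)})

    def _vendor(self, url):
        return TRACKER_HOSTS.get(urlparse(url).netloc.lower())

    def _record(self, url, where):
        host, vendor = urlparse(url).netloc.lower(), self._vendor(url)
        # unknown third-party beacons are still reported; unknown script hosts (CDNs,
        # fonts) are left alone so the report stays readable
        if vendor is None and where == "img beacon" and host and host != self.site_host:
            vendor = "unknown third party: " + host
        if vendor:
            self.findings.append({"where": where, "vendor": vendor, "evidence": url})


def audit_page(page_url, html):
    """A tracker reports the URL of the page it fires on, so a tracker on a
    condition-revealing URL is what turns marketing telemetry into a disclosure
    of identifiable health information; that combination is rated 'high'."""
    u = urlparse(page_url)
    auditor = TrackerAuditor(u.netloc.lower())
    auditor.feed(html)
    auditor.close()
    url_text = (u.path + "?" + u.query).lower()
    sensitive = sorted(t for t in SENSITIVE_URL_TERMS if t in url_text)
    vendors = sorted({f["vendor"] for f in auditor.findings})
    severity = "high" if vendors and sensitive else "medium" if vendors else "none"
    return {"page": page_url, "vendors": vendors, "findings": auditor.findings,
            "sensitive_url_terms": sensitive, "severity": severity}


# Constructed sample pages modelled on the vendors' standard snippets; not captures
# from any real hospital site. The portal hostname used below is made up as well.
SAMPLE_HTML = """<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-EXAMPLE');</script>
<script>!function(f,b,e,v,n,t,s){/* loader body elided */}(window, document, 'script',
'https://connect.facebook.net/en_US/fbevents.js'); fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><h1>Find an oncologist</h1></body></html>"""
CLEAN_HTML = '<html><head><script src="/static/portal.js"></script></head><body>Sign in</body></html>'

if __name__ == "__main__":
    print(audit_page("https://portal.example-hospital.org/find-a-doctor?specialty=oncology", SAMPLE_HTML))
```

Run it against the HTML of logged-in portal pages as well as the public site, since the lawsuit's point is that the code sat on MyChart. A static scan like this will not see tags that a tag manager container injects after page load, so pair it with a capture of the browser's outbound requests from the same pages.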

Following the investigation, several healthcare organizations announced data breaches related to tracking technologies that have resulted in the impermissible disclosure of patient information. The HHS’ Office for Civil Rights recently issued guidance on the use of tracking technologies on hospital websites, confirming that these technologies have the potential to violate the HIPAA Rules, and the use of these technologies without patient authorizations or a business associate agreement is likely to be a reportable data breach. The Christ Hospital does not appear to have announced any such breach to date.

The lawsuit – Doe v. The Christ Hospital – was filed on January 10, 2023, by attorney James Eugene Burke III in Hamilton County Court but has since been moved to federal court. According to the lawsuit, The Christ Hospital website has a search engine that patients are encouraged to use to find physicians within its network, and patients can schedule appointments with those physicians online. The hospital website allegedly includes Meta Pixel and other third-party code, which collects information about the activities of website users and transmits that information to Meta and others, with the information potentially used to serve patients with targeted adverts on Facebook and other Meta platforms.

The lawsuit alleges patients who searched for cancer treatments, mental health care, and even sexually transmitted infections could be targeted with adverts related to their searches on the site. The lawsuit also alleges that third-party code was included on the MyChart patient portal, which could potentially transmit communications with physicians to third parties without patient authorization, in violation of the HIPAA Rules.

The lawsuit names Jane Doe as plaintiff and seeks class action status to cover all similarly affected patients. The lawsuit seeks a jury trial and damages in excess of $25,000. The Christ Hospital maintains it is not selling patient data to Meta or other third parties and is investigating the claims made in the lawsuit.

The post The Christ Hospital Agrees to Pay up to $7 Million to Resolve Pixel Litigation appeared first on The HIPAA Journal.