Legal News

New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty

A New Jersey infertility clinic accused of violating HIPAA and New Jersey laws by failing to implement appropriate cybersecurity measures has settled the investigation with the state and will pay a $495,000 penalty.

Millburn, NJ-based Diamond Institute for Infertility and Menopause, LLC (Diamond) operates two healthcare facilities in New Jersey, one in New York, and provides consultancy services in Bermuda. Providing those services involves the collection, storage, and use of personal and protected health information (PHI).

Between August 2016 and January 2017, at least one unauthorized individual accessed Diamond’s network, which contained the PHI of 14,663 patients, 11,071 of whom were New Jersey residents.

As a HIPAA covered entity, Diamond is required to implement technical, physical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI. Diamond is also subject to New Jersey laws and is similarly required to implement reasonable and adequate safeguards to protect medical data from unauthorized access.

Diamond Investigated for Compliance with Federal and State Laws

The State of New Jersey Department of Law and Public Safety Division of Consumer Affairs investigated Diamond over the data breach to determine compliance with federal and state laws. The investigation revealed Diamond had entered into a support contract with the managed service provider (MSP) Infoaxis Technologies in 2007, which included security and information technology services, including maintenance of its third-party server and workstations. The service agreement included third-party software for the management and reporting of audit logs, intended to interpret triggers for event alerts.

Around March 2014, Diamond downgraded its support package with the MSP, resulting in a reduction in the services provided, although Diamond maintains there was no reduction in services between the two support agreements other than the amount of time included for on-site support services.

Prior to the breach, Diamond’s HIPAA Privacy and Security Officer accessed the Diamond network using a Remote Desktop Protocol (RDP) service over a VPN. Because the VPN was blocked from the Bermuda office, the MSP provided a different method of access that involved opening a port in the firewall to allow RDP access directly, without the VPN providing authentication.

Between August 28, 2016 and January 14, 2017, a workstation in the Millburn office was accessed by an unauthorized individual on several occasions from a foreign IP address. The unauthorized access was detected and blocked on January 14, 2017. During the time the workstation was accessible, data on the device was not encrypted. The intruder therefore potentially accessed patient data including names, dates of birth, Social Security numbers, and medical record numbers.

An investigation into the breach also revealed an intruder accessed Diamond’s third-party server which housed its electronic medical records within a password-protected SQL server using two compromised Diamond user accounts that had weak passwords. The investigation revealed weak security settings were in place for failed login attempts and password expiration.

While the EMR data was not compromised, the intruder was able to access PHI such as test results, ultrasound images, and clinical and post-operative notes. Diamond’s investigation was unable to confirm how access to the network was gained.

Multiple HIPAA Violations Uncovered

The state investigation into the data breach revealed business associate agreements were not in place prior to sharing ePHI with three business associates, Infoaxis, BMedTech, and Igenomix, in violation of the HIPAA Rules. Diamond was also alleged to have violated the New Jersey Consumer Fraud Act (CFA), the HIPAA Security Rule, and the HIPAA Privacy Rule by removing administrative and technological safeguards protecting PHI and ePHI, which allowed unauthorized individuals to gain access to its systems and ePHI for around five and a half months.

The CFA violations included misrepresentation of HIPAA practices in its privacy and security policy, a failure to secure its network leading to a data breach, and unconscionable commercial practices.

The settlement agreement lists failures to comply with twenty-nine provisions of the HIPAA Privacy and Security Rules. Alleged violations include the failure to conduct a comprehensive risk assessment, failure to encrypt ePHI, failure to modify security measures to ensure reasonable protections for ePHI were maintained, failure to implement procedures for creating, changing, and modifying passwords, and a failure to verify the identity of individuals seeking access to ePHI.

Diamond disputes many of the claims made by the state but agreed to settle the case and pay a $495,000 financial penalty, which consists of $412,300 in civil penalties and $82,700 in investigation fees.

“Patients seeking fertility treatment rightly expect their healthcare providers to protect their privacy,” said Acting Attorney General Bruck. “Major cybersecurity lapses like the ones leading up to this data breach are unacceptable. Today’s settlement sends the message that such privacy lapses come with significant consequences.”

In addition to the financial penalty, Diamond is required to implement additional measures to improve data security, including the use of encryption to prevent unauthorized access to ePHI, implementing a comprehensive information security program, appointing a new HIPAA officer, providing additional training to staff on security policies, developing a written incident response plan, and improving logging, monitoring, access controls, password management, and implementing a risk assessment program.

“Inadequate data systems and protocols are every hacker’s dream,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Companies that fail to comply with basic security requirements are an easy target, and we will not stand by as they violate our laws and expose clients’ sensitive information and make them vulnerable to identity theft.”

The post New Jersey Infertility Clinic Settles Data Breach Investigation with State and Pays $495,000 Penalty appeared first on HIPAA Journal.

Ransom Disclosure Act Requires Disclosure of Payments to Ransomware Gangs Within 48 Hours

A new bill has been introduced that requires victims of ransomware attacks to disclose any payments made to the attackers to the Department of Homeland Security (DHS) within 48 hours of the ransom being paid.

The Ransom Disclosure Act was introduced by Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) and aims to provide the DHS with the data it needs to investigate ransomware attacks and improve understanding of how cybercriminal enterprises operate, thus allowing the DHS to gain a much better picture of the ransomware threat facing the United States.

Between 2019 and 2020, ransomware attacks increased by 62% worldwide, and by 158% in the United States. The Federal Bureau of Investigation (FBI) received 2,500 complaints about ransomware attacks in 2020, up 20% from the previous year, and there were more than $29 million in reported losses to ransomware attacks in 2020. Not all ransomware attacks are reported. Many victims choose to quietly pay the attackers for the keys to decrypt their data and prevent the public disclosure of any data stolen in the attack.

Chainalysis believes almost $350 million in cryptocurrency was paid to ransomware gangs globally in 2020, which is a year-over-year increase of 311%. Attacks have continued to increase in 2021. According to Check Point’s mid-year security report, in the first half of 2021, there were 93% more ransomware attacks than the corresponding period last year.

As the ransomware attack on Colonial Pipeline demonstrated, the gangs behind these attacks pose a significant national security threat. That attack resulted in the closure of a major fuel pipeline for around a week. The attack on JBS Foods threatened food production, and the huge number of attacks on the healthcare industry has affected the ability of healthcare providers to provide care to patients. This year, CISA said ransomware attacks delay care and affect patient outcomes, and there has already been a death in the United States which is alleged to have been due to a ransomware attack.

Ransomware attacks are continuing to increase because they are profitable and give ransomware gangs and their affiliates a good return on investment. There is also little risk of being caught and brought to justice. Unfortunately, investigations of ransomware gangs can be hampered by a lack of data, hence the introduction of the Ransom Disclosure Act.

“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises – and help us go after them.”

While the FBI encourages the reporting of ransomware attacks to assist with its investigations, reporting attacks is not mandatory. “Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions,” said Congresswoman Ross. “I’m proud to introduce this legislation with Senator Warren which will implement important reporting requirements, including the amount of ransom demanded and paid, and the type of currency used. The U.S. cannot continue to fight ransomware attacks with one hand tied behind our back.”

The Ransom Disclosure Act will require:

  • Ransomware victims (except individuals) to disclose any ransom payments within 48 hours of the date of payment, including the amount, the currency used, and any information that has been gathered on the entity demanding the ransom.
  • The DHS to publish information disclosed during the previous year about the ransoms paid, excluding identifying information about the entities that paid.
  • The DHS to set up a website for individuals to voluntarily report ransom payments.
  • The Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated the attacks, and to make recommendations for protecting information systems and strengthening cybersecurity.


Elekta Faces Class Action Lawsuit over Ransomware Attack and Data Breach

A lawsuit has been filed on behalf of a former patient of Northwestern Memorial HealthCare (NMHC) against Elekta Inc. over its April 2021 ransomware attack and data breach.

Elekta, a Swedish provider of radiation therapy equipment and related data services, is a business associate of many U.S. healthcare providers. Hackers targeted the company’s cloud-based platform, which is used to store and transmit healthcare data, and were able to access the platform between April 2 and April 20, 2021. The breach was detected when the hackers deployed ransomware.

Elekta reported the attack as affecting a small percentage of its cloud customers in the United States, including NMHC. The entire oncology database of NMHC was compromised in the attack. The database contained the protected health information of 201,197 cancer patients including names, dates of birth, Social Security numbers, and healthcare data. In total, the attack affected 170 of its healthcare clients.

The lawsuit was filed in the U.S. District Court for the Northern District of Georgia on behalf of Deborah Harrington and others similarly affected by the ransomware attack. The lawsuit alleges the disclosure of protected health information was preventable, with the data breach occurring as a result of Elekta failing to implement sufficient cybersecurity policies and procedures. As a result, hackers were able to gain access to its platform and copy the sensitive data of patients.

The lawsuit alleges Elekta was negligent and failed to honor its duties to maintain adequate data security systems to reduce the risk of data breaches, adequately protect PHI on its systems, and properly monitor its data security systems for existing intrusions. It is also alleged that Elekta did not ensure agents, employees, and others with access to sensitive information employed reasonable security procedures.

The lawsuit claims Harrington and the class members have suffered damages and actual harm as a direct result of the cyberattack and they now face an increased risk of identity theft and fraud and must undertake additional security measures to protect themselves against harm.

The alleged harm suffered by Harrington and the class members includes imminent risk of future identity theft, lost time and money expended to mitigate the threat of identity theft, diminished value of personal information, and loss of privacy.

The lawsuit seeks damages, reimbursement of out-of-pocket expenses, legal costs, injunctive relief, and other and further relief as deemed appropriate by the courts.


Lawsuit Alleges Ransomware Attack Resulted in Hospital Baby Death

A medical malpractice lawsuit has been filed against an Alabama Hospital alleging vital information that could have prevented the death of a baby was not available due to a ransomware attack.

Springhill Medical Center in Mobile, AL suffered a ransomware attack in 2019 which caused widespread encryption of files and a major IT system outage. Computer systems were taken offline for 8 days, during which time care continued to be provided to patients, with staff operating under the hospital’s emergency downtime protocol. With no access to computer systems, patient information was recorded on paper charts.

Following the attack, Springhill Medical Center issued a statement about the incident and said it had no impact on patient care: “We’d like to assure our patients and the community that patient safety is always our top priority and we would never allow our staff to operate in an unsafe environment.”

During the system downtime, Teiranni Kidd arrived at the hospital to have her baby delivered. Her baby was born on July 17, 2019, but tragically the umbilical cord had become wrapped around the baby’s neck, resulting in severe brain damage. Following the birth, Kidd’s daughter Nicko was transferred to a neonatal intensive care unit. Due to the brain damage, Nicko required frequent oxygen supplementation, had to be fed through a gastrointestinal tube, and needed around-the-clock medical care. Nicko died 9 months later, on April 16, 2020.

In January 2020, a lawsuit was filed in the Circuit Court of Mobile County, AL on behalf of Teiranni Kidd, as mother and next friend of Nicko Silar. The lawsuit alleges the hospital failed to inform the plaintiff about the cyberattack and outage, and had the hospital done so, she would have chosen a different hospital for labor and delivery.

The lawsuit alleges physicians and nurses at Springhill Medical Center failed to conduct multiple tests prior to the birth which would have revealed the umbilical cord had wrapped around the baby’s neck and that those tests were not conducted due to the distraction caused by the ransomware attack.

The lawsuit alleges a wireless tracker used to locate medical staff was out of order, patient health records were inaccessible, and electronic systems that provided fetal tracing information were also not working. The lawsuit alleges patient information was not available at the nurses’ station and the only fetal monitoring information was a paper record at the patient’s bedside in the labor and delivery room.

“As a result, the number of healthcare providers who would normally monitor [the plaintiff’s] labor and delivery were substantially reduced and important safety-critical layers of redundancy were eliminated,” according to the lawsuit, which claims medical malpractice and wrongful death.

“Defendant Springhill Memorial Hospital planned, orchestrated, and implemented a scheme by hospital management and ownership in which they conspiratorially hid, suppressed, and failed to disclose critical patient safety-related information, and further created a false, misleading, and deceptive narrative concerning the July 2019 cyberattack by deliberately failing to disclose critical factual information,” according to the lawsuit.

The lawsuit alleges that as a proximate consequence of the non-disclosure of the attack and outage, the baby suffered “personal injuries and general damages, including permanent injury from which she died.” The hospital has denied any wrongdoing.

Following a ransomware attack, hospitals continue to provide medical services to patients in their care by following their emergency protocols, switching to recording patient information on paper charts, and conducting normally automated processes manually. It is common for emergency patients to be redirected to alternative facilities as a precaution while systems are restored and access to medical records is regained.

This is the first case where a ransomware attack is alleged to have resulted in a patient death, although it is not the only attack where patient safety has been put at risk. Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a report on healthcare ransomware attacks during the pandemic and confirmed the impact they have had on patient care and outcomes. “Although there are no deaths directly attributed to hospital cyberattacks, statistical analysis of an affected hospital’s relative performance indicates reduced capacity and worsened health outcomes, which can be measured in the time of the COVID-19 pandemic in excess deaths,” explained CISA in the report.

Also, a recent survey of IT and IT security professionals at healthcare delivery organizations in the United States, conducted by the Ponemon Institute on behalf of cybersecurity risk management firm Censinet, revealed respondents believed ransomware attacks resulted in an increase in the length of patient stays in hospital, delays in testing, and an increase in medical complications. 22% of respondents believed there was an increase in patient mortality after a ransomware attack.


Healthcare Workers in Minnesota File Lawsuit Against Employers to Block Vaccine Mandate

A lawsuit has been filed in U.S. District Court in Minnesota on behalf of 180 healthcare workers over the COVID-19 vaccine mandates of their employers. The plaintiffs, who have not been named in the lawsuit, claim vaccine mandates are a violation of religious freedom and state and federal laws. The lawsuit is one of several that challenge the legality of such mandates.

Vaccines remain the most effective way to prevent the spread of COVID-19, stop individuals becoming seriously ill, and reduce the number of hospitalizations from the illness. The vaccines are safe and are backed up by data showing they are highly effective at preventing serious illness. The majority of individuals who are hospitalized and/or die from COVID-19 are unvaccinated.

Many employers have opted to implement vaccine mandates and President Biden has announced a vaccine mandate covering 17 million healthcare workers at facilities that receive Medicare and Medicaid funding. Most hospitals have reported high levels of vaccination, with Mayo Clinic saying 98% of its physicians have been vaccinated, as have 87% of all of its workforce.

The Minnesota lawsuit names almost two dozen healthcare institutions including Mayo Clinic and University of Minnesota Physicians as defendants, as well as several federal health officials. The lawsuit alleges “Plaintiffs’ employers are placing a substantial burden on their employees not to practice their religious-based objection to the COVID-19 vaccination or live under the threat of having their religious exemption withdrawn at any time.” The lawsuit also alleges healthcare providers are forcing workers to get vaccinated to improve their vaccination numbers to get more federal subsidies.

In addition to individuals with religious objections to the COVID-19 vaccine, plaintiffs also include workers who are pregnant, young workers who are unsure whether the risks from vaccination are worse than the risks from contracting COVID-19, and individuals who have already had COVID-19. The lawsuit seeks a rapid injunction from a judge ahead of the fast-approaching vaccination deadline.

Also this month, a lawsuit was filed against the Henry Ford Health System in Detroit over its vaccine mandate. Approximately 50 employees – who include doctors, nurses, and other staff – claim the vaccine mandate is unconstitutional and an infringement on an individual’s bodily autonomy. The lawsuit alleges workers have been given the choice of exposing themselves to a potentially harmful vaccine or giving up on their careers in healthcare. A motion for a temporary restraining order was also filed against Henry Ford Health System, seeking to bar the hospital system from implementing its mandate pending the outcome of the lawsuit.

Employers that have implemented a vaccine mandate have made vaccination a condition of employment and will fire workers who are not vaccinated unless there is a medical exemption. Many hospitals and other healthcare facilities are facing the prospect of staff shortages as the deadline for vaccination approaches. Workers at Henry Ford Health System who refused vaccination were required to be vaccinated by September 10 to avoid suspension and have until October 1 to be vaccinated to avoid termination.


Class Action Lawsuits Filed Against San Diego Health Over Phishing Attack

Multiple class action lawsuits have been filed against the Californian healthcare provider San Diego Health over a data breach involving the protected health information of 496,949 patients.

On March 12, 2021, San Diego Health identified suspicious activity in employee email accounts and launched an investigation. On April 8, 2021, it was determined multiple email accounts containing patients’ protected health information had been accessed by unauthorized individuals between December 2, 2020 and April 8, 2021. A review of the compromised email accounts confirmed them to contain protected health information such as names, addresses, dates of birth, email addresses, medical record numbers, government ID numbers, Social Security numbers, financial account numbers, and health information such as test results, diagnoses, and prescription information.

HIPAA requires covered entities to issue notifications to affected individuals within 60 days of the discovery of a breach. San Diego Health published a substitute breach notice on its website on July 27, 2021 and started issuing individual notifications to patients on September 9, 2021. Patients have been offered complimentary credit monitoring and identity theft protection services for 12 months and coverage under a $1 million identity theft insurance policy.

A lawsuit was filed against San Diego Health on behalf of patient Denise Menezes on September 20 alleging negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, breach of confidence, violations of the California Consumer Privacy Act and the California Confidentiality of Medical Information Act, and a violation of the California Unfair Competition Law.

The lawsuit alleges San Diego Health failed to comply with its obligations to protect patient data as required by the HIPAA Security Rule. It is alleged that appropriate, industry-standard cybersecurity measures, such as spam filtering and email authentication controls including SPF and DMARC, were not implemented to prevent hackers from gaining access to email accounts where patients’ protected health information was stored. It is also alleged that sufficient security awareness training had not been provided to employees to help them identify and avoid phishing attempts. Additionally, the lawsuit alleges negligence for failing to detect the breach for 4 months and for failing to notify affected individuals within a reasonable amount of time.

A second lawsuit, which also seeks class action status, was filed on behalf of patient Richard Hartley on September 22. The lawsuit also alleges negligence for the same failures, and also states that a potential data breach was detected by San Diego Health on March 12, but it took until April 8 to expel the unauthorized individuals from its email environment.

The lawsuit alleges negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and violations of the California Consumer Privacy Act and California Confidentiality of Medical Information Act.

The plaintiff claims to have suffered actual injury as a result of the breach. Alleged injuries include anxiety caused by the theft of his personal information and paying monies to San Diego Health for goods and services that required a disclosure of PHI, which would not have been made had he been aware inadequate security measures were in place to protect that information. The plaintiff also alleges damage to and diminution of the value of sensitive information, loss of privacy, impending and imminent injury due to identity theft, and the time and expense of mitigating the effects of the breach.

The lawsuits seek unspecified damages for the plaintiffs and all other class members whose personal and medical information may have been compromised in the attack, a jury trial, and an injunction compelling San Diego Health to enhance cybersecurity to prevent similar breaches in the future.


Healthcare Organizations Face Legal and Technological Challenges Achieving CCPA Compliance

Healthcare organizations that are required to comply with the California Consumer Privacy Act (CCPA) are facing challenges achieving compliance, according to a new study published in Health Policy and Technology (DOI: 10.1016/j.hlpt.2021.100543).

The CCPA was signed into law on June 28, 2018 and took effect on January 1, 2020. The aim of the CCPA was to give California residents greater control over their personal data and how their information can be used.

The CCPA gave California residents the right to be informed about the personal data that will be collected about them, whether their data may be sold or disclosed, to whom disclosures may be made, and to opt out of the sale of their personal data. They were also given the right to view the personal data held by a company covered by the CCPA, to request that their personal data be deleted, and not to be discriminated against for exercising their rights under the CCPA.

The researchers conducted the study to explore any potential challenges associated with CCPA compliance for healthcare organizations, which involved interviews with 19 digital privacy and information system experts. The researchers found there to be perceived legal and technological challenges for healthcare organizations trying to comply with the CCPA.

The CCPA is mostly concerned with the use of individuals’ personal data by large consumer-facing technology companies, but the CCPA has had a significant impact on healthcare organizations. HIPAA-eligible information is exempt from the CCPA, but the researchers explained that there are some types of data which are collected by HIPAA regulated entities that potentially fall within the jurisdiction of the CCPA. For those types of data there is regulatory ambiguity, which could result in legal issues for healthcare organizations that do business with California residents.

“A lack of regulatory clarity and a low likelihood of enforcement emerged as two major themes of legal concern,” explained the researchers. “Poor data discovery and inventory processes, lack of sophisticated digital infrastructure, the interaction between technology and privacy professionals, and the high cost of compliance emerged as significant technological hurdles to CCPA compliance.”

There is confusion due to the CCPA’s broad definitions of “business” and “consumer”, which capture companies that collect user data and deploy cookies, and the interplay between HIPAA and the CCPA creates some unintentional hurdles when it comes to compliance. One of the key issues concerns healthcare data collected by healthcare organizations that is not classed as protected health information and is therefore not subject to the HIPAA Rules. In such cases, healthcare organizations may need to comply with the requirements of the CCPA.

“From an implementation perspective, our study finds that the more visible components of CCPA compliance, such as building a website or setting up a helpline service for consumers to raise data access requests, are easy to accomplish,” wrote the researchers. “However, the task of ensuring an accurate inventory of all the consumer data collected and stored within the organization will be a challenging endeavor.”

A considerable amount of additional data is also now being captured and collected due to the COVID-19 pandemic, and the speed at which systems had to be developed to record, store, and share that information for contact tracing and COVID-19 testing meant there was little time to ensure adequate privacy safeguards were implemented. For healthcare organizations, it is unclear in many cases whether these types of data fall under the CCPA.

The researchers advise healthcare organizations doing business in California to develop compliance plans proactively. If found to be non-compliant, they could be forced to make last-minute changes to avoid financial penalties and could face expensive litigation.


Class Action Lawsuit Filed Against St. Joseph’s/Candler over Ransomware Attack Affecting 1.4 Million Patients

A class action lawsuit has been filed against St. Joseph’s/Candler Hospital Health System in response to a ransomware attack that occurred on June 17, 2021.

The attack resulted in the encryption of files and forced the hospital’s IT systems offline. The systems accessed by the hackers contained the protected health information of 1.4 million patients, including names, Social Security numbers, driver’s license numbers, health insurance information, healthcare data, and financial information. St. Joseph’s/Candler offered affected patients a one-year membership to the Experian IdentityWorks credit monitoring and identity theft protection service.

The investigation into the ransomware attack confirmed the hackers first accessed its network on December 18, 2020, 6 months prior to the ransomware being deployed. During that time the hackers had access to patient data stored on its systems.

Georgia resident Daniel Elliott was one of the patients whose PHI was compromised in the attack. On August 28, 2021, the personal injury firm Harris Lowry Manton LLP filed a class action lawsuit against St. Joseph’s/Candler naming Elliott as lead plaintiff. The lawsuit seeks damages for him and the 1.4 million other individuals affected by the ransomware attack.

St. Joseph’s/Candler, which operates Savannah Hospital in Georgia, is the largest health system in the region. The lawsuit alleges St. Joseph’s/Candler was negligent for failing to adequately secure patient data and for not taking sufficient steps to prevent ransomware attacks.

Specifically, the lawsuit states St. Joseph’s/Candler failed to “design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security process, controls, policies, procedures, protocols and software and hardware systems” to protect sensitive patient data. The alleged failures resulted in the exposure and potential theft of patient data, which has put affected patients at an increased risk of identity theft and medical identity theft. Patients have had to spend money to protect their identities, and as a consequence of the data breach must continue to do so in the future and to monitor their financial accounts, health insurance accounts, and credit files.

Elliott and members of the class action lawsuit seek a jury trial, unspecified monetary relief for punitive damages, reimbursement of expenses, restitution and disgorgement, and legal fees.

The lawsuit is one of several recently filed against healthcare providers that have suffered ransomware attacks. A class action lawsuit was recently filed against Attleboro, MA-based Sturdy Memorial Hospital over a February 2021 ransomware attack in which the PHI of 35,271 patients was potentially compromised. In that attack, the hospital paid the ransom to recover the encrypted data and prevent it from being published or sold. Two years of credit monitoring services were offered to affected patients, but the lawsuit seeks extended cover as well as unspecified damages and attorneys’ fees.

Two individuals affected by the recently disclosed ransomware attack on DuPage Medical Group have also filed a lawsuit that seeks class action status and unspecified damages. The ransomware attack occurred in mid-July and the systems compromised in the attack contained the protected health information of 655,384 individuals.

The post Class Action Lawsuit Filed Against St. Joseph’s/Candler over Ransomware Attack Affecting 1.4 Million Patients appeared first on HIPAA Journal.

Patients Sue DuPage Medical Group over July 2021 Ransomware Attack

Two DuPage Medical Group patients are taking legal action against the healthcare provider following a July 2021 ransomware attack in which patients’ protected health information was exposed.

DuPage Medical Group suffered the ransomware attack in mid-July. The forensic investigation determined unauthorized individuals had gained access to its computer network between July 12 and July 13, and deployed ransomware in an attempt to extort money. The attack caused a major computer and phone outage that lasted around a week.

On August 17, the forensic investigators confirmed hackers had gained access to parts of the computer network that contained the protected health information of 655,384 patients, and potentially viewed or obtained patient names, addresses, dates of birth, diagnosis codes, medical procedure codes, and treatment dates. Some Social Security numbers may also have been compromised.

Notification letters started to be sent to affected patients in late August. At the time of issuing notifications, DuPage Medical Group said it was unaware of any actual or attempted misuse of patient data, although the possibility could not be ruled out. Free credit monitoring and identity theft protection services have been offered to affected patients.

The lawsuit was filed in DuPage County Circuit Court on behalf of Rochelle Hestrup and Erin Peiss on September 1, 2021, just a few days after the healthcare provider mailed notification letters to patients. The lawsuit alleges DuPage Medical Group was negligent for not implementing appropriate defenses to protect against ransomware attacks and that it failed to monitor its computer network and systems containing patient information. The lawsuit also alleges DuPage Medical Group did not notify patients quickly enough, even though notification letters were mailed well inside the 60-day deadline of the HIPAA Breach Notification Rule.

The lawsuit alleges, “As a direct result of the data breach, plaintiffs and class members have been exposed to a heightened and imminent risk of fraud and identity theft.” The lawsuit seeks class action status, and the plaintiffs are seeking damages, reimbursement of out-of-pocket expenses, and an order requiring DuPage Medical Group to make improvements to its security systems to better protect sensitive patient data.

“We remain committed to information security, and although we are unaware at this time of any attempted or actual misuse of the information involved, we understand the concern that this potential access raises,” said DuPage Medical Group in a statement to the Chicago Tribune.

The post Patients Sue DuPage Medical Group over July 2021 Ransomware Attack appeared first on HIPAA Journal.