Legal News

Slew of Lawsuits Filed Over Recent Healthcare Data Breaches

Individuals impacted by the recent data breaches at Blackbaud, Assured Imaging, and BJC Healthcare have taken legal action over the exposure and theft of their personal and protected health information.

Multiple Lawsuits Filed Over Blackbaud Ransomware Attack

The data breach at Blackbaud is one of the largest ever breaches of healthcare data to be reported. It is currently unclear exactly how many healthcare entities have been affected, as each affected entity is reporting the breach separately. As the deadline for reporting approaches, the extent of the breach is becoming clearer. Currently, at least 5 million individuals are known to have been affected and around 60 healthcare organizations have confirmed they have been impacted by the breach.

As is now common in ransomware attacks, data were exfiltrated by the hackers prior to the use of ransomware. Blackbaud paid the ransom demand to obtain the keys to decrypt data and to ensure that all stolen data were permanently deleted. Blackbaud has received assurances that the stolen data have been deleted, but as a result of the breach, individuals whose information was stolen in the attack have still had to take steps to protect their identities and many have incurred out-of-pocket expenses as a result of the breach.

At least 10 lawsuits have now been filed against Blackbaud and seek class action status. The lawsuits allege negligence, breach of contract, invasion of privacy, and violations of several state laws.

Blackbaud may have received assurances that stolen data have been deleted, but there is concern that a copy could have been made and is still in the hands of the hackers. According to one lawsuit filed in California federal court, “[Blackbaud] cannot reasonably maintain that the data thieves destroyed the subset copy simply because the defendant paid the ransom and the data thieves confirmed the copy was destroyed.” Blackbaud maintains the allegations in the lawsuits are without merit.

Lawsuit Filed Over Assured Imaging Ransomware Attack

Assured Imaging similarly suffered a ransomware attack in which patient data were stolen prior to the use of ransomware. The hackers first gained access to Assured Imaging’s systems on May 15, 2020 and deployed their ransomware on May 19, 2020. Notification letters were sent to the 244,813 patients affected by the attack on August 26, 2020. While it has been confirmed that the attackers stole data, Assured Imaging was unable to determine what information was obtained.

The threat actors behind the attack later published a portion of data stolen in the attack in an attempt to pressure Assured Imaging into paying the ransom. The ransomware used in the attack was Pysa, aka Mespinoza.

A lawsuit has been filed in the US District Court of Arizona on behalf of plaintiffs Angela T. Travis, Kerri G. Peters, and Geraldine Pineda and others affected by the breach. The plaintiffs are represented by attorney Hart L. Robinovitch of Zimmerman Reed.

The lawsuit alleges Assured Imaging maintained patient data “in a reckless manner” on a computer network that was vulnerable to cyberattacks and that there was a known risk of improper disclosure of PHI due to the lack of appropriate cybersecurity protections.

The lawsuit also alleges the failure to secure the network left patient data “in a dangerous condition” and that there was improper monitoring of its network, resulting in a delay in identifying the intrusion.

The lawsuit also alleges Assured Imaging was in breach of FTC guidelines and had failed to comply with the minimum industry standards for data security, such as applying security updates promptly, training the workforce, implementing appropriate policies and procedures with regard to data security, and encrypting data.

The lawsuit alleges patients face an increased risk of fraud and identity theft for many years to come as a result of the theft of their data and the actual or potential release of their information on the black market. Affected patients have also “suffered ascertainable losses in the form of disruption of medical services, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

BJC Healthcare Facing Class Action Lawsuit over Phishing Attack

A lawsuit has been filed in the St. Louis Circuit Court over a March 2020 phishing attack on BJC Healthcare in which the personal and protected health information of 287,876 individuals was potentially compromised. The breach affected 19 hospitals associated with BJC Healthcare.

Three employees responded to phishing emails and disclosed their credentials, and their email accounts were then accessed by the attackers. BJC Healthcare claims the breach was detected the same day but could not determine whether any data in the email accounts were accessed or stolen by the attackers.

A lawsuit was filed by attorney Jack Garvey on behalf of BJC patient Brian Lee Bauer claiming BJC’s approach to patient privacy was negligent. The lawsuit alleges the health system failed to implement and follow basic security procedures which made the protected health information of its patients accessible to thieves. The lawsuit alleges BJC failed to encrypt – or did not sufficiently encrypt – patient data and that it failed to meet its data security obligations under HIPAA and the HITECH Act.

The lawsuit claims breach victims face an increased risk of identity theft and fraud and are “immediately and imminently in danger of sustaining some or further direct injury/injuries.” It also claims that, as a result of the breach, patients have incurred significant out-of-pocket costs related to the prevention, detection, recovery, and remediation from identity theft and fraud, and that the breach “is taking a significant emotional and physical toll” on the individuals affected.

The post Slew of Lawsuits Filed Over Recent Healthcare Data Breaches appeared first on HIPAA Journal.

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days.

The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals.

CHSPSC LLC is a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed CHSPSC’s information systems via its virtual private network (VPN) solution. CHSPSC failed to detect the intrusion and was notified by the Federal Bureau of Investigation on April 18, 2014 that its systems had been compromised.

During the time the hackers had access to CHSPSC systems, the ePHI of 6,121,158 individuals was exfiltrated. The data had been provided to CHSPSC through 237 covered entities that used CHSPSC’s services. The types of information stolen in the attack included the following data elements: name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information.

OCR launched an investigation into the breach and uncovered systemic noncompliance with the HIPAA Security Rule. While it may not always be possible to prevent cyberattacks by sophisticated threat actors, when an intrusion is detected action must be taken quickly to limit the harm caused. Despite being notified by the FBI in April 2014 that its systems had been compromised, the hackers remained active in its systems for 4 months, finally being eradicated in August 2014. During that time, CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the hackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014, mitigate the harmful effects of the security breach, and document the breach and its outcome was in violation of 45 C.F.R. § 164.308(a)(6)(ii).

OCR investigators found CHSPSC had failed to conduct an accurate and thorough security risk analysis to identify the risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures restricting access to information systems containing ePHI maintained by CHSPSC to authorized individuals and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures had not been implemented to ensure information system activity records such as logs and system security incident tracking reports were regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).

“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino. A sizeable financial penalty was therefore appropriate.

CHSPSC chose not to contest the case and settled with OCR, agreeing to pay the financial penalty. The settlement also requires CHSPSC to adopt a robust and extensive corrective action plan to address all areas of noncompliance, and CHSPSC will be closely monitored by OCR for 2 years.


Member of The Dark Overlord Hacking Group Sentenced to 5 Years in Jail

The U.S. Department of Justice has announced that a member of the notorious hacking group, The Dark Overlord, has been sentenced to 5 years in jail and has been ordered to pay $1.4 million in restitution.

The Dark Overlord hacking group started targeting U.S. organizations in 2016. The hackers gained access to the networks of companies via brute force attacks on Remote Desktop Protocol, then stole data from victim companies and threatened to sell the stolen data on criminal marketplaces if the ransom demand was not paid. The hackers issued ransom demands of between $75,000 and $350,000 in Bitcoin and issued multiple threats if the ransom was not paid. In some instances, individuals in the victim companies received personal threats against them and their family members via the telephone, email, and text messages.

Victims of The Dark Overlord included accounting firms, healthcare providers, and other companies. Healthcare provider victims included Farmington, MO-based Midwest Orthopedic Group, Swansea, IL-based Quest Records, Prosthetics & Orthotics Care in St. Louis, and Athens, GA-based Athens Orthopedic Clinic. Athens Orthopedic Clinic was recently fined $1.5 million for HIPAA failures discovered by the HHS’ Office for Civil Rights when investigating The Dark Overlord hacking incident.

Wyatt, a 39-year-old UK national, was arrested by UK police in September 2017 over the hacking of the iCloud account of Pippa Middleton, the sister of the Duchess of Cambridge. Around 3,000 photographs were stolen and a ransom demand of £50,000 was issued for their return. He was released without charge but was later charged on 20 counts of fraud by false representation, two counts of blackmail, and one count of possession of an identity document with intent to deceive. One of the attacks involved the blackmailing of a law firm in the UK as part of the Dark Overlord hacking group. Wyatt was sentenced to 3 years in jail in the UK for the offenses.

Wyatt was then indicted by a grand jury in November 2017 over his role in the Dark Overlord attacks on 5 victim companies in the United States and was extradited to the United States in December 2019 where he has remained in custody.

Wyatt was indicted on 6 counts: 1 count of conspiracy, 2 counts of aggravated identity theft, and 3 counts of threatening to damage a protected computer. Wyatt entered into a plea arrangement and agreed to plead guilty to the conspiracy charge if the remaining five counts were dropped.

Wyatt admitted being part of The Dark Overlord hacking group and that he and his co-conspirators obtained sensitive data from victim companies, including patient medical records, and threatened to publish or sell the data if the ransom demand was not paid.

Wyatt did not orchestrate the attacks and was not one of the leaders of the group. Wyatt’s role was “creating, validating, and maintaining communication, payment, and virtual private network accounts that were used in the course of the scheme to, among other things, send threatening and extortionate messages to victims,” according to the Department of Justice.

U.S. District Judge Ronnie White, of the Eastern District of Missouri, sentenced Wyatt to 60 months in jail less time already served and ordered Wyatt to pay $1,467,048 in restitution to the victim companies.

“Nathan Wyatt used his technical skills to prey on Americans’ private data and exploited the sensitive nature of their medical and financial records for his own personal gain,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division. “Today’s guilty plea and sentence demonstrate the department’s commitment to ensuring that hackers who seek to profit by illegally invading the privacy of Americans will be found and held accountable, no matter where they may be located.”


Express Scripts HIPAA-Based Lawsuit Dismissed by Court of Appeals

In 2019, a lawsuit was filed against Express Scripts by five independent pharmacies alleging improper use of patient data in violation of HIPAA.

Express Scripts is the largest pharmacy benefits manager in the United States with its own retail pharmacies and pharmacy service. The five pharmacies were part of the Express Scripts network and were required to submit detailed claims to Express Scripts for processing and reimbursement before dispensing drugs. The pharmacies also needed to include information about the medications in their claims, along with the contact information of their customers.

In the lawsuit, the pharmacies alleged that Express Scripts was in breach of contract and good-faith and fair-dealing covenants, and in violation of HIPAA and the HITECH Act. The pharmacies were required to provide Express Scripts with information about their customers, which it is alleged was then used to switch the customers to Express Scripts’ mail order service. The pharmacies alleged there was no need to supply that information to confirm coverage and for reimbursement.

“The Pharmacies maintain that [Express Scripts] is using their confidential customer information without authorization to switch their customers to [Express Scripts] own mail-order service when [Express Scripts] should only use the information to confirm customers’ coverage and to reimburse the Pharmacies,” according to the court filing. The pharmacies also alleged the pharmacy benefits manager was engaged in unfair competition and “shared the Pharmacies’ trade secrets with its affiliates in order to steal the Pharmacies’ customers.”

The district court dismissed the lawsuit stating the information provided was not protected and the agreements the pharmacies entered into with Express Scripts allowed the pharmacy benefits manager to pursue mail-order prescription arrangements without violating any good faith agreements or contracts. The district court also ruled that the pharmacies could not sue for a HIPAA violation as there is no private cause of action in HIPAA.

In their appeal against the decision of the district court to dismiss the lawsuit, the pharmacies argued that the decision to dismiss the lawsuit for lack of standing was incorrect as they were not attempting to sue for a HIPAA violation. They also asked that the court’s alternative reasoning – “that HIPAA only allows the Pharmacies’ customers, not the Pharmacies, to authorize the use of their confidential health information” – be disregarded. Express Scripts argued that even if it were possible to state a claim under HIPAA, the pharmacies had failed to provide sufficient facts to demonstrate a past or ongoing HIPAA violation.

The pharmacies also claimed in their appeal that Express Scripts was only entitled to receive information after claims had been processed, and that the collection of customer information was unnecessary and was only being carried out in Express Scripts’ own interest.

The 8th U.S. Circuit Court of Appeals affirmed the lower court’s ruling that it is not possible to sue for a HIPAA violation, that the information provided to Express Scripts was not protected, and that the terms of the pharmacies’ contracts with Express Scripts allowed the pharmacy benefits manager to offer mail-order prescription arrangements to the pharmacies’ customers. The contracts entered into by the pharmacies stated they agreed to cooperate with Express Scripts for the coordination of their customers’ benefits, and mail service dispensing – even through Express Scripts’ own service – falls within the category of benefits provided to any member.

The Court of Appeals also affirmed the lower court’s dismissal of the pharmacies’ attempted monopolization claim, ruling that “the Pharmacies did not plead sufficient facts to meet their ‘burden of alleging a relevant market in order to state a plausible antitrust claim.’”


HealthAlliance Hospital and Ciox Health Facing Class Action Medical Records Lawsuit

A lawsuit has been filed against HealthAlliance Hospital and Ciox Health, its health record management vendor, for preventing a widow from obtaining her deceased husband’s medical records.

Sherry Russell, 62, from Woodstock NY, lost her husband of 42 years to lung cancer in October 2020. Mr. Russell visited HealthAlliance Hospital: Broadway Campus for a chest x-ray in March 2017 but lung cancer was not diagnosed. The cancer diagnosis came two years later when the tumor was 2 inches in diameter and it was too late to provide treatment.

Mrs. Russell believes the radiologist failed to identify the tumor on the x-ray, resulting in a misdiagnosis. Had the tumor been found earlier, it is possible that treatment could have been provided in time to save her husband’s life.

Mrs. Russell requested a copy of her husband’s medical records from HealthAlliance Hospital in order to obtain a copy of the chest x-ray report to support her malpractice lawsuit against the hospital over the failure to diagnose lung cancer; however, she has been unable to obtain a copy of the report.

Under HIPAA, patients are allowed to obtain a copy of their medical records from their healthcare providers. The HITECH Act of 2009 amended 164.510(b) of HIPAA to “permit covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with prior expressed preference of the individual that is known to the covered entity.”

When a request is made to obtain a copy of a person’s medical records from a healthcare provider, copies of paper records and electronic records must be provided. The provider can charge a reasonable, cost-based fee for providing copies, which should be provided in the format of the patient’s choosing, if it is technically feasible for a provider to release records in that format. Hospitals can receive thousands of requests for copies of medical records, so many choose to use a health record management vendor to manage those requests, in this case, Ciox Health.

The medical records lawsuit claims that under the federal HITECH Act of 2009, Mrs. Russell is entitled to a copy of her husband’s medical records and that the hospital and Ciox are only permitted to charge $6.50 for providing those records. The lawsuit also alleges both parties have been unresponsive and have been difficult to deal with. When both parties did respond to requests, Mrs. Russell was informed that it was only possible to provide a copy of paper records, not any electronic health records, and Ciox said it charges 75 cents per page for providing those records.

“[Mrs.] Russell can’t even determine the name of the correct physician liable for wrongdoing, without the medical records,” said Sherry Russell’s lawyer, John Fisher. “HealthAlliance Hospital, the very entity that has wronged her, is continuing to wrong her by stonewalling her.” Due to the statute of limitations in New York, the malpractice lawsuit must be filed by Friday this week. Fisher said that the malpractice lawsuit would be filed, even if the medical records are not provided.

Fisher is also seeking class action status for the medical records lawsuit against HealthAlliance Hospital and Ciox Health and claims he has dozens of clients that have similarly faced difficulties exercising their HIPAA right to obtain medical records from HealthAlliance Hospital and Ciox Health.

The issue of charging excessive amounts for copies of medical records was addressed by the HHS in guidance on fees issued in 2016. The HHS confirmed that a $6.50 flat fee can be charged for providing copies of medical records, although it is also possible to charge average labor costs or actual costs for providing a copy to a third party. The HHS also recently launched a HIPAA Right of Access Initiative to vigorously enforce compliance with this important right of HIPAA, and has already issued two financial penalties over the failure to honor this right.

Ciox Health is no stranger to legal action over medical record access. A federal lawsuit was filed against Ciox Health and 62 hospitals in Indiana over the falsification of records and for participating in a kickback scheme involving overbilling for releasing patient EHRs, although the case was dropped. In 2018, Milwaukee-based Aurora Health Care and Ciox Health settled a class-action lawsuit alleging overcharging for medical record requests. A predecessor company of Ciox Health had charged an average fee of $22.58 for providing copies of health records. A $35.4 million settlement was proposed and Alpharetta, Georgia-based Ciox Health agreed to make the funds available to cover claims submitted by patients.

In January 2018, Ciox Health filed a lawsuit against the HHS to stop HHS enforcement of the HIPAA Right of Access Rule based on the 2016 changes, claiming the HHS updates were “irrational, arbitrary, capricious and absurd.” Ciox argued that the cap was “a $6.50 flat fee that was drawn from thin air and bears no rational relationship to the actual costs associated with processing such requests.”

In January 2020, a federal judge ruled against the HHS, finding that the fee limitations only apply to an individual’s right of access, and not to requests for copies of medical records from third parties, such as attorneys.


Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge

A potential class action lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach has been dismissed by a Federal judge.

The lawsuit was filed in June 2019 in response to an alleged violation of HIPAA Rules related to a data sharing partnership between the University of Chicago Medicine and Google.

In 2017, the University of Chicago Medicine sent the de-identified data of patients to Google as part of an initiative to use medical records to improve predictive analysis of hospitalizations, and by doing so, improve the quality of patient care. The aim of the partnership was to use machine learning techniques to identify when a patient’s health is declining, to allow timely interventions to prevent hospitalization.

The University of Chicago Medicine sent hundreds of thousands of patient records dating from 2009 to 2016 to Google. The data shared with Google was deidentified but contained physicians’ notes and time stamps of dates of service.

The lawsuit was filed by Edelson PC on behalf of lead plaintiff, Matt Dinerstein, a patient of UC Medical Center who had hospital stays on two occasions in 2015.

The lawsuit alleged Mr. Dinerstein’s confidential protected health information was shared with Google without properly de-identifying the data, as free-text notes from doctors and nurses were included in the data along with associated time stamps. That information had come to light following a 2018 research study which confirmed notes and time stamps were included in the data.

The lawsuit alleged the inclusion of that information meant the data shared with Google was not sufficiently de-identified. Since Google already had a substantial store of information, it is possible that patients could be re-identified, which created a privacy risk for all patients whose information was shared with Google.

The lawsuit also alleged the medical records had value to Mr. Dinerstein and had been stolen, although no claim was made that Google had tried to re-identify patients. The lawsuit also claimed Mr. Dinerstein was owed a reasonable royalty for the use of his protected health information.

UC Medical Center and Google filed motions to dismiss the lawsuit on August 3, 2019 claiming all data sent to Google under the partnership had been transmitted via secure channels in a manner compliant with the HIPAA Rules. The motions also stated neither HIPAA nor the Illinois Medical Patient Rights Act include a private right of action.

On September 4, 2020, Federal Judge Rebecca Pallmeyer of the United States District Court Northern District of Illinois Eastern Division, rejected Mr. Dinerstein’s claims and dismissed the lawsuit.

“Even if Mr. Dinerstein has a property interest in medical information, his allegations do not support an inference that the value of that property has been diminished by the University’s or Google’s actions,” said Judge Pallmeyer, who also said that royalties are only appropriate for interference with a property right, and that the plaintiff had failed to establish he had such rights to his PHI. Judge Pallmeyer also said in the ruling that Mr. Dinerstein had failed to adequately demonstrate the alleged privacy breach had caused him economic damage. The plaintiff has the right to file an amended complaint before October 15, 2020.

The ruling will certainly be good news for Google, which is also facing scrutiny of its partnership with Ascension over potential HIPAA violations related to the millions of records Ascension provided to Google in 2019 under “Project Nightingale”.


Konica Minolta Settles EHR False Claims Case for $500,000

Konica Minolta Healthcare Americas Inc. has agreed to pay a $500,000 financial penalty to settle a case against its former subsidiary, Viztek LLC, to resolve False Claims Act violations related to its electronic health record (EHR) product.

The American Recovery and Reinvestment Act of 2009 established the Medicare & Medicaid EHR Incentive Programs to encourage healthcare providers to adopt a certified EHR. Healthcare providers that adopted a certified EHR were entitled to claim incentive payments to offset the cost of purchasing the solution, provided they were able to demonstrate meaningful use of the EHR technology.

Companies that developed and marketed EHR solutions were required to demonstrate that their products met the HHS-adopted criteria and obtain certification for their solutions. According to a Viztek whistleblower, a former product manager at the company, Viztek and Konica Minolta Healthcare had falsified testing results of the Viztek solution, EXA EHR, in 2015 and misrepresented the capabilities of the product. Konica Minolta acquired Viztek in October 2015 during the period when the EHR was being tested.

The whistleblower filed a lawsuit against Viztek and Konica Minolta in December 2017 under the whistleblower provisions of the False Claims Act, alleging that as a result of the falsified testing results, healthcare providers using the solution had submitted false claims to the HHS for EHR incentive payments in 2015 and 2016.

According to the lawsuit, the capabilities of EXA EHR that were necessary to obtain certification had not been built into the product at the time of testing. Viztek attested to EHR testing company Infogard that the product met the HHS-adopted criteria, and hard-coded the software to ensure it passed the certification tests, even though the solution could not support the applicable criteria for its customers.

Infogard was also named as a defendant in the lawsuit. The lawsuit alleged Infogard either knew that EXA EHR did not meet all applicable requirements for certification or recklessly disregarded the fact that it did not meet the required criteria.

Under the whistleblower provisions of the False Claims Act, a whistleblower who brings a civil action on behalf of the U.S. government is entitled to a share of any settlement. The whistleblower in this case is due to receive $100,000 of the settlement amount.


Federal Judge Dismisses Heritage Valley Health System NotPetya Lawsuit Against Nuance Communications

In 2019, Beaver, PA-based Heritage Valley Health System filed a lawsuit against its vendor Nuance Communications over the NotPetya malware attack Nuance suffered in 2017. The lawsuit was recently dismissed by a federal judge for the US District Court of the Western District of Pennsylvania.

The NotPetya attacks occurred a short time after the WannaCry ransomware attacks in 2017 and targeted the same vulnerability in Windows Server Message Block (SMB). NotPetya encrypted the master boot record of infected computers, rendering them unusable. The attacks occurred in July 2017, four months after Microsoft released a patch to fix the SMB vulnerability that was exploited in the attacks.

The cyberattack on Nuance Communications saw 14,800 servers and 26,000 workstations encrypted by NotPetya. The extent of the damage meant 7,600 servers and 9,000 workstations needed to be replaced. Heritage Valley Health System was also affected by the attack, with the investigation revealing the malware had spread to the health system’s computer network via a trusted virtual private network (VPN) connection with Nuance. Once NotPetya was transferred to Heritage Valley, its servers and workstations were also encrypted, preventing the devices from being booted and rendering data inaccessible.

Heritage Valley filed a lawsuit against Nuance alleging the NotPetya cyberattack was the result of negligence and poor security practices and governance oversight. The lawsuit also alleged breach of implied contract and unjust enrichment. The damage to its computer systems forced Heritage Valley to temporarily cancel many of its patient care services for almost a week. The loss of business and damage to computer hardware cost the health system millions.

The attack on Nuance was certainly preventable: had Nuance applied the patch in the four months prior to the attack, infection would not have been possible. The forensic investigation also confirmed that Heritage Valley was infected through Nuance. The lawsuit was nevertheless dismissed because of the contract between Heritage Valley and its vendor. Heritage Valley had signed a contract with vendor Dictaphone Inc. in 2003, and Dictaphone was acquired by Nuance in 2006.

In the lawsuit, Heritage Valley argued “Nuance is liable for any contractual obligations and tort liability arising from the plaintiff’s use of the products acquired from Dictaphone, and Nuance should be held liable for poor security practices and governance oversight as it had a broader duty to prevent the cyberattack.”

Since the acquisition of Dictaphone in 2006, Nuance had acquired more than 50 other companies and had more than 150 subsidiaries. “The sheer number of Nuance’s corporate acquisitions and the reach and pace of its global expansion combined to make meaningful integration of acquired systems and meaningful segmentation of Nuance’s growing global network difficult,” argued Heritage Valley in the lawsuit. “With each acquisition and international expansion, Nuance exposed itself and its customers to increasing cybersecurity risk, all the while Nuance did not have the management or funding in place to sufficiently protect against these risks.”

In its motion to dismiss, Nuance argued that it could not be held liable for negligence because it was not party to the Master System Procurement Agreement between Dictaphone and Heritage Valley in 2003, through which Heritage Valley purchased hardware and software from Dictaphone. The hardware and software were then maintained through a private portal-to-portal network.

The judge accepted Heritage Valley's factual allegations as true, as is required when ruling on a motion to dismiss, but held that the product liability claims against Dictaphone and Nuance failed because the damage was caused by an external actor (the NotPetya attackers), and that Nuance could not be held liable under the 2003 contract, which was signed between Heritage Valley and Dictaphone.

The post Federal Judge Dismisses Heritage Valley Health System NotPetya Lawsuit Against Nuance Communications appeared first on HIPAA Journal.

Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a federal judge for lack of standing.

Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, although it was not possible to rule out a data breach with 100% certainty so notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised.

A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services.

Judge R. Austin Huffaker Jr. stated in his ruling that while the extent and depth of the breach were “murky”, Sarrell had conducted an investigation into the attack and found no evidence that files containing protected health information had been accessed or exfiltrated by the attackers and there was no evidence patient information had been misused in any way.

The lawsuit alleged that the ransomware attack was a direct result of Sarrell's failure to implement reasonable cybersecurity procedures and protocols, that patients' personal and protected health information was now likely in the hands of identity thieves, and that affected patients had consequently had to spend time and money protecting themselves against identity theft and fraud. Judge Huffaker, however, viewed the claims as speculative, since the plaintiffs failed to provide "at least some plausible specific allegation of actual or likely misuse of data."

Since neither the plaintiffs nor the putative class members alleged that they had suffered identity theft or fraud as a result of the ransomware attack, there were insufficient grounds to sue Sarrell over the security breach. "The fact that the breach occurred cannot, in and of itself, be enough, in the absence of any imminent or likely misuse of protected data, to provide plaintiffs with standing to sue," wrote Judge Huffaker. "The plaintiffs fail to allege that they or members of the putative class have suffered actual identity theft. Instead, their pleading speaks of 'possibilities' and traffics in 'maybes'."

The post Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge appeared first on HIPAA Journal.