Legal News

Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack

It is becoming increasingly common for healthcare organizations to face legal action after experiencing a ransomware attack in which patient data is stolen. The Florida Orthopedic Institute, one of the largest orthopedic providers in the state, is one of the latest healthcare providers to face a class action lawsuit over a ransomware attack.

The ransomware attack was detected on April 9, 2020 when staff were prevented from accessing computer systems and data due to the encryption of files. A third-party computer forensics firm was engaged to assist with the investigation and determined on May 6, 2020 that the attackers may have accessed and exfiltrated patient data. A range of sensitive data was potentially compromised including names, dates of birth, Social Security numbers, and health insurance information. Affected patients were notified about the breach on or around June 19, 2020 and were offered complimentary identity theft and credit monitoring services for 12 months. At the time of issuing notifications, no evidence had been found to suggest patient data had been misused.

Attorney John Yanchunis of the law firm Morgan & Morgan recently filed a lawsuit against Florida Orthopedic Institute in Hillsborough County, FL alleging the healthcare provider failed to implement appropriate safeguards to ensure the confidentiality of patient data. He claimed “Certainly, this information was in the hands of cybercriminals and was being used maliciously.”

The lawsuit alleges the healthcare provider was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to maintaining the privacy of its patients and that basic cybersecurity best practices were not followed. In addition to negligence, the lawsuit alleges invasion of privacy, breach of fiduciary duty, breach of implied contract, unjust enrichment and violation of Florida’s Deceptive and Unfair Trade Practices Act.

While patients were offered complimentary identity theft protection services, Yanchunis claims that 12 months of coverage is not nearly enough to protect victims, since affected individuals now face an elevated risk of financial harm as a result of the breach for many years to come.

The lawsuit seeks extended credit monitoring for breach victims and at least $99 million in damages on behalf of the current and former patients.

The incident has yet to appear on the breach portal maintained by the HHS’ Office for Civil Rights so it is currently unclear how many patients have been affected by the attack. According to the lawsuit, at least 100,000 patients were affected and potentially more than 150,000.

Other recent ransomware attacks that have resulted in lawsuits include the attack on DCH Health System and BST & Co CPAs LLC. Grays Harbor Community Hospital recently proposed a $185,000 settlement to resolve a potential class action lawsuit filed on behalf of a victim of the breach.

The post Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack appeared first on HIPAA Journal.

The California Consumer Privacy Act is Now Being Enforced

On July 1, 2020, enforcement of the California Consumer Privacy Act (CCPA) of 2018 began. The CCPA took effect on January 1, 2020 and all companies covered by the Act were given a 6 month grace period before compliance with the CCPA would be enforced, although compliance with the provisions of the Act has been mandatory since January 1, 2020.

The grace period has now elapsed. California Attorney General Xavier Becerra confirmed there will be no delay to enforcement, even though dozens of requests were made by companies and trade associations asking for the grace period to be extended for a further 6 months due to the 2019 Novel Coronavirus pandemic. The requests were acknowledged but no extension was given.

“Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” said Attorney General Becerra in a statement to Forbes. “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

Now that the CCPA has teeth, any violation of the CCPA from July 1, 2020 can attract a financial penalty of up to $7,500 per violation. If a company is believed to be in violation of the CCPA, a warning will be issued, and the company will be given 30 days to correct the violation or financial penalties and lawsuits may follow.

The CCPA introduced a swathe of new privacy protections for California consumers and many individuals outside of California, mirroring several of the rights introduced by the EU’s General Data Protection Regulation (GDPR). The CCPA applies to all companies that have over $25 million in annual revenue, companies that collect the personal information of more than 50,000 consumers, households, or devices, and any business that derives more than 50% of its annual revenue from selling the personal information of consumers.

The CCPA gives consumers in the state of California the right to know what personal information companies are collecting and the purpose for which data is being collected. No other personal data can be collected other than the data types covered by the consent given by consumers.

Companies covered by the act must have a banner on their website informing consumers about their rights, which includes the right to opt out and not have their personal data collected. Consumers can request all personal information collected by a company be deleted and companies must have a process in place to delete personal information if such a request is received.

The CCPA prohibits the sale of the personal information of minors under the age of 16 without their permission, and the sale of the personal information of minors under the age of 13 is only permitted with parental consent. The CCPA also prohibits companies from discriminating against consumers who choose to exercise their rights under the CCPA.

There is also a private cause of action, so consumers can take legal action against companies over breaches of their unredacted, unencrypted personal information and can claim between $100 and $750.


$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit

A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data.

The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court.

The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the virus that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months.

A ransom of $1 million was demanded by the attackers for the keys to decrypt the data. Grays Harbor had an insurance policy that provided cover of up to $1 million, although it is unclear whether that insurance policy paid out and if the ransom was paid. Regardless, it was not possible to recover all data encrypted in the attack and some patients’ protected health information was not recovered.

The lawsuit alleged violations of the Washington State Consumer Privacy Act, the Washington State Uniform Healthcare Information Act, and the state Constitution’s Right to Privacy; that Grays Harbor Community Hospital and Harbor Medical Group were negligent for failing to protect the privacy of patients; breach of express contract; breach of implied contract; and intrusion upon seclusion/invasion of privacy.

Grays Harbor Community Hospital and Harbor Medical Group agreed to the settlement with no admission of liability. All claims stated in the lawsuit have been denied.

Grays Harbor Community Hospital and Harbor Medical Group proposed a settlement of $185,000 to cover the claims of the 88,000 patients affected by the ransomware attack. Affected patients can submit claims up to a maximum of $210 per person to cover out-of-pocket monetary losses incurred as a result of the breach and up to three hours of documented lost time dealing with the fallout from the breach at a rate of $15 per hour.

Claims up to $2,500 will also be accepted to cover provable other losses incurred that were more likely than not due to the ransomware attack. All available credit monitoring insurance and identity theft insurance must be exhausted before Grays Harbor is responsible for any larger payouts. If the claims exceed $185,000 they will be paid pro rata to reduce costs.

Class members have until July 27, 2020 to exclude themselves from the settlement or submit an objection. A fairness hearing has been scheduled for August 31, 2020. To receive a share of the settlement fund, a claim must be submitted by December 23, 2020.

Following the ransomware attack, steps were taken to improve security and more than $300,000 has been invested in information security. A further $60,000 will be spent on security improvements over the next three years.

This is the second data breach settlement to be announced this week. A settlement was also proposed by UnityPoint Health to resolve a lawsuit filed by victims of two 2018 phishing-related data breaches. That settlement will see UnityPoint Health make a minimum of $2.8 million available to cover claims and, very unusually, no cap has been placed on claims payments, so the final settlement amount could be substantial.


UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed.

The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees of its Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018.

The second phishing attack was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018. The attackers had access to the email accounts for almost a month before the breach was detected and the email accounts were secured. Notification letters were sent to affected individuals in August 2018.

A lawsuit was filed soon after the announcement about the breach was made. The lawsuit alleged UnityPoint Health mishandled the breach and misrepresented the nature, breadth, scope, harm, and cost of the breach. It was alleged that UnityPoint Health did not notify affected individuals within the 60-day time frame demanded by the HIPAA Breach Notification Rule and when notifications were issued, patients were not informed that their Social Security numbers had been exposed.

In the breach notification letters UnityPoint Health explained that no evidence was found to suggest the protected health information exposed in the attack was or will be used for unintended purposes, suggesting affected patients were not placed at risk. UnityPoint Health also failed to offer breach victims credit monitoring or identity theft protection services, even though Social Security numbers and driver’s license numbers had been exposed.

UnityPoint Health attempted to have the lawsuit dismissed and was partially successful. In July 2019, a US District Court Judge dismissed some of the claims in the lawsuit, although other claims were allowed to proceed. The judge ruled that the plaintiffs alleged facts sufficient to establish there was an objectively reasonable likelihood of future identity theft.

A settlement was proposed on June 26, 2020 to resolve the lawsuit and will provide victims with monetary and injunctive relief. Under the terms of the proposed settlement, UnityPoint Health has agreed to make a minimum of $2.8 million available to class members to cover claims. Each affected individual can submit a claim of up to $1,000 to cover documented ordinary out-of-pocket expenses such as credit monitoring and identity theft protection services, and up to 3 hours in lost time charged at $15 per hour.

A claim of up to $6,000 can be made per person to cover extraordinary expenses, which includes documented out-of-pocket expenses and up to 10 hours per person at $15 per hour for time lost arranging credit monitoring services, credit freezes, and other actions taken as a result of the breach. In contrast to most data breach settlements, UnityPoint Health has not placed a cap on extraordinary expenses claims, so UnityPoint Health will cover actual losses if breach victims submit a valid claim. All victims will also be entitled to a year’s membership to credit monitoring and identity theft protection services and will be protected by a $1 million insurance policy against identity theft. The credit monitoring services and insurance policy are estimated to cost around $200 per class member.

The four breach victims named in the lawsuit will also be entitled to claim an additional $2,500 per person. The full costs of notice and claims administration and attorney fees will be paid by UnityPoint Health up to a maximum value of $1.58 million.

UnityPoint Health has also agreed to make improvements to network and data security and will undergo an annual audit by a third-party security firm to ensure that security measures are adequate, and the healthcare provider is complying with its security policies.

Given the lack of a cap on claims, this could turn out to be one of the largest ever healthcare data breach settlements. The settlement will now need to be approved by a judge and could be finalized by the end of the year.


NY District Court Kicks Data Breach Lawsuit Against Episcopal Health Services Back to State Court

A lawsuit filed by patients of Uniondale, N.Y.-based Episcopal Health Services Inc., whose personal and protected health information was compromised in a phishing attack in 2018, has been kicked back to the New York State Supreme Court for further proceedings.

The lawsuit alleged that Episcopal Health Services had failed to protect the private information of its patients from unauthorized disclosures. As a result of those failures, Episcopal Health Services suffered a breach of some of its employee email accounts between August 28, 2018 and October 5, 2018. The email accounts contained a range of sensitive data including patients’ names, addresses, dates of birth, Social Security numbers, and financial information.

The lawsuit named three plaintiffs who were patients of St. John’s Episcopal Hospital. They claimed injuries had been suffered as a direct result of the disclosure of their confidential information. The lawsuit referenced the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission (FTC) Act, with the plaintiffs claiming Episcopal Health Services had violated those laws. The plaintiffs also alleged a breach of fiduciary duty, a breach of implied contract, a delay in issuing notifications about the breach, and negligence with respect to the hiring and training of its employees.

Episcopal Health Services removed the case from the New York State Supreme Court, alleging the claims fell under HIPAA and the FTC Act, which are federal laws. The defendant also sought to have the lawsuit dismissed for lack of standing and failure to state a claim.

The lawsuit was kicked up to the U.S. District Court for the Eastern District of New York, which recently ruled that the lawsuit did not raise any questions of federal law. While HIPAA and the FTC Act were referenced in the lawsuit, the claims were not based on HIPAA or FTC Act violations; instead they were common law causes of action. There is no private cause of action in either HIPAA or the FTC Act. Actions can only be taken over violations of HIPAA by the Department of Health and Human Services or State Attorneys General, while the FTC Act can only be enforced by the Federal Trade Commission.

District Court Judge Dora L. Irizarry ruled that the District Court did not have the authority to preside over the case, so the case was sent back to the New York State Supreme Court for further proceedings. No ruling was made on Episcopal Health Services’ motion to dismiss the lawsuit.


Hacker Arrested and Charged Over 2014 UPMC Cyberattack

The United States Attorney’s Office of the Western District of Pennsylvania has announced that a suspect has been arrested and charged over the 2014 hacking of the human resources databases of University of Pennsylvania Medical Center (UPMC).

UPMC owns 40 hospitals and around 700 outpatient sites and doctors’ offices and employs over 90,000 individuals. In January 2014, UPMC discovered a hacker had gained access to an Oracle PeopleSoft database on a human resources server that contained the personally identifiable information (PII) of 65,000 UPMC employees. Data was stolen in the attack and was allegedly offered for sale on the darknet. The stolen data included names, addresses, dates of birth, salary and tax information, and Social Security numbers.

The suspect has been named as Justin Sean Johnson, a 29-year old man from Michigan who previously worked as an IT specialist at the Federal Emergency Management Agency.

Johnson, who operated under the monikers TDS and DS, was indicted on 43 counts on May 20, 2020: one count of conspiracy, 37 counts of wire fraud, and 5 counts of aggravated identity theft. Johnson is alleged to have hacked into the database, exfiltrated PII, and sold the stolen data on darknet marketplaces such as AlphaBay Market to multiple worldwide buyers. Prosecutors also allege that in addition to selling the PII of UPMC employees, between 2014 and 2017 Johnson sold other PII on darknet forums.

The PII stolen from UPMC was subsequently used in a massive campaign to defraud UPMC employees. Hundreds of fraudulent tax returns were filed in the names of UPMC employees, which prosecutors say resulted in around $1.7 million in false refunds being issued. Those refunds were converted into Amazon gift cards that were used to obtain around $885,000 in goods, which were mostly shipped to Venezuela to be sold in online marketplaces.

Two other people were charged in connection with the hacking of UPMC. In 2017, Venezuelan national, Maritza Maxima Soler Nodarse, pleaded guilty to conspiracy to defraud the United States and was involved in filing fraudulent tax returns. A Cuban national, Yoandy Perez Llanes, pleaded guilty to money laundering and aggravated identity theft in 2017. Maritza Maxima Soler Nodarse was sentenced to time served and was deported and Yoandy Perez Llanes will be sentenced in August 2020.

The breach investigation revealed access to the Oracle PeopleSoft database was first gained on December 1, 2023. After gaining access to the database, a test query was performed and the data of approximately 23,500 individuals was accessed. Between January 21, 2014 and February 14, 2014, the database was accessed on multiple occasions each day and the data of tens of thousands of UPMC employees was stolen.

Johnson faces a long prison term if found guilty of the crimes. The conspiracy charge carries a maximum prison term of 5 years and a fine of up to $250,000. The wire fraud charges carry a maximum prison term of 20 years and a fine of up to $250,000 for each count, and there will be a mandatory 2-year prison term for aggravated identity theft and a fine of up to $250,000 for each count.

“The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit,” said Timothy Burke, Special Agent in Charge, U.S. Secret Service, Pittsburgh Field Office.

“Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes,” said U.S. Attorney Brady.


New York Accounting Firm Facing Class Action Lawsuit Over Maze Ransomware Attack

Patients whose protected health information was stolen in a manual ransomware attack on the New York accounting firm BST & Co. CPAs LLC in late 2019 have taken legal action against the company.

The lawsuit alleges BST & Co. was negligent for failing to take appropriate and reasonable steps to prevent the attack and did not provide prompt and accurate notice to affected patients. The lawsuit also alleges the company breached its fiduciary duty to protect sensitive patient information and violated state laws related to deceptive business practices.

The ransomware attack was discovered by BST on December 7, 2019. The attack involved Maze ransomware and, prior to file encryption, the gang exfiltrated a range of data from the company and threatened to publish the data if the ransom was not paid. The gang then followed through with the threat and published sensitive data on its website when payment was not made.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, the PHI of 170,000 individuals was potentially compromised in the attack, many of whom were patients of Community Care Physicians. Even though patient data had been published online where it could be accessed by anyone, BST waited until February 14, 2020 to send notification letters to patients.

The lawsuit was filed in New York’s supreme court on May 27, 2020 and class action status is being sought. The lawsuit alleges BST & Co. “intentionally, willfully, recklessly, or negligently failed to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions,” and states its computer systems and security practices were not adequately robust.

The lawsuit also alleges BST and its staff were not properly monitoring the computer network and systems that contained sensitive patient information. Had they been, the attack would have been identified sooner. The lawsuit claims that as a result of the failures of the company, patient data is now in the hands of data thieves and patients’ identities are now at risk.

The lawsuit seeks compensatory damages, reimbursement for out-of-pocket-expenses, the provision of adequate credit monitoring services, and calls for improvements to be made to the company’s security systems to ensure further breaches are prevented in the future.


Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year.

Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks.

Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to suggest patient information was stolen in the attack, but it was not possible to rule out the possibility that the attackers exfiltrated email data before they were shut out of the email accounts.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires patients affected by data breaches to be notified about the exposure of their PHI without unnecessary delay and no later than 60 days after the discovery of a breach. The Department of Health and Human Services’ Office for Civil Rights must also be notified about a breach within 60 days.

Aveanna Healthcare delayed issuing breach notifications to patients until this year and reported the breach to the HHS’ Office for Civil Rights on February 14, 2020, more than 5 months after the breach was discovered.

More than 100 patients affected by the breach have so far been included in the lawsuit. They allege that Aveanna Healthcare failed to issue timely notifications, and when those notifications were eventually sent, they failed to explain what types of information had been compromised. Aveanna Healthcare is alleged to have maintained the private personal and healthcare data of patients “in a reckless manner” and information stored in its systems was vulnerable to attack as a result.

The lawsuit states that Aveanna Healthcare was aware that patient data was at risk yet failed to take adequate steps to secure patient data. The plaintiffs also allege Aveanna Healthcare was not properly monitoring computer systems that contained patient data. If those systems were being monitored, it would not have taken 6 weeks for the data breach to be identified.

The plaintiffs claim they now face an elevated risk of identity theft and fraud as their sensitive data is now in the hands of data thieves. The lawsuit seeks nominal and compensatory damages for patients affected by the breach, reimbursement of out-of-pocket expenses, and injunctive relief.


New Washington D.C. Data Breach Notification Law Takes Effect

On May 19, 2020, legislative changes to the Washington D.C. data breach notification law took effect. The changes were introduced in March and significantly updated existing breach notification requirements. There has been a major expansion of data classified as personal information that warrants breach notifications if subjected to unauthorized access and new data security requirements have been introduced.

Prior to the change, notifications were required if personal information such as names, phone numbers, and addresses were exposed in combination with a Social Security number, driver’s license number, DC ID card, or credit/debit card number, or if numbers and codes were breached that allowed credit or finance accounts to be accessed.

The change has seen several other data elements added to the list. Breach notifications are now required if any of the following data is breached, even in the absence of a name if the data could be used for identity theft:

  • Medical information
  • Health insurance information
  • Genetic data and DNA profiles
  • Biometric information
  • Passport numbers
  • Usernames or email addresses in combination with a password or security questions and answers that would allow the account to be accessed
  • Taxpayer ID numbers
  • Military ID numbers
  • Other unique government-issued ID numbers

The D.C. Attorney General’s office must be notified in the event of a breach involving the data of more than 50 D.C. residents, and notifications must be issued without unreasonable delay in the most expedient manner possible. As is the case in states such as California, there are now content requirements for breach notifications.

It is also now mandatory for the breached entity to offer a minimum of 18 months of complimentary identity theft protection services to breach victims if a Social Security number or taxpayer ID number has been breached.

The update also calls for all businesses that collect, maintain, or process the personal information of D.C. residents to implement and maintain reasonable safeguards to secure personal information. The policies, procedures, and practices should reflect the nature and size of the entity. In cases where the entity works with third-party service providers, they must enter into a service agreement with the covered entity confirming they too will implement reasonable safeguards to ensure the confidentiality, integrity, and availability of personal information provided to them.

Breach notifications are not required if encrypted data is breached unless it can be decrypted, nor if the breached entity determines, in conjunction with the D.C. Attorney General, that there is a low risk of harm.

HIPAA-covered entities in compliance with the HIPAA Breach Notification Rule are deemed to be compliant with the breach notification requirements of the updated law but are still required to notify the D.C. Attorney General about a data breach. The same applies to entities that are subject to and compliant with GLBA.
