Legal News

Lawsuit Filed Against Conifer & Tenet Healthcare Over Email Account Breach

A class action lawsuit has been filed against Conifer and Tenet Healthcare over a breach of the protected health information of thousands of individuals. The lawsuit names Conifer Value-Based Care, Conifer Health Solutions, Conifer Revenue Cycle Solutions, and Tenet Healthcare Corporation as defendants. Conifer provides revenue cycle management and value-based care services and all Conifer entities are subsidiaries of, and therefore under the control of, Tenet Healthcare. The lawsuit was filed in the U.S. District Court Northern District of Texas, Dallas Division, on behalf of plaintiff Nicole Kolb, and similarly situated individuals. The plaintiff and class are represented by Joe Kendall of Kendall Law Group, Samuel J. Strauss and Raina Borrelli of Turke & Strauss, and Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman.

The lawsuit was filed in response to a breach of a Microsoft 365-hosted business email account that was detected on April 14, 2022. The investigation concluded the account was compromised on January 20, 2023. The information in the compromised email account included full names, home addresses, dates of birth, medical and treatment information, health insurance information, and billing and claims information, with some individuals also having their Social Security numbers, financial account information, and driver’s license numbers compromised.

The lawsuit alleges the defendants failed to protect highly sensitive data, did not have adequate monitoring measures in place to detect unauthorized account activity, and then delayed sending notification letters for several months. The plaintiff discovered she had been affected by the data breach on September 30, 2022, more than 8 months after the breach occurred and more than 5 months after the breach was detected, then was offered nothing to remedy the ill effects of the data breach. The lawsuit also alleges three violations of the HIPAA Rules – a failure to ensure the confidentiality, integrity, and availability of electronic protected health information, a failure to protect against reasonably anticipated threats to the security of ePHI, and a failure to protect against anticipated uses and disclosures of ePHI not permitted under the HIPAA Privacy Rule.

While the lawsuit was filed in response to a breach at Conifer Value-Based Care – reported to the HHS’ Office for Civil Rights as affecting 20,642 individuals – the lawsuit also states that another Conifer entity, Conifer Revenue Cycle Solutions, experienced a similar breach around the same time, which was reported to the HHS’ Office for Civil Rights as affecting 134,948 individuals, further indicating the failure of the defendants to protect sensitive data.

The lawsuit alleges the plaintiff and class members face imminent and impending injury from the increased risk of identity theft and fraud. The plaintiff has had to spend time dealing with the consequences of the breach, has experienced an increase in spam text and phone calls since the breach, and has spent increased time monitoring her accounts for misuse of her personal data. In addition, the plaintiff suffered diminution of the value of her sensitive data, anxiety, and emotional distress.

The lawsuit alleges negligence, negligence per se, invasion of privacy, unjust enrichment, and violations of the California Confidentiality of Medical Information Act, California Consumer Records Act, and California Unfair Competition Law. The lawsuit seeks class action status, a jury trial, declaratory and other equitable relief, injunctive relief, compensatory, exemplary, punitive damages, and statutory damages, and attorneys’ fees and legal costs.

The post Lawsuit Filed Against Conifer & Tenet Healthcare Over Email Account Breach appeared first on HIPAA Journal.

Insight Global Settles Class Action Data Breach Lawsuit

Insight Global LLC has agreed to settle a class action lawsuit that was filed in response to an April 2021 data breach that exposed the contact tracing data of more than 76,000 Pennsylvania residents.

Insight Global was appointed the administrator of Pennsylvania’s contact tracing program during the pandemic. Performing the contracted duties required Insight Global to collect a range of sensitive information including names, telephone numbers, email addresses, sexual orientation, family size, health data, indications of exposure to COVID-19, and whether individuals required any support services.

Several Insight Global employees created Google accounts to share information, including documents and spreadsheets containing contact tracing data. When the unauthorized accounts were discovered, Insight Global instructed its employees to stop using the accounts and ensure information was secured. The issue with using unauthorized Google accounts was that sensitive data was sent to servers that were outside the control of Insight Global and could potentially be accessed by unauthorized individuals. According to Insight Global’s data breach notice, the information was sent to personal Google accounts and via non-secure channels between September 2020 and April 2021. Insight Global said it discovered the security issue on April 21, 2021.

A lawsuit was filed on behalf of one of the individuals whose data had been exposed, Lisa Chapman, and similarly situated individuals who had their sensitive personal and health information exposed and potentially obtained by unauthorized individuals. The lawsuit named Insight Global and the Pennsylvania Department of Health, although the Department of Health was later dropped from the lawsuit.

The lawsuit claimed Insight Global failed to implement adequate and reasonable security measures to ensure consumers’ protected health information was secured. The lawsuit also alleged Insight Global was aware that its employees were using unsecured data communication and storage methods since at least November 2020, but failed to take action to address the problem until April 2021. The lawsuit also alleged Insight Global failed to issue timely notifications about the data breach and that when notifications were sent, the information included was inadequate. For instance, the notifications did not inform individuals that their information had been accessed by an unauthorized individual.

The lawsuit alleged the plaintiff and class members face an increased risk of identity theft and fraud due to the exposure of their personal and health information and that they have incurred, and will continue to incur, out-of-pocket expenses to protect themselves against identity theft and fraud.

Insight Global chose to settle the lawsuit with no admission of wrongdoing. Under the terms of the settlement, class members will be entitled to receive up to $250 as compensation for out-of-pocket expenses incurred due to the data breach, which includes lost time at $20 per hour. Two years of credit monitoring services will be provided. Claims for documented extraordinary losses will also be accepted up to a maximum of $5,000.

NuLife Med Settles Class Action Data Breach Lawsuit

The Manchester, New Hampshire-based medical equipment company, NuLife Med, has agreed to settle a class action lawsuit that was filed in response to a March 2022 data breach that affected more than 80,000 individuals.

NuLife Med identified suspicious activity within its computer network on March 11, 2022. The forensic investigation revealed hackers had access to its systems between March 9 and March 11, 2022, during which time data was viewed or exfiltrated. The compromised data included names, addresses, medical information, health insurance information, and in some cases, Social Security numbers, driver’s licenses, and financial account/credit card information.

A lawsuit was filed in the US District Court for the Southern District of Florida – Pires, et al. v. NuLife Med LLC – that alleged NuLife Med was negligent for failing to implement appropriate safeguards to keep patient data private and confidential, which allowed a data breach to occur that was entirely preventable. The lawsuit claimed that the plaintiff, Victor Pires, and similarly situated individuals, suffered an injury as a result of the negligence and incurred out-of-pocket expenses dealing with the data breach.

NuLife Med chose to settle the lawsuit to avoid the expense of ongoing litigation and the uncertainty of trial, but admitted no wrongdoing. The total value of the settlement has not been disclosed. Individuals who received a notification letter from NuLife Med about the data breach are entitled to submit a claim if they can provide documented proof of losses and will receive a check for up to $25. Alternatively, class members can elect to receive one year of credit monitoring services instead.

The deadline for submitting a claim is June 20, 2023. The deadline for objection to or exclusion from the settlement is May 16, 2023. The final approval hearing for the settlement has been scheduled for June 5, 2023.

Judge Denies Class Certification in CareFirst Data Breach Lawsuit

A U.S. District Court Judge has denied class certification in a long-running legal battle against CareFirst BlueCross BlueShield over its 2014 data breach that affected 1.1 million plan members. The breach in question was due to a spear phishing attack in April 2014, which allowed unauthorized individuals to access a database that contained the names, birthdates, email addresses, and subscriber ID numbers of around 1.1 million individuals who were registered to use CareFirst’s websites and online services.

The lawsuit was initially filed in 2015 but was dismissed by a lower court in 2016 due to lack of injury, but was resurrected by a federal appeals court in 2017. In 2018, the U.S. Supreme Court declined CareFirst’s request for review and the case was returned to the District Court for the District of Columbia and was allowed to proceed.

The lawsuit alleged CareFirst had failed to implement appropriate security measures and made several errors that allowed hackers to breach its network and access the data of its customers, and as a result of the data breach, class members face an increased risk of fraud and identity theft and have and will continue to have to spend time and money on mitigating measures. The lawsuit alleged breach of contract and violations of consumer protection laws in Maryland and Virginia.

After completing discovery, in August 2022, the plaintiffs sought to certify three classes for each of the three causes of action – a contract class for residents of Washington D.C., Maryland, and Virginia who purchased insurance from the underwriter and who had their information exposed in the breach, and two consumer classes for Maryland and Virginia residents who purchased insurance from CareFirst and were affected by the breach.

District Court Judge, Christopher R. Cooper, determined that the plaintiffs had satisfied the prerequisites for class certification, “but the Court has serious concerns about whether common issues will predominate over individual inquiries in this case. Specifically, in light of the Supreme Court’s recent decision in TransUnion LLC v. Ramirez (2021), which held that a risk of future harm standing alone does not constitute a concrete Article III injury in damages actions.” As such, the motion for class certification was denied.

The proposed class definitions would allow claims to be submitted by all affected CareFirst customers, even though many of those customers took no steps to mitigate their exposure to identity theft or medical fraud and therefore suffered no Article III injury. The injury in this case comes from the costs incurred due to the data breach, not the exposure of data due to the data breach. Judge Cooper said in his ruling that the plaintiffs can file a motion with narrowed class definitions to prevent claims from un-injured class members.

Illinois Gastroenterology Group Settles 2021 Data Breach Lawsuit

Illinois Gastroenterology Group (IGG) has agreed to settle a class action lawsuit that stemmed from a 2021 data breach that exposed the protected health information of 227,943 patients. The data breach was detected by IGG on October 22, 2021; however, it took until November 18, 2021, for the investigation to conclude that unauthorized individuals had accessed its systems and until March 22, 2022, to determine that the protected health information of patients had been compromised. The compromised data included names, addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, financial account information, payment card information, employer-assigned identification numbers, medical information, and biometric data. Notifications were sent to the HHS and affected individuals a month later, on April 22, 2022.

A lawsuit – McNicholas, et al. v. Illinois Gastroenterology Group PLLC – was filed in the Nineteenth Judicial Circuit Court of Lake County, Illinois, that alleged IGG had failed to implement reasonable and appropriate safeguards to protect the privacy and confidentiality of the sensitive data collected and stored. IGG chose to settle the lawsuit with no admission of any wrongdoing to prevent further legal costs and avoid the uncertainty of trial. The total settlement amount was not disclosed.

Under the terms of the settlement, class members are entitled to receive a cash payment of $50 as compensation or a cash payment of $150 if their Social Security numbers or biometric information were compromised. Alternatively, claims may be submitted if damages have been experienced and reimbursement will be provided for documented losses traceable to the data breach up to a maximum of $200 for ordinary losses, three hours of lost time at $25 per hour, and up to $5,000 for extraordinary losses, such as identity theft. All individuals who received a notification from IGG about the data breach are entitled to receive three years of free credit monitoring services, which include a $1 million identity theft insurance policy. IGG has also agreed to implement additional security measures to protect patient data. These measures have either already been implemented and paid for by IGG or will be paid for by IGG separately from other settlement benefits.

The deadline for exclusion from and objection to the settlement is May 17, 2023. The deadline for submitting claims is June 16, 2023. The final approval hearing has been scheduled for June 22, 2023.

Georgia Physician Sentenced to Probation for Unauthorized Medical Record Access

A Georgia physician has avoided jail time for a HIPAA violation as part of a plea deal after illegally accessing medical records and has instead been sentenced to 12 months probation. The physician will also pay a $1,000 fine and court costs.

Dr. Brent Harris works as a family medicine physician in Carroll County, GA, and owns several properties and businesses in the county, including a school. An incident occurred at the school that involved the son of a nurse, Amy Hicks. The nature of the incident at the school was not publicly disclosed but the police were called, and Hicks took her son to the ER after the incident.

Following the incident, Dr. Harris accessed the medical records of the child, even though he was not the child’s physician, and looked specifically for information about the parents, Amy and Brett, in particular, medication and prescription information. Amy Hicks is a nurse with more than 10 years of experience and had previously worked with Dr. Harris in a healthcare setting, and was a former business partner of Dr. Harris.

Dr. Harris used Amy’s prescription information to file an official complaint with the Georgia State Board of Nursing, which resulted in her license being temporarily suspended pending an investigation. The investigation by the Board of Nursing determined the complaint was baseless and her license was reinstated. Initially, Dr. Harris was charged with two counts of computer invasion of privacy, two counts of unlawfully obtaining prescription drug monitoring program (PDMP) information, and one count of negligently using, releasing, or disclosing PDMP information. Under the plea deal, the felony charges were dropped in favor of a single misdemeanor charge.

Dr. Harris’ lawyer stated that the medical records of the child were accessed in good faith and the accessing of the records resulted in no harm. At sentencing, Dr. Harris stated that his actions were never intended to cause any harm, and he apologized and said he was truly sorry for any harm that had been caused.

Rise Interactive Media & Analytics Sued Over Edgepark Medical Supplies Data Breach

A lawsuit has been filed against the digital marketing agency, Rise Interactive Media & Analytics, over a cyberattack in which the protected health information of approximately 54,500 patients of Edgepark Medical Supplies was compromised.

On November 14, 2022, a hacker gained access to Rise’s network and accessed files containing sensitive patient data, including names, email addresses, phone numbers, provider information, diagnoses, expected delivery dates, and health insurance information. Rise discovered Edgepark data had been compromised on December 2, 2022, and the affected individuals were notified about the attack on February 10, 2023.

The lawsuit was filed by the law firm Wolf Haldenstein Adler Freeman & Herz LLC in the U.S. District Court of the Northern District of Illinois Eastern Division on behalf of plaintiff Tiffany Roper and similarly situated individuals. The lawsuit alleges Rise was at fault for the breach due to the failure to implement reasonable security measures to protect consumer data that was provided by Edgepark.

The lawsuit also calls into question why Edgepark provided patient data such as health insurance information to Rise and seeks to establish how that information is relevant to the digital marketing services the company provides to Edgepark, especially since permission must be obtained from patients before disclosing protected health information for marketing purposes. The lawsuit also takes issue with the length of time it took to notify the affected patients about the breach – three months after the intrusion was detected – and with the lack of information in the breach notification letters. The lawsuit claims the notification letters did not explain how the breach occurred, how the information was stolen, and what steps Rise has taken to prevent misuse of patient data.

Shortly after the data breach, in late December 2022 or early January 2023, the plaintiff claims that her information was used to fraudulently fill a prescription using her health insurance, which indicates her data had been rapidly traded on the dark web. She also claims she faces a present and imminent lifetime risk of identity theft and fraud as a result of the data breach.

The lawsuit alleges negligence, unjust enrichment, and invasion of privacy and seeks class action status, a jury trial, damages, legal costs, and injunctive relief, including 16 requirements for Rise to improve security to prevent further cyberattacks and data breaches.

Lawsuits Mount Against DC Health Link Over Breach of Congress Members’ Data

At least two class action lawsuits have been filed against the online health insurance marketplace, DC Health Link, over a recent hacking incident which, according to DC Health Link, affected 56,415 customers. DC Health Link is a public-private healthcare exchange program for residents of Washington D.C. that is operated by the DC Health Benefit Exchange Authority (DCHBX). DC Health Link has approximately 100,000 customers including 11,000 Congressional staff and Members of Congress.

DC Health Link confirmed in a March 6, 2023, statement that Mandiant had been engaged to assist with the investigation and said 56,415 customers had been affected and had some of their personal information accessed or stolen. The compromised information included: name, birth date, gender, health plan information (plan name, carrier name, premium amount, employer contribution, coverage dates), employer information, and enrollee information (name, address, email address, phone number, race, ethnicity, citizenship status). The types of data involved varied from individual to individual.

Affected individuals have been offered three years of credit monitoring protection at no cost, which includes cover for their spouses, dependents, and children. DC Health Link said those monitoring services were being offered to all customers, even if they were not one of the 56,415 individuals known to be affected. DC Health Link did not provide any details on how the breach occurred and said the investigation is ongoing.

On the same day of the announcement, a member of a popular hacking forum with the moniker IntelBroker claimed to have obtained the data of 170,000 individuals in the attack and was offering to sell the stolen data. A sample of the stolen data was published online. Initially, it appeared that the individuals behind the attack were unaware that the data of Congress Members and Congressional staff were in the dataset. However, another user of the hacking forum – Denfur – jointly claimed responsibility for the attack and said U.S. politicians were targeted out of allegiance to Russia and they targeted Washington D.C. services that politicians would use. In a conversation with CyberScoop, Denfur said the data would be released when there was no longer a use for it and said initial access was gained through an open, exposed database.

The lawsuits were filed in the U.S. District Court for the District of Columbia and allege DC Health Link/DCHBX were negligent by failing to secure the sensitive data of customers. Both lawsuits suggest the breach is more extensive than DC Health Link’s statement, with one suggesting up to 506,000 individuals have potentially been affected and the other putting the figure between 56,000 and 107,000 individuals.

One of the lawsuits was filed by Milberg Coleman Bryson Phillips Grossman PLLC on behalf of plaintiff Angelo Meranda against DC Health Link, Mila Kofman, Executive Director of DCHBX, the Executive Board of DCHBX, and Diane C. Lewis, Chairperson of the Executive Board of DCHBX. The other lawsuit named DC Health Link as the sole defendant, and was filed by Gary E. Mason of Mason LLP on behalf of plaintiff Jenni Suhr. The lawsuits seek class action status, monetary damages, and for DCHBX/DC Health Link to make improvements to security to prevent further data breaches.
