Legal News

FBI: Losses to Cybercrime Increased by 49% in 2022 to $10.3 Billion

Posted by HIPAA Journal

The Federal Bureau of Investigation (FBI) has published its 2022 Internet Crime Report, which shows at least $10.3 billion was lost to cybercrime in 2022, up 49% ($3.4 billion) from 2021, despite a 5% reduction in complaints (800,944). Over the past 5 years, the FBI Internet Crime Complaint Center (IC3) has received reports of losses of more than $27.6 billion across 3.26 million complaints to IC3.

FBI data show a 36% year-over-year decrease in ransomware attacks, which fell from 3,729 complaints in 2021 to 2,385 complaints in 2022. Despite this decrease, the FBI says ransomware still poses a significant threat, especially to the healthcare sector which ranked top out of 16 critical infrastructure sectors for ransomware attacks in 2022 and actually saw an increase in complaints. 210 ransomware complaints were filed with IC3 in 2022 by healthcare organizations compared to 148 in 2021. The FBI has observed an increase in double extortion tactics in ransomware attacks, where data are stolen in addition to file encryption and payment is required to obtain the decryption keys and to prevent the publication or sale of stolen data. LockBit was the most prolific ransomware actor with 149 reported attacks, ALPHV/BlackCat was second with 114 attacks, and Hive was 3rd with 87 attacks.

Several cybercriminal groups that have historically used ransomware in their attacks have switched to extortion-only attacks, involving data theft and ransom demands but no file encryption. The FBI’s data shows extortion attacks have remained flat, increasing only slightly from 39,360 complaints in 2021 to 39,416 complaints in 2022.

Phishing remains one of the most common attack vectors, although reported phishing attacks fell by 7% year over year to 300,497 incidents. Even with that decrease, phishing is still the most common crime type in terms of victim count ahead of personal data breaches with 58,859 complaints and non-payment/non-delivery with 51,679 complaints.

Business email compromise (BEC) ranked 9th out of all crime types in terms of complaints but ranked 2nd in terms of reported losses with $2,742,354,049 lost to BEC attacks in 2022. BEC attacks increased 9% year-over-year although losses to the scams were down almost 14.5%. BEC was knocked from the top spot this year by investment scams, which saw $3,311,742,206 in reported losses, up 127% from 2021. The FBI reports an unprecedented increase in crypto investment schemes in 2022 in terms of both victim count and losses.

There was a major increase in tech support scams in 2022, which rose to 3rd place in terms of losses. Tech support scam complaints increased by 36% year-over-year to 32,538 complaints and losses to these scams increased by almost 132% to $806,551,993.

The FBI stressed the importance of reporting instances of cybercrime of any type and confirmed assistance will be provided to try to recover losses. The IC3 Recovery Asset Team (RAT) has a 73% success rate in freezing funds and limiting losses and has frozen $433.30 million in funds out of $590.62 million in reported losses across 2,838 incidents.

The post FBI: Losses to Cybercrime Increased by 49% in 2022 to $10.3 Billion appeared first on HIPAA Journal.

Class Action Lawsuit Filed Against Cardiovascular Associates Over 441K-Record Data Breach

Posted by HIPAA Journal

Cardiovascular Associates in Alabama is facing a class action lawsuit over a recently reported hacking incident in which patients protected health information (PHI) was stolen. The security incident was detected on December 5, 2022, and the forensic investigation determined hackers had access to its network for a week and exfiltrated files containing the PHI of 441,640 individuals, including names, addresses, birth dates, Social Security numbers, driver’s license numbers and health, insurance, and billing/claims information.

The lawsuit was filed on March 15, 2023, by the law firm Milberg Coleman Bryson Phillips Grossman PLLC on behalf of plaintiff, Samuel Lee. The lawsuit alleges Cardiovascular Associates “intentionally, willfully, recklessly, or negligently” failed to implement reasonable and appropriate safeguards to ensure the confidentiality, integrity, and availability of patient information, failed to meet its obligations under the Federal Trade Commission (FTC) Act and HIPAA, and did not implement cybersecurity measures to industry standards, such as those detailed in the NIST Cybersecurity Framework.

The lawsuit claims the plaintiff and other similarly situated individuals have suffered injury as a result of the conduct of Cardiovascular Associates, including invasion of privacy, lost or diminished value of private information, and lost opportunity costs from attempting to mitigate the consequences of the data breach. The plaintiff and class members now face an increased risk of identity theft and fraud as their private information is now in the hand of cybercriminals. As such, they will have to spend time and money protecting their identities, including paying for credit monitoring and identity theft protection services for years to come.

The lawsuit states 10 causes of action: negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, wantonness, intrusion upon seclusion/invasion of privacy, declaratory judgement, and violation of the Alabama Deceptive Practices Act.

The lawsuit seeks class action status, a jury trial, attorneys’ fees, and an award of damages, including actual, statutory, nominal, and consequential damages. The lawsuit also seeks injunctive relief and provides a 17-point list of measures that should be implemented. These include encryption of data, deletion of identifying information unless there is a reasonable justification for retention, the implementation of a comprehensive information security program, independent penetration tests and security audits, third-party automated security monitoring, regular database scanning, annual information security training for employees, and the appointment of a qualified and independent third-party assessor to conduct a SOC 2 Type 2 attestation annually for a period of 10 years.

The post Class Action Lawsuit Filed Against Cardiovascular Associates Over 441K-Record Data Breach appeared first on HIPAA Journal.

Independent Living Systems Sued Over 4 Million-Record Data Breach

Posted by HIPAA Journal

It has only been a few days since the Miami-based healthcare administration and managed care solutions provider, Independent Living Systems (ILS), issued notification letters about a data breach affecting 4,226,508 individuals but a lawsuit has already been filed in response to the data breach.

ILS Identified the breach in July 2022 and determined unauthorized individuals had access to its network between June 30, 2022, and July 5, 2022. During that time they exfiltrated files that contained sensitive patient data, including names, contact information, Social Security number, Medicare/Medicaid IDs, health information, and health insurance information. ILS posted a breach notice on its website in September 2022 but said it was not possible to send notification letters until March 14, 2023, due to time-consuming review and validation processes. Affected individuals were offered complimentary credit monitoring services and security measures have been enhanced to prevent further data breaches.

The lawsuit was filed by Joseph G. Sauder of the law firm Sauder Schelkopf, LLC, in the U.S. District Court for the Southern District of Florida on behalf of plaintiffs Eddie and Herminia Basulto and similarly situated individuals. The lawsuit alleges ILS failed to adequately protect and safeguard patient data, then waited 8 months to issue individual notifications to affected individuals, even though highly sensitive patient data was known to have been compromised.

The lawsuit claims that ILS was aware of the high risk of cyberattacks yet failed to maintain reasonable and appropriate data privacy and security measures and alleges negligence, negligence per se, unjust enrichment, and a violation of the Florida Deceptive and Unfair Trade Practices Act.

The lawsuit claims the plaintiffs and class members have suffered injury and damages including a substantially increased risk of identity theft and medical theft, breach of confidentiality of their personal and health information, deprivation of the value of their personal and health information, and they have lost time and money protecting against identity theft and fraud and will have to continue to invest time and money to protect their identities in the days, weeks, and months to come. The lawsuit seeks class action status, a jury trial, declaratory relief, injunctive relief, monetary damages, statutory damages, punitive damages, equitable relief, and all other relief authorized by law.

The post Independent Living Systems Sued Over 4 Million-Record Data Breach appeared first on HIPAA Journal.

Multiple Lawsuits Filed Against Arkansas Hospitals Over Data Breaches

Posted by HIPAA Journal

Multiple class action lawsuits have been filed against two healthcare providers in Arkansas – Mena Regional Health System (MRHS) and Howard Memorial Hospital – over cyberattacks in which patient data was compromised. The lawsuits are currently pending in the District Courts in Arkansas and were filed in response to two data breaches that were discovered in 2022.

MRHS discovered unauthorized access to its computer systems on November 8, 2022, and determined hackers had exfiltrated files from its systems more than a year earlier on October 30, 2021. The files included the protected health information of 84,814 patients, such as names, birth dates, Social Security numbers, financial account information, health insurance information, and diagnosis and treatment information. Notification letters were sent to affected individuals on November 22, 2022.

Howard Memorial Hospital in Nashville discovered a cyberattack and data breach in early December 2022 and determined hackers had access to its network for more than two weeks between November 14, 2022, and December 4, 2022. During that time, files were exfiltrated that contained a range of sensitive data including names, birth dates, Social Security numbers, health insurance information, medical record numbers, medical histories, and treatment information. Affected individuals were notified about the data breach on December 29, 2022. The breach was reported to the HHS’ Office for Civil Rights as affecting 53,668 individuals.

Several lawsuits have been filed against MRHS in response to the breach, including Cant et al. v. Mena Regional Health System et al (Carney Bates & Pulliam LLC and Lynch Carpenter, LLP), and another filed by Thiago Coelho of the Wilshire Law Firm. The lawsuits against MRHS make similar claims and allege the health system was negligent by failing to implement reasonable and appropriate cybersecurity measures to ensure patient data remained private and confidential. The lawsuits also take issue with the length of time taken to discover the cyberattack and data breach – more than one year. MRHS has already sought to have the lawsuits dismissed and claims they fail to allege any specific cybersecurity failure occurred and presume that there must have been a cybersecurity failure because there was a successful cyberattack, yet they fail to suggest anything that MRHS could have done differently to prevent the cyberattack.

Willbanks et al. v. Howard Memorial Hospital (The Sanford Law Firm) alleges negligence, breach of implied contract, and breach of fiduciary duty and claims the hospital maintained patient data in a careless manner. A lawsuit was also filed against Howard Memorial Hospital by Carney Bates & Pulliam LLC and Lynch Carpenter, LLP, on behalf of plaintiffs Bonita Martin, Bill Roberts, and Pamela Garza that makes similar claims.

According to Arkansas Business, at least 8 lawsuits are pending in the District Courts in Arkansas over these two data breaches. The lawsuits allege the victims of these breaches now face a substantial risk of fraud, identity theft, and other misuses of their personal data. The lawsuits seek class action status, damages, reimbursement of out-of-pocket expenses, injunctive relief, and attorneys’ fees. While the personal and protected health information of patients was stolen in these attacks, both health systems say they are unaware of any actual or attempted misuse of patient data. Lawsuits alleging future risk of identity theft and fraud often do not succeed and fail to get past the initial motions to dismiss.

The post Multiple Lawsuits Filed Against Arkansas Hospitals Over Data Breaches appeared first on HIPAA Journal.

Settlement Agreed with Florida Children’s Health Insurance Website Contractor to Resolve False Claims Act Allegations

Posted by HIPAA Journal

The United States Department of Justice has agreed to settle alleged False Claims Act violations with Jelly Bean Communications Design LLC and manager Jeremy Spinks related to the failure to protect HIPAA-covered data.

Jelly Bean Communications Design is a Tallahassee, FL-based company co-owned by Jeremy Spinks, who is the company’s manager and sole employee. The company provides web hosting functions and services for its clients, one of which was the Florida Healthy Kids Corporation (FHKC). FHKC is a state-created entity that offers health and dental insurance to children in Florida between the ages of 5 and 18. FHKC receives Medicaid funds and state funds for providing health insurance programs for children in Florida.

On July 1, 2012, the Agency for Health Care Administration (AHCA) in Florida contracted with FHKC to provide services for the State Children’s Health Insurance Plan (SCHIP) Program, which included implementing technical safeguards to ensure the confidentiality, integrity, and availability of the electronic protected health information that was received, maintained, or transmitted on behalf of AHCA. FHKC contracted with Jelly Bean Communications Design on October 13, 2013, to provide web design, programming, and hosting services. Under that contract, Jelly Bean Communications Design was required to provide a fully functioning hosting environment that complied with the standards of the HIPAA Security Rule, thus requiring Jelly Bean Communications Design to create appropriate code to ensure the secure communication of HIPAA-protected data. The contract was renewed by FHKC through 2020, with the federal government covering 86% of the payments to Jelly Bean Communications Design.

Between 2013 and 2020, the online application system created by Jelly Bean Communications Design collected data from parents and other individuals that were provided when submitting applications for Medicaid insurance coverage for children. Jelly Bean Communications Design issued invoices to FHKC for its services, which included “HIPAA-compliant hosting” and a monthly retainer fee for hosting and other tasks.

In early December 2020, it became clear that the website had been hacked and unauthorized individuals accessed the application data of more than 500,000 individuals submitted through the HealthyKids.org website. FHKC initiated an investigation that revealed hackers had altered applications allowing data to be stolen. The review of the website found multiple outdated and vulnerable applications and the website had not been patched since November 2013. Further, the website did not maintain audit logs showing who had accessed the personal information of applicants. The types of information compromised included names, dates of birth, email addresses, telephone numbers, addresses, Social Security numbers, financial information, family relationship information, and secondary insurance information. The application portal was shut down by FHKC in December 2020 in response to the cybersecurity failures.

The civil litigation alleged that Jelly Bean Communications Design and Jeremy Spinks failed to follow cybersecurity standards resulting in the exposure of sensitive HIPAA-covered data while submitting false claims that data would be safeguarded, while knowingly failing to properly maintain, patch, and update software systems. While Jelly Bean Communications Design acted as a business associate under HIPAA, the action was taken over violations of the False Claims Act under the Department of Justice’s 2021 Civil Cyber-Fraud Initiative. The Civil Cyber-Fraud Initiative utilizes the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients, and was the result of a coordinated effort by the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section, and the U.S Attorney’s Office for the Middle District of Florida, with assistance provided by HHS-OIG.

The claims were settled by Jelly Bean Communications Design and Jeremy Spinks, who agreed to pay $293,771 to resolve the allegations, of which $130,565.00 is restitution. The settlement was agreed to avoid the delay, uncertainty, inconvenience, and expense of protracted litigation, with no admission of liability or wrongdoing and no concession by the United States that its claims were not well founded.

“Companies have a fundamental responsibility to protect the personal information of their website users. It is unacceptable for an organization to fail to do the due diligence to keep software applications updated and secure and thereby compromise the data of thousands of children,” said Special Agent in Charge Omar Pérez Aybar of the Department of Health and Human Services, Office of Inspector General (HHS-OIG). “HHS-OIG will continue to work with our federal and state partners to ensure that enrollees can rely on their health care providers to safeguard their personal information.”

The post Settlement Agreed with Florida Children’s Health Insurance Website Contractor to Resolve False Claims Act Allegations appeared first on HIPAA Journal.

Lehigh Valley Health Network Sued After Ransomware Gang Publishes Nude Patient Images

Posted by HIPAA Journal

A lawsuit has been filed against Lehigh Valley Health Network (LVHN) over its recent BlackCat ransomware attack. The attack saw files encrypted after data was exfiltrated as is typical in ransomware attacks; however, the attack stood out due to the aggressive move of the threat group to increase the pressure on LVHN to pay the ransom. Naked images of breast cancer patients were published on the group’s data leak site, along with medical questionnaires, passports, and other sensitive patient data such as driver’s license numbers, Social Security numbers, medical diagnosis/treatment information, and lab results.

LVHN held firm and refused to pay the ransom. The Federal Bureau of Investigation (FBI) advises against paying ransoms in ransomware attacks as payment encourages further attacks, there is no guarantee that payment will put an end to the extortion, nor does it guarantee that stolen data will be deleted. The lawsuit claims that LVHN prioritized money over patient privacy by refusing to pay.

The lawsuit was filed in the Court of Common Pleas of Lackawanna County in Pennsylvania on behalf of plaintiff Jane Doe and similarly situated individuals. According to the lawsuit, cancer patients receiving treatment at LVHN were photographed nude, often unbeknownst to the patients themselves, and the naked images were then stored on LVHN’s network. LVHN said the photographs were clinically appropriate. The lawsuit alleges the BlackCat ransomware group issued its ransom demand and notified LVHN that it had obtained the images and would start publishing them on its data leak site if its ransom demand was refused, then proceeded to do that when payment was not made. BlackCat has also threatened to publish further data each week if its ransom demand continues to be refused.

“LVHN needed to act with serious consideration of the consequences that would befall these patients if those images were released on the Internet where they can stay forever,” stated the plaintiff’s attorneys. “LVHN made the knowing, reckless, and willful decision to let the hackers post the nude images of Plaintiff and others on the Internet… rather than act in their patients’ best interest, LVHN put its own financial considerations first.” The lawsuit seeks to hold LVHN to account for the embarrassment and humiliation that it has caused the plaintiff and class members.

In addition to the embarrassment and humiliation caused by the publication of naked images, the plaintiff and class members have also had their sensitive information stolen and published online. The theft and publication of data have put the plaintiff and class at risk of identity theft and fraud, resulting in them incurring out-of-pocket expenses and covering the cost of expensive and time-consuming efforts to mitigate the risk of fraud.

The lawsuit alleges LVHN knew or should have known about the foreseeable and catastrophic consequences of healthcare ransomware attacks and data breaches as multiple alerts had been issued by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Trade Commission, yet LVHN failed to implement appropriate and reasonable measures to protect against ransomware attacks. The lawsuit claims LVHN’s conduct violated nine HIPAA provisions and makes allegations of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, breach of confidence, and publicity given to private life. The lawsuit seeks class action status, a jury trial, and remedies including damages, reimbursement of out-of-pocket- costs, and equitable and injunctive relief, including improvements to LVHN’s data security systems, annual security audits, and the provision of identity theft protection services to the plaintiff and class.

The lawsuit was filed by Simon VB. Harris and Patrick Howard of the law firm Saltz, Mongeluzzi, & Bendesky, P.C.

The post Lehigh Valley Health Network Sued After Ransomware Gang Publishes Nude Patient Images appeared first on HIPAA Journal.

$3 Million Settlement with Blackbaud Resolves SEC Allegations of Misleading Disclosures About Ransomware Attack

Posted by HIPAA Journal

The Securities and Exchange Commission (SEC) has agreed to a $3 million settlement with Blackbaud Inc. to resolve charges that the company issued misleading statements about the impact of its 2020 ransomware attack. Blackbaud is a Charleston, SC-based cloud computing provider that serves the social good community. In May 2020, malicious actors gained access to its self-hosted private cloud environment and used ransomware to encrypt files. The forensic investigation confirmed the hackers gained access to files that included donor information such as names, addresses, phone numbers, email addresses, and birth dates. According to Blackbaud, approximately 13,000 customers were affected.

In July 2020, Blackbaud confirmed that the attack was blocked before the attackers were able to encrypt its systems fully, but not in time to prevent a copy of certain data from being stolen from its cloud environment. Blackbaud paid the ransom to ensure the stolen information was deleted and received proof that the stolen data had been deleted. Blackbaud initially said no financial information or Social Security numbers were exposed; however, Blackbaud later confirmed that a subset of individuals had their bank account information, Social Security numbers, and usernames and passwords exposed.

According to the SEC, Blackbaud publicly announced on July 16, 2020, that bank account information and Social Security numbers were not accessed, but within a few days of those public statements being made, its technology and customer relations staff learned that bank account information and Social Security numbers were in the dataset that was exfiltrated by the attackers. In August 2020, three months after the attack occurred, Blackbaud said in a 10-Q filing that there was only a hypothetical risk that data was stolen in the attack, then confirmed in an 8-K filing in September 2020 that Social Security numbers and bank account information may have been stolen.

Blackbaud did not deliberately issue misleading statements, as technology and customer relations personnel did not communicate the discovery of the theft of financial data and Social Security numbers to the senior management responsible for public disclosures. According to the SEC, Blackbaud failed to maintain disclosure controls and procedures. The SEC determined that Blackbaud had violated sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934, and Rules 12b-20, 13a-13, and 13a-15(a).

“Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.” Blackbaud agreed to settle with the SEC with no admission or denial of the charges and agreed to pay a $3 million civil monetary penalty.

“Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the commission as the company continuously improves its reporting and disclosure policies, said Blackbaud Chief Financial Officer, Tony Boor. “Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape.”

The post $3 Million Settlement with Blackbaud Resolves SEC Allegations of Misleading Disclosures About Ransomware Attack appeared first on HIPAA Journal.

Revenetics Facing Class Action Lawsuit Over Royal Ransomware Attack and Data Breach

Posted by HIPAA Journal

Revenetics is facing a class action lawsuit over its December 2022 cyberattack and data breach that affected more than 250,000 individuals. Revenetics is a revenue cycle management company that provides its software solutions to many healthcare providers. On December 15, 2023, Revenetics detected a system intrusion and confirmed on December 27, 2022, that the attackers exfiltrated files that included names, dates of birth, clinical information, financial information, procedure and service codes, and healthcare provider and health plan names.

The Royal ransomware group claimed responsibility for the attack and issued a ransom demand to prevent the publication of the 16GB of data allegedly stolen in the attack. The Royal ransomware group is known to target healthcare organizations and typically exfiltrates data and then issues ransom demands of between $250,000 and $2 million to prevent the publication of the stolen data. When ransoms are not paid, the group published the stolen data on its data leak site. In February 2023, Royal started to publish Revenetics data on its data leak site.

The law firm Cole & Van recently filed a lawsuit in the U.S. District Court for the District of Colorado on behalf of plaintiff Paula Henderson and similarly affected individuals, alleging Revenetics was negligent for failing to implement adequate and reasonable measures to safeguard the personal and protected health information of patients. As a result of that negligence, the lawsuit claims the plaintiff and class members have suffered injury and harm such as anxiety, emotional distress, loss of privacy, and economic and non-economic losses and that their PHI is now in the hands of criminals, which means they face an imminent and elevated risk of identity theft, fraud, and abuse.

In addition to negligence, the lawsuit alleges a breach of implied contract and a breach of the implied covenant of good faith and fair dealing. The lawsuit seeks class action status, a jury trial, an award of actual, nominal, and consequential damages, equitable relief, and injunctive relief, including a court order requiring Revenetics to encrypt sensitive data, comply with applicable regulations and industry standards for data security, implement and maintain a comprehensive information security program, segment data, conduct regular database and security checks, provide regular security awareness training to employees, submit to third-party security audits, and conduct penetration tests on a regular basis.

The post Revenetics Facing Class Action Lawsuit Over Royal Ransomware Attack and Data Breach appeared first on HIPAA Journal.

Maternal & Family Health Services Sued Over Ransomware Attack and Data Breach

Posted by HIPAA Journal

A lawsuit has been filed against Maternal & Family Health Services (MFHS) in Pennsylvania which alleges the healthcare provider failed to protect patient data and did not send timely breach notifications.

In January 2023, MFHS, one of the largest healthcare providers in the state, notified approximately 461,000 current and former patients about a security breach. According to the notifications, unauthorized individuals gained access to its network and used ransomware to encrypt files. MFHS said the sophisticated ransomware attack was discovered in April 2022. The forensic investigation confirmed the attackers had access to its network between August 2021 and April 2022, during which time they had access to, and potentially stole, patient data such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account/payment card information, medical information, and health insurance information. At the time of issuing notifications, misuse of patient data had not been detected; however, as a precaution, complimentary credit monitoring and identity theft protection services were offered to affected patients.

On March 3, 2023, a lawsuit was filed against the Wilkes-Barre-based healthcare provider in the U.S. District Court for the Middle District of Pennsylvania. The lawsuit alleges negligence, breach of contract, breach of implied contract, breach of fiduciary duty, and breach of confidence. According to the lawsuit, MFHS was negligent by failing to implement reasonable and appropriate safeguards to protect the privacy of patients, then failed to issue timely notifications when the breach was detected.

The lawsuit names Chris Izquierdo of Scranton, PA as the lead plaintiff. Izquierdo, a former patient of MFHS, was notified about the data breach in January 2023 and claims his protected health information was stolen in the attack and has been misused. At least five credit card accounts were opened in his name in Florida since the breach occurred, and charges have been applied to those accounts. Izquierdo claims he has been told he must pay the interest accrued on those cards. The lawsuit also takes issue with the delay in notifications, which were sent almost 9 months after the breach was detected, when the HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a data breach.

The lawsuit seeks damages, injunctive relief requiring MFHS to implement comprehensive cybersecurity measures to better protect patient data, and attorneys’ fees and legal costs. The plaintiff is represented by Gazda Penetar PC and Morgan & Morgan.

The post Maternal & Family Health Services Sued Over Ransomware Attack and Data Breach appeared first on HIPAA Journal.