Four Californian medical groups have been named in a class action lawsuit that alleges a failure to implement reasonable and appropriate cybersecurity measures, resulting in a cyberattack and data breach involving the personal and protected health information of 3,300,638 current and former patients. The lawsuit names Regal Medical Group Inc., Lakeside Medical Organization, A Medical Group Inc., Affiliated Doctors of Orange County Medical Group, Inc., and Greater Covina Medical Group, Inc., and claims the cyberattack and data breach were foreseeable and could – and should – have been prevented.

The cyberattack in question occurred on December 1, 2022. Hackers gained access to the medical groups’ IT systems, preventing access to certain servers on December 2, 2022. The cyberattack was detected on December 8, 2022, by which time the hackers had access to a huge amount of sensitive patient data, including full names, contact information, Social Security numbers, diagnoses, treatment information, medications, lab test results, radiology reports, and health insurance information.  Affected individuals were notified about the data breach in February 2023 and were offered complimentary credit monitoring services.

In addition to failing to prevent the breach, the lawsuit alleges IT systems were not being monitored, and that if they were, the attack could have been detected and stopped more quickly. The lawsuit also alleges the medical groups failed to issue timely notifications, waiting almost two months after the breach was discovered to send notification letters to victims, and then failed to disclose important information,  such as for how long hackers had access to their data. The lawsuit claims the delay in issuing notifications meant cybercriminals had plenty of time to monetize and misuse the data before the victims knew they should take steps to protect their identities.

It is common for lawsuits to be filed after healthcare data breaches and oftentimes lawsuits are filed before there has been any misuse of the stolen data. In this case, two of the plaintiffs allege attempts were made to misuse their information soon after the data breach. One plaintiff claimed multiple fraudulent charges were attempted on her credit card and another claimed there was an attempt to register a new credit card in her name and that she had received a fraud alert informing her that her Social Security number had been compromised. The attempted fraudulent activity occurred between December 2022 and February 2023, before being informed by the defendants about the data breach. The lawsuit alleges the plaintiffs and class members now face a lifelong risk of identity theft, medical identity theft, and fraud as a result of the cyberattack and data breach.

The lawsuit alleges negligence, negligence per se, breach of implied contract, intrusion upon seclusion, unjust enrichment, violations of the California Confidentiality of Medical Information Act, California Consumer Privacy Act, California Consumer Records Act, and California Unfair Competition Law, and violations of state data breach statutes. The lawsuit seeks class action status, a jury trial, compensatory, consequential, and general damages, statutory, punitive, and exemplary damages, and legal fees.

The lawsuit names Shannon Masser Downs, M.B (a minor), and Maria Hinestrosa as plaintiffs. The plaintiffs are represented by Jonathan M. Rotter and Pavithra Rajesh of Glancy Prongay & Murry LLP and Daniel O. Herrera and Nickolas J. Hagman of Cafferty Clobes Meriwether & Sprengel LLP.

The post Four Californian Medical Groups Sued over Data Breach Affecting 3.3 Million Patients appeared first on HIPAA Journal.

The Department of Justice has announced one of its first prosecutions under the Medicare Access and CHIP Reauthorization Act of 2015 in a case involving the theft and sale of Medicare Beneficiary Identifiers.

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) required the Centers for Medicare and Medicaid Services (CMS) to remove Social Security numbers from all Medicare cards as part of an effort to prevent fraud, combat identity theft, and safeguard taxpayer dollars and replace them with Medicare Beneficiary Identifiers. MACRA also made it illegal to buy, sell, or distribute Medicare Beneficiary Identifiers without proper authority.

In contrast to Social Security numbers, Medicare Beneficiary Identifiers cannot, by themselves, be used for identity theft; however, they can be used for medical identity theft. The recent prosecution of a Florida man shows these unique identifiers are being targeted and sold on the black market.

Charles William McElwee, 36, from South Florida, is a marketer and CEO of Lead Junkies LLC. McElwee was arrested on suspicion of involvement in a scheme to defraud Medicare and recently pled guilty to conspiring to buy and sell the Medicare Beneficiary Identifiers and other personally identifiable information of more than 2.6 million Medicare recipients in a $310,000 Medicare fraud scheme.

AS part of the plea deal, McElwee pled guilty to one count of conspiring to violate MACRA and admitted that he and his co-conspirators used data mining and social engineering techniques to obtain Medicare Beneficiary Identifiers and other personal information that was subsequently advertised and sold online. The information obtained and trafficked included beneficiary names, addresses, dates of birth, Social Security numbers, and Medicare beneficiary identification numbers. Some of the co-conspirators included foreign actors, including individuals in the Philippines.

The case was investigated by the HHS-OIG in Miami, the FBI Miami field office, and was prosecuted by Assistant U.S. Attorney Jon Juenger. McElwee is due to be sentenced on April 7, 2023, and faces up to five years in federal prison.

The post Florida Man Pleads Guilty in Medicare Beneficiary Identifier Trafficking Case appeared first on HIPAA Journal.

AssistCare Home Health Services has agreed to settle a class action lawsuit, filed on behalf of individuals affected by a cyberattack and data breach in January 2021. In March 2021, AssistCare Home Health Services, which does business as Preferred Home Care of New York, notified more than 92,000 patients that their protected health information had been exposed in a cyberattack. Unauthorized individuals gained access to its network between January 8 and January 10, 2021, and exfiltrated files containing patient data.  The attack was conducted by the Sodinokibi ransomware group, which published some of the stolen data on its data leak site. The compromised data included names, personal information, health information, and Social Security numbers.

A class action lawsuit – Simmons v. AssistCare Home Health Services LLC, was filed in the New York Superior Court for Kings County covering the 92,283 individuals that were notified about the data breach. The lawsuit alleged negligence for failing to implement reasonable cybersecurity measures to protect against a known risk of ransomware attacks on the sector, and that as a result of that negligence, victims were placed at an imminent and elevated risk of identity theft and fraud.

AssistCare Home Health Services chose to settle the lawsuit with no admission of wrongdoing and has agreed to accept claims from class members up to a maximum of $3,900 per claimant. The total value of the settlement was not disclosed. Claims will be accepted up to $400 for compensation for ordinary losses such as bank fees, communication charges, and credit-related costs, and up to 4 hours of lost time at $20 per hour. Claims will also be accepted up to a maximum of $3,500 per claimant to cover documented, extraordinary losses that have not already been reimbursed, such as losses to fraud and identity theft. Regardless of if a claim is submitted, class members are eligible to receive one year of three-bureau credit monitoring services.

Class members have until April 24, 2023, to object to or exclude themselves from the settlement and submit claims for reimbursement of losses. The fairness hearing has been scheduled for June 27, 2023.

The post Settlement Reached in Preferred Home Care Data Breach Lawsuit appeared first on HIPAA Journal.

The Albuquerque, NM-based health insurance provider, True Health New Mexico, has proposed a settlement to resolve claims related to a 2021 data breach that affected 62,983 members of its health plans.

True Health New Mexico identified a security breach on October 5, 2021, with the investigation confirming that an unauthorized third party had gained access to its network and used ransomware to encrypt files. During the period of access, files were potentially viewed and exfiltrated that contained plan member data such as names, dates of birth, ages, home addresses, email addresses, insurance information, medical information, Social Security numbers, health account member IDs, provider information, and date(s) of service. No evidence of misuse of plan member data was identified at the time of issuing notification letters; however, as a precaution against identity theft and fraud, complimentary credit monitoring and identity theft protection services were offered to affected individuals.

Several lawsuits were filed soon after notifications were sent alleging the health plan provider was negligent for failing to take appropriate care to protect sensitive customer and employee data. The lawsuits also alleged negligence per se, invasion of privacy by intrusion, breach of express contract, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violations of the New Mexico Unfair Practices Act.

The lawsuits sought reimbursement of out-of-pocket expenses, recovery of losses to identity theft and fraud, and True Health New Mexico to ensure that security is improved to prevent further data breaches. True Health New Mexico proposed the settlement to resolve claims related to these lawsuits with no admission of wrongdoing. Claims will be accepted from individuals who received notifications about the data breach and were represented in three class action lawsuits, McCullough, et al. v. True Health New Mexico Inc., Clement, et al. v. True Health New Mexico Inc., and Shanks, et al. v. True Health New Mexico Inc., all of which were filed in the 2nd District Court of the State of New Mexico. The three lawsuits were consolidated into a single class action lawsuit on March 21, 2022.

Under the terms of the proposed settlement, claims will be accepted up to a maximum of $5,250 per individual. Up to $250 can be claimed as reimbursement for ordinary expenses related to the data breach, such as bank fees, credit monitoring costs, and communication charges, as well as up to 5 hours of lost time at $20 per hour. Claims will also be accepted for documented extraordinary losses up to a maximum of $5,000, which can include losses to identity theft and fraud that can be reasonably traced to the data breach, as well as up to 3 hours of additional time at $20 per hour. The settlement also includes attorneys fees and awards of up to $1,500 for named plaintiffs and an additional 2 years of three-bureau credit monitoring services and identity theft insurance, provided by Equifax, from the date of the settlement.

True Health New Mexico has also agreed to improve security, which includes maintaining a written information security policy, providing cybersecurity training to the workforce, implementing a password policy, multi-factor authentication, and an endpoint detection and response solution; however, the settlement includes a clause that allows the health plan provider to escape the obligation to improve security. “In the event True Health discontinues operations, True Health will have no obligation to continue these equitable measures.”

True Health New Mexico, a wholly owned subsidiary of Bright Health, has already stopped providing health plans to New Mexico residents and will only provide coverage to existing health plan members until June 30, 2023, as Bright Health has decided to focus on markets where it will have the greatest impact.

The deadline for objection to or exclusion from the settlement is April 14, 2023. Claims must be submitted no later than August 14, 2023. The final fairness hearing has been scheduled for May 10, 2023.

The post True Health New Mexico Proposes Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Several class action lawsuits have been filed against Regal Medical Group and affiliated healthcare providers following the February 1, 2023, announcement that the protected health information (PHI) of up to 3,300,638 individuals had potentially been stolen in a December 2022 ransomware attack.

The attack affected Regal Medical Group, the Heritage Provider Network, and several affiliated healthcare providers, including Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., Greater Covina Medical Group Inc., and Affiliated Doctors of Orange County. The attack was detected on December 2, when employees started experiencing difficulty accessing data.

The forensic investigation revealed the attack started on or before December 1, with sensitive data exfiltrated from its servers on December 1. The stolen files included PHI such as names, phone numbers, addresses, dates of birth, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and Social Security numbers. Affected individuals were offered a 12-month membership to a credit monitoring service.

It is now common for multiple lawsuits to be filed after healthcare data breaches, so it is no surprise that so many lawsuits have been filed after an attack of this magnitude. One of the biggest concerns raised in the lawsuits was how the attackers were able to gain access to so much data, much of which was highly sensitive and could be misused in many different ways. The lawsuits were filed in the California superior state court and federal court, and each makes similar claims against Regal Medical Group and the Heritage Provider Network, including negligence, negligence per se, breach of implied contract, unjust enrichment, and unfair business practices. The lawsuits allege violations of the California Consumer Privacy Act of 2018, the California Confidentiality of Medical Information Act, Unfair Competition Law, the FTC Act, and the Health Insurance Portability and Accountability Act.

The lawsuits also take issue with the time taken to issue notifications about the breach, which started to be issued on February 1, 2022, when the data breach occurred on December 1, 2022. While the notifications were issued within the time frame allowed by the HIPAA Breach Notification Rule, that Rule also states that notifications should be issued without undue delay. One of the lawsuits also takes issue with the information provided in the notifications, which failed to provide full information on the nature of the breach, such as for how long the attackers had access to the stolen data.

One of the lawsuits, Timothy Head vs. Regal Medical Group Inc, Heritage Provider Network Inc. (Cole & Van Note), claims the defendants intentionally, willfully, recklessly, or negligently failed to take and implement adequate and reasonable measures to ensure that representative plaintiff(s)’ and class members PHI/PII was safeguarded,” also claims the defendants were negligent for failing to encrypt data.

Sam Abedi And Farnaz Doroodian v. Heritage Provider Network, Inc. and Regal Medical Group, Inc. (Zimmerman Reed LLP/ The Johnson Firm) and David Rodriguez v. Regal Medical Group (Wucetich & Korovilas LLP) make similar claims, including the defendants were well aware of the high prevalence of data breaches and had the resources available to protect data but failed to invest sufficiently in data security, the remediation of vulnerabilities, staff training, and testing security controls.

Lynn Austin vs. Regal Medical Group, Inc. (Parker & Minnie, LLP & Mason LLP) claims the plaintiffs have suffered actual and concrete injury, including out-of-pocket expenses, loss of valuable rights and protections, heightened stress, fear, anxiety, and risk of future invasions of privacy, and mental and emotional distress.

The lawsuits seek class action certification, a jury trial, actual and punitive damages, and injunctive relief, including an order from the courts to prohibit the defendants from engaging in unlawful acts and deceptive business practices and to ensure that a comprehensive information security program is implemented to protect against future data breaches.

The post Multiple Lawsuits Filed Against Regal Medical Group Over 3.3 Million-Record Ransomware Attack appeared first on HIPAA Journal.

Several class action lawsuits have been filed against Regal Medical Group and affiliated healthcare providers following the February 1, 2023, announcement that the protected health information (PHI) of up to 3,300,638 individuals had potentially been stolen in a December 2022 ransomware attack.

The attack affected Regal Medical Group, the Heritage Provider Network, and several affiliated healthcare providers, including Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., Greater Covina Medical Group Inc., and Affiliated Doctors of Orange County. The attack was detected on December 2, when employees started experiencing difficulty accessing data.

The forensic investigation revealed the attack started on or before December 1, with sensitive data exfiltrated from its servers on December 1. The stolen files included PHI such as names, phone numbers, addresses, dates of birth, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and Social Security numbers. Affected individuals were offered a 12-month membership to a credit monitoring service.

It is now common for multiple lawsuits to be filed after healthcare data breaches, so it is no surprise that so many lawsuits have been filed after an attack of this magnitude. One of the biggest concerns raised in the lawsuits was how the attackers were able to gain access to so much data, much of which was highly sensitive and could be misused in many different ways. The lawsuits were filed in the California superior state court and federal court, and each makes similar claims against Regal Medical Group and the Heritage Provider Network, including negligence, negligence per se, breach of implied contract, unjust enrichment, and unfair business practices. The lawsuits allege violations of the California Consumer Privacy Act of 2018, the California Confidentiality of Medical Information Act, Unfair Competition Law, the FTC Act, and the Health Insurance Portability and Accountability Act.

The lawsuits also take issue with the time taken to issue notifications about the breach, which started to be issued on February 1, 2022, when the data breach occurred on December 1, 2022. While the notifications were issued within the time frame allowed by the HIPAA Breach Notification Rule, that Rule also states that notifications should be issued without undue delay. One of the lawsuits also takes issue with the information provided in the notifications, which failed to provide full information on the nature of the breach, such as for how long the attackers had access to the stolen data.

One of the lawsuits, Timothy Head vs. Regal Medical Group Inc, Heritage Provider Network Inc. (Cole & Van Note), claims the defendants intentionally, willfully, recklessly, or negligently failed to take and implement adequate and reasonable measures to ensure that representative plaintiff(s)’ and class members PHI/PII was safeguarded,” also claims the defendants were negligent for failing to encrypt data.

Sam Abedi And Farnaz Doroodian v. Heritage Provider Network, Inc. and Regal Medical Group, Inc. (Zimmerman Reed LLP/ The Johnson Firm) and David Rodriguez v. Regal Medical Group (Wucetich & Korovilas LLP) make similar claims, including the defendants were well aware of the high prevalence of data breaches and had the resources available to protect data but failed to invest sufficiently in data security, the remediation of vulnerabilities, staff training, and testing security controls.

Lynn Austin vs. Regal Medical Group, Inc. (Parker & Minnie, LLP & Mason LLP) claims the plaintiffs have suffered actual and concrete injury, including out-of-pocket expenses, loss of valuable rights and protections, heightened stress, fear, anxiety, and risk of future invasions of privacy, and mental and emotional distress.

The lawsuits seek class action certification, a jury trial, actual and punitive damages, and injunctive relief, including an order from the courts to prohibit the defendants from engaging in unlawful acts and deceptive business practices and to ensure that a comprehensive information security program is implemented to protect against future data breaches.

The post Multiple Lawsuits Filed Against Regal Medical Group Over 3.3 Million-Record Ransomware Attack appeared first on HIPAA Journal.

A lawsuit has been filed against Freehold Township, NJ-based CentraState Healthcare System over its December 2022 ransomware attack, a few days after the health system started sending notification letters to around 617,000 affected patients. The lawsuit alleges CentraState Medical Center was negligent for failing to implement adequate and reasonable safeguards to protect the sensitive data of its patients.

On February 10, 2023, CentraState confirmed it had suffered a ransomware attack that disrupted its computer systems. The health system detected the attack on December 29, 2022, blocked the unauthorized access, and launched an investigation to determine the nature and scope of the breach. CentraState confirmed that the hackers gained access to part of its systems that contained an archived database, and stole that database. The database included names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers, and patient account numbers. Complimentary credit monitoring and identity theft protection services were offered to individuals who had their Social Security number exposed.

On February 20, 2023, a lawsuit was filed in the Monmouth County Superior Court by attorney Benjamin Johns, which named Rita Sorrentino-Poggi of Manalapan as the plaintiff. Sorrentino-Poggi was notified on February 8, 2023, that some of her information was stolen by the hackers. The lawsuit alleges that as a direct result CentraState Medical Center’s failure to protect patient data, the plaintiff’s and class members’ sensitive data is now in the hands of the hackers and, potentially, other hostile individuals. As such, the plaintiff and similarly situated victims of the data breach now face an increased risk of identity theft and fraud and will have to spend a significant amount of time and money protecting themselves against identity theft and fraud.

The lawsuit seeks monetary damages, reimbursement of out-of-pocket expenses, and injunctive relief, including an order from the courts for CentraState to enhance data security to prevent similar attacks and data breaches in the future.

The post CentraState Medical Center Facing Class Action Lawsuit Over December 2022 Ransomware Attack appeared first on HIPAA Journal.