Legal News

District of Massachusetts Tosses Data Breach Lawsuit for Lack of Injury

It is now common for class action lawsuits to be filed in response to a healthcare data breach. While the theft of sensitive healthcare data can undoubtedly cause a great deal of inconvenience to victims of a data breach, for a lawsuit to stand a chance of success, the plaintiffs must allege they have suffered an injury as a direct result of the breach. Last month, the District of Massachusetts dismissed a class action complaint against Injured Workers’ Pharmacy, LLC, as the plaintiffs and class members failed to establish an injury-in-fact sufficient to confer Article III standing.

In May 2021, Injured Workers’ Pharmacy, which provides a pharmaceutical home delivery service, discovered parts of its network had been accessed by unauthorized individuals who potentially viewed or obtained the personally identifiable information of more than 75,000 of its customers.

A lawsuit was filed on behalf of customers Alexsis Webb and Marsclette Charley – Webb v. Injured Workers’ Pharmacy, LLC, that alleged negligence for failing to implement appropriate data security measures, breach of implied contract, unjust enrichment, and other claims. Webb and other individuals similarly affected by the breach alleged they had suffered an injury as a result of the data breach in the form of anxiety, loss of sleep, stress, and fear, and had spent considerable time and effort monitoring their financial accounts and protecting themselves against identity theft and fraud. Charley alleged she had spent hours dealing with the IRS due to a fraudulent tax return that had been filed in her name. The plaintiffs also alleged that as a result of their personally identifiable information being made available on the dark web, they had suffered damage to and diminution of the value of their PII, the cost of which was estimated to be $1,000.

IWP moved to dismiss the lawsuit for lack of standing and for failure to state a claim, arguing that the complaint did not allege any concrete and particularized injury that was actual or imminent. The District of Massachusetts agreed and dismissed the complaint, as the plaintiffs had not alleged any identifiable harm resulting from the data breach.

The only alleged harm that was suffered was the “considerable time and effort” that was spent monitoring accounts and dealing with the IRS, as there was no allegation of monetary loss, data misuse, or even an allegation that the plaintiffs’ PII had been stolen. While Charley had a fraudulent tax return filed in her name, the court ruled that there was no plausible allegation that connected the fraudulent claim to the data breach. Regarding the claim that there had been a diminution of the value of the plaintiffs’ PII, the court said it was unclear how the loss of black market value of the PII could inflict an injury on the plaintiffs.

The Supreme Court has previously ruled that in a suit for damages, the mere risk of future harm, without more, cannot establish Article III standing, and the District of Massachusetts added that “[Plaintiffs] cannot manufacture standing merely by inflicting harm on themselves based on… hypothetical future harm.”

The post District of Massachusetts Tosses Data Breach Lawsuit for Lack of Injury appeared first on HIPAA Journal.

10 Charged Over BEC Scams Targeting Medicare, Medicaid, and Private Insurance Programs

The U.S. Department of Justice has charged 10 individuals over business email compromise scams that have resulted in more than $11.1 million being defrauded from Medicaid, Medicare, and private health insurance programs. The payments were intended for hospitals for providing covered medical services.

Business email compromise (BEC) scams involve gaining access to, or convincingly impersonating, legitimate email accounts and using them to trick the individuals responsible for wire transfers into sending payments to attacker-controlled accounts. BEC is the costliest category of cybercrime: according to the FBI, more than $43 billion was lost to these scams between June 2016 and December 2021, and in 2021 alone the FBI Internet Crime Complaint Center received reports of $2,395,953,296 in BEC losses.

The arrests were related to a series of scams that spoofed hospital email accounts. The individuals allegedly involved in these attacks sent emails requesting changes be made to the bank account details on file for all future payments. The accounts had been recently set up by money mules, who would withdraw the funds once the transfers had been made. The money was then laundered through false and stolen identities and shell companies. The funds were transferred overseas and were used to purchase luxury goods and exotic automobiles. Five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers were tricked into changing the bank account details for payments.
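As an added example (not code from the DOJ case or from HIPAA Journal), the following Python script shows the kind of check a payer's mail gateway or accounts-payable team can run on an inbound request to change remittance bank details: it compares the visible From: domain with the envelope sender, reads the SPF/DKIM/DMARC verdicts stamped by the receiving server in the Authentication-Results header, looks for lookalike spellings of known provider domains, and holds any payment-change request for a callback to a phone number already on file. The two messages, the allow-list of trusted domains, and the keyword list are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample messages (not from the DOJ case). The first claims a
# hospital's domain in From:, but the envelope sender and the receiving
# server's authentication results point to a lookalike domain.
SPOOFED_MESSAGE = b"""\
Return-Path: <billing@example-hospita1.com>
Authentication-Results: mx.insurer.example; spf=pass smtp.mailfrom=example-hospita1.com; dkim=none; dmarc=fail header.from=example-hospital.com
From: Hospital Billing <billing@example-hospital.com>
To: payments@insurer.example
Subject: Updated remittance details
Content-Type: text/plain; charset=utf-8

Please update the bank account on file for all future payments.
The new routing number and account number are attached.
"""

GENUINE_MESSAGE = b"""\
Return-Path: <billing@example-hospital.com>
Authentication-Results: mx.insurer.example; spf=pass smtp.mailfrom=example-hospital.com; dkim=pass header.d=example-hospital.com; dmarc=pass header.from=example-hospital.com
From: Hospital Billing <billing@example-hospital.com>
To: payments@insurer.example
Subject: Updated remittance details
Content-Type: text/plain; charset=utf-8

Please update the bank account on file for all future payments.
"""

# Assumed allow-list of provider domains the payer has done business with.
TRUSTED_DOMAINS = {"example-hospital.com"}

# Phrases that mark a request to alter where money is sent (assumed list).
PAYMENT_CHANGE = re.compile(
    r"\b(bank account|routing number|account number|wire instructions|remittance|payment details)\b",
    re.IGNORECASE)


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header value."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def auth_verdicts(header_value):
    """Pull spf/dkim/dmarc results out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(header_value or ""), re.IGNORECASE)}


def edit_distance(a, b):
    """Plain Levenshtein distance, used as a cheap lookalike-domain test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted, max_distance=2):
    """Return the trusted domain this one imitates, or None."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= max_distance:
            return t
    return None


def analyze(raw_bytes, trusted=TRUSTED_DOMAINS):
    """Score one message and decide how a payment-change request should be handled."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    verdicts = auth_verdicts(msg["Authentication-Results"])
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")

    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append("envelope_domain_mismatch")
    for check in ("spf", "dkim", "dmarc"):
        if verdicts.get(check) in ("fail", "softfail", "none", "temperror", "permerror"):
            findings.append(f"{check}_{verdicts[check]}")
    for d in {from_domain, envelope_domain}:
        if d and d not in trusted and lookalike_of(d, trusted):
            findings.append(f"lookalike_domain:{d}")

    payment_change = bool(PAYMENT_CHANGE.search(text))
    if payment_change and findings:
        verdict = "hold_for_callback"      # quarantine; confirm with the provider by a known number
    elif payment_change:
        verdict = "verify_out_of_band"     # even an authenticated request gets a callback
    else:
        verdict = "deliver"
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "auth": verdicts, "findings": findings,
            "payment_change_request": payment_change, "verdict": verdict}
```

The design point is the second branch: a message that passes SPF, DKIM and DMARC can still come from a genuinely compromised mailbox, so the header checks only decide how loudly to flag the request, while any change to bank details is confirmed by calling a number already on file rather than one supplied in the email.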

Seven individuals were recently charged in connection with these scams, all of whom were residents of Georgia and South Carolina – Biliamin Fagbewesa, 31, of Columbia, South Carolina, Patrick Ndong-Bike, 32, Desmond Nkwenya, 35, Cory Smith, 29, Chisom Okonkwo, 26, and Olugbenga Abu, 45, of Atlanta, Georgia, and Trion Thomas, 50, of Stone Mountain, Georgia. The other three individuals – Malachi Mullings, 29, of Sandy Springs, Georgia, Adewale Adesanya, 39, of Jonesboro, Georgia, and Sauveur Blanchard Jr., 49, of Richmond, Virginia – had previously been charged over their money laundering activities.

Medicare, Medicaid, and private health insurers suffered losses of more than $4.7 million, and a further $6.4 million in losses were caused to federal government agencies, private companies, and individuals. Nine of the defendants face maximum jail terms of 20 or 30 years if convicted. Adewale Adesanya pleaded guilty to conspiracy to commit money laundering and use of a fake passport, having laundered more than $1.5 million from the BEC scams targeting Medicaid, the Small Business Administration (SBA), the IRS, a private company, and two elderly romance scam victims. He was sentenced to 4 years in jail on September 15, 2022.

“These allegations depict a brazen effort to siphon monies, in part, from essential health care programs to instead fund personal gain,” said Deputy Inspector General for Investigations Christian J. Schrank of the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG). “A top concern of HHS-OIG is the integrity of programs such as Medicare and Medicaid, so it is an utmost priority to pursue individuals who financially exploit them. This coordinated action is a prime example of the commitment that HHS-OIG and our law enforcement partners have to defending the federal health care system against fraud.”


Forefront Dermatology Proposes $3.75 Million Settlement to Resolve Ransomware Lawsuit

The Wisconsin-based dermatology practice, Forefront Dermatology, has agreed to settle a class action lawsuit filed on behalf of patients whose protected health information (PHI) was compromised in a ransomware attack in late May 2021.

Forefront Dermatology has affiliated practices in 21 states and Washington D.C. In May 2021, the practice was targeted by the Cuba ransomware gang, which gained access to its network and exfiltrated files from the network before encrypting data. The gang then dumped some of the stolen data on its dark web data leak site to pressure the practice into paying the ransom. According to Forefront Dermatology’s data breach notice, the attack was detected on June 4. The forensic investigation confirmed the attackers potentially accessed and stole files containing the PHI of up to 2.4 million employees and patients. That information included names, dates of birth, account numbers, health insurance information, Social Security numbers, medical record numbers, medical and treatment information, and other sensitive data.

A class action lawsuit was filed in the U.S. District Court for the Eastern District of Wisconsin shortly after patients were notified about the breach, which alleged Forefront Dermatology had failed to implement adequate data security protocols, including permitting the use of “incredibly simplistic passwords,” and had maintained patient data “in a reckless manner”. The lawsuit alleged the ransomware attack and data breach was made possible due to those security failures, and that Forefront Dermatology was aware of the risk of a data breach and had the resources to implement appropriate data security measures but failed to do so.

The lawsuit also takes issue with the month-long delay in issuing breach notification letters and with the conflicting statements given to patients and to the Maine attorney general: the attorney general was informed that Social Security numbers had been stolen, while patients were told that information such as Social Security numbers, driver’s license numbers, and financial account/payment card information had not been accessed or stolen.

The lawsuit alleges the plaintiffs – Judith Leitermann, Lynn Anderson, and Milan E. Kunzelmann – and similarly affected individuals have been exposed to a heightened and imminent risk of fraud and identity theft, and that their PHI is now in the hands of criminals. As a result of the alleged negligence of Forefront Dermatology, the plaintiffs and class members must closely monitor their financial accounts to guard against identity theft and have incurred, and will continue to incur, out-of-pocket costs for protective measures to deter and detect identity theft.

Forefront Dermatology has not admitted any wrongdoing and accepts no liability for the data breach, but chose to settle the lawsuit to prevent further legal costs and to avoid the uncertainty of trial. Forefront Dermatology proposed a $3.75 million settlement to resolve all claims related to the data breach.

Under the terms of the settlement, class members are entitled to claim up to $10,000 for documented losses from identity theft, credit-related costs, bank fees, communication charges, and fraudulent charges, as well as claim up to five hours of lost time at $25 per hour, and may also sign up for one year of free credit monitoring services. Class members may opt out of receiving expense reimbursement and credit monitoring services and will instead receive a cash fund payment, the value of which will depend on the number of participating class members.

Class members have until January 24, 2023, to object to or exclude themselves from the settlement, and until February 8, 2023, to submit a claim. The final approval hearing has been scheduled for March 1, 2023.


Former Pennsylvania Medical Assistant Charged with Stealing Patient Information for Personal Gain

A former employee of Axia Women’s Health in Pennsylvania has been charged in a 39-count indictment for stealing patient information for personal gain. The Upper Moreland Police Department in Montgomery County, PA, uncovered an elaborate scheme involving the theft of the identities of patients, which were used to obtain credit cards and loans, rent high-end apartments, and obtain several thousand dollars worth of furniture.

The investigation centered on Gwendolyn Murray of Philadelphia. Text messages were found on Murray’s cellphone that had been sent by Ashley Latimer, 34, of Philadelphia, which appeared to be screenshots of patient records. Latimer was determined to have sent the messages while working at AFC Urgent Care in South Philadelphia. Further investigation revealed Latimer had worked at AFC Urgent Care between September 16, 2021, and December 26, 2021, but was fired when she was suspected of stealing $3,200 from the cash drawer.

Latimer then found employment as a medical assistant at Axia Women’s Health, where she was given access to patient records to complete her work duties. While employed at Axia Women’s Health, Latimer used her cellphone to take photographs of patient records containing driver’s license numbers and other information, which were sent to Murray to create fraudulent customer accounts and obtain credit in the victims’ names. The stolen identities were used to create fraudulent accounts at Wayfair, Mattress Queen, Carvana, and Bob’s Discount Furniture.

The police seized Latimer’s cell phone and found 41GB of data that included text conversations with Murray along with photographs of computer screens and paper documents containing the personal information of patients of Axia Women’s Health, where Latimer was employed in the first and second quarters of 2022. The detectives also found images of Experian Credit Reports, lease applications, and applications and approvals for credit at Wayfair and Carvana in the names of Axia Women’s Health patients.

On November 10, 2022, Pennsylvania Attorney General Josh Shapiro announced that Latimer had been arrested and charged for her role in the scam. The information stolen by Latimer was used to open credit cards and make purchases totaling more than $31,000. Latimer has been charged with 27 counts of identity theft, 7 counts of theft, 4 counts of computer theft, and one count of forgery.

“This defendant is accused of taking advantage of her position and violating her trust and responsibility as a medical professional,” said AG Shapiro. “We will not, under any circumstance, allow individuals to put patients at risk and compromise our Commonwealth’s health care systems.”


Pennsylvania Updates Data Breach Notification Law

The Governor of Pennsylvania, Tom Wolf, has signed Senate Bill 696 into law, which expands the definition of personal information under the Breach of Personal Information Notification Act that warrants individual notifications to be issued in the event of a data breach. The updated law will take effect on May 2, 2023.

The updated definition of personal information now includes medical information, health insurance information, and usernames and passwords. Notifications must be issued if any of that information is breached along with the name of a state resident.

Medical information is classed as individually identifiable information related to an individual’s current or past medical condition, diagnosis, or treatment that has been created by a healthcare professional. Health insurance information includes a health insurance policy number or subscriber number, combined with an access code or other information that would allow the misuse of an individual’s insurance benefits. A breach of a username or email address also requires notification if it is compromised together with a password, or with a security question and answer or other information that would allow the individual’s online account to be accessed.

In the case of a compromised username and password, an electronic notice may now be issued instead of a written one, provided a prior business relationship exists, the person or entity holds a valid email address for the individual, and the notice directs the individual to promptly change their password or other related account information for security reasons. Standard notifications must otherwise be provided by mail to the last known home address of the individual, although telephonic notices are permitted if an individual can be reasonably expected to be reached by telephone.

Entities covered by the Health Insurance Portability and Accountability Act – HIPAA-covered entities and HIPAA business associates – are exempted, provided they comply with the breach notification requirements of the HIPAA Breach Notification Rule.


Five Former Tennessee Hospital Employees Charged with Criminal HIPAA Violations

Five former employees of Methodist Hospital in Tennessee have been indicted by a federal grand jury in Memphis for criminal violations of the Health Insurance Portability and Accountability Act (HIPAA) for impermissibly accessing the protected health information of patients and providing that information to another individual for financial gain.

According to the indictment, between November 2017 and December 2020, Roderick Harvey, 40, conspired with five former hospital employees and paid them to provide him with the names and telephone numbers of patients who had been involved in motor vehicle accidents. Harvey then sold that information to third parties such as personal injury lawyers and chiropractors.

The former Methodist Hospital employees – Kirby Dandridge, 38, Sylvia Taylor, 43, Kara Thompson, 30, Melanie Russell, 41, and Adrianna Taber, 26 – and Harvey were charged with conspiracy to obtain patient information with the intent to sell, transfer or use such information for personal gain, the maximum penalty for which is five years in jail, three years of supervised release, and a financial penalty of up to $250,000. Each of the five employees was also charged with separate criminal violations of HIPAA for disclosing patient information to Harvey, with those charges carrying a maximum penalty of one year in jail, one year of supervised release, and a fine of up to $50,000.

Harvey has been charged with seven counts of obtaining patient information with the intent to sell the information for financial gain, with the offenses occurring from November 12, 2017, to September 7, 2019. Harvey faces up to 10 years in jail, a fine of up to $250,000, and three years of supervised release for each charge.

Methodist Le Bonheur Healthcare discovered the unauthorized access, terminated the employees for the HIPAA violations, and reported the employees to law enforcement. The case was investigated by the Federal Bureau of Investigation and the Tennessee Bureau of Investigation, with the case prosecuted by Assistant United States Attorney Carroll L. André III.


New York Provider of Administrative Anesthesiology Services Facing Multiple Class Action Data Breach Lawsuits

A New York-based physician-owned provider of administrative services to anesthesiology firms is facing several class action lawsuits over a cyberattack and data breach that has affected at least 24 entities and involved the exposure and potential theft of the protected health information of more than 450,000 patients.

Anesthesiology firms started reporting data breaches to the Department of Health and Human Services’ Office for Civil Rights in September 2022, with the notification letters to patients indicating there had been a data breach at their anesthesia management services organization. The notification letters failed to name that company.

According to the notification letters, the management services organization detected the cyberattack on or around July 11, 2022, or July 15, 2022 – two templates were used by the affected firms that had different dates. The forensic investigation determined the attackers had access to parts of its system that contained the protected health information of patients, including names, Social Security numbers, dates of birth, driver’s license numbers, financial account information, health insurance policy numbers, medical record numbers, Medicaid/Medicare IDs, and health information, including diagnosis and treatment information.

At least five complaints have now been filed in the U.S. District Court for the Southern District of New York against the management company – Somnia Inc. – over the data breach. The complaints allege the company was negligent for failing to implement appropriate safeguards to ensure the confidentiality, integrity, and availability of patient information, that Somnia failed to comply with FTC guidelines and the HIPAA Rules, and that it had not followed industry standards for data security.

Some of the lawsuits also take issue with the way the breach was reported due to the failure to mention Somnia Inc. by name in the notification letters, and in some cases, to fully disclose exactly what information had been compromised. One lawsuit took issue with Somnia Inc. only disclosing the breach as affecting 1,326 patients, when the breach was known to have affected more than 400,000 individuals at the time and suggested, “Somnia is trying to completely avoid any and all responsibility for the data breach and is using its local practices to obscure the identity of the responsible entity as well as to downplay the severity of the data breach.”

The lawsuits allege individuals affected by the breach now face an immediate and elevated risk of identity theft and fraud as a result of the negligence of Somnia, and seek class action status, damages, adequate credit monitoring and identity theft protection services, injunctive relief, and a court order that requires Somnia to implement enhanced security measures to ensure patient information is appropriately protected.


Lurie Children’s Hospital Proposes Settlement to End Insider Breach Lawsuit

Ann & Robert H. Lurie Children’s Hospital has proposed a settlement to resolve a class action lawsuit filed in response to two privacy breaches involving unauthorized medical record access by employees.

On November 15, 2019, the Chicago hospital discovered an employee had been impermissibly accessing patient records. The investigation determined the unauthorized access occurred between Sept. 10, 2018, and Sept. 22, 2019. The employee, a nursing assistant, viewed patient records that included names, addresses, dates of birth, and medical information, including diagnoses, medications, appointments, and procedures. Once the unauthorized access was confirmed, the employee was terminated. Lurie Children’s Hospital notified affected patients in December 2019 and said there was no reason to suggest the information had been further disclosed or misused.

A similar breach was detected by the hospital in 2020. A nursing assistant was discovered to have accessed patient records without authorization between November 1, 2018, and February 29, 2020, and was also terminated. Patients were notified about the breach in May 2020. A mother took legal action against the hospital on behalf of her 4-year-old daughter, whose medical records had been impermissibly accessed by the two nursing assistants. Her daughter’s records included details of an examination to investigate suspected sexual abuse.

The lawsuit – Doe v. Lurie Children’s Hospital of Chicago – alleged the hospital had been negligent for failing to protect patient records, the hospital breached its implied contract, and failed to monitor employees’ access to patients’ medical records. Lurie Children’s Hospital denied liability for the breach and did not admit any wrongdoing and maintained the plaintiff failed to state a claim in the lawsuit upon which relief can be granted, as the plaintiff failed to assert any basis that the actions of the hospital caused any harm.

Lurie Children’s Hospital proposed a settlement to put an end to the allegations of wrongdoing. The proposed settlement does not include any monetary benefits, but the hospital has agreed to make changes to policies and procedures and implement additional safeguards to better protect patient data. Those measures include increased monitoring of employee access logs, including twice-weekly reviews of audit alerts, and a commitment to provide employees with additional training on medical record access. The hospital has also stated that it will be applying “break the glass” protocols for highly sensitive medical information related to certain treatments, including evaluations for sexual abuse and sexual assault.
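As an added example (not the hospital’s code or part of the settlement), the following Python script shows how the controls described above can be expressed as audit-log review logic: each chart access is checked against a care-team roster, any access to a chart flagged as highly sensitive must carry a break-the-glass reason code, break-the-glass events are queued for human review of the stated reason, and a user who opens several unassigned charts in one day is escalated. The log lines, roster, sensitivity flags and threshold are constructed for illustration; a real EHR audit export has different fields and usually needs the care relationship derived from orders, encounters or unit assignments rather than a static list.

```python
from collections import Counter

# Constructed EHR audit records (not the hospital's data), one chart access per line:
# timestamp user role patient_id action reason_code ("-" = none, "btg:<reason>" = break-the-glass)
AUDIT_LOG = """\
2022-10-03T08:12:05 nurse01 nursing_assistant P1001 view_chart treatment
2022-10-03T08:15:41 nurse01 nursing_assistant P1002 view_chart treatment
2022-10-03T22:47:10 nurse01 nursing_assistant P2001 view_chart -
2022-10-03T22:49:33 nurse01 nursing_assistant P2002 view_chart -
2022-10-03T22:52:07 nurse01 nursing_assistant P2003 view_chart -
2022-10-04T09:05:00 dr_lee physician P3001 view_chart btg:emergency
2022-10-04T09:30:00 nurse02 nursing_assistant P3001 view_chart -
"""

# Assumed care-team roster: the patients each user is expected to touch.
CARE_TEAM = {
    "nurse01": {"P1001", "P1002"},
    "nurse02": {"P3001"},
    "dr_lee": set(),
}

# Charts flagged as highly sensitive (e.g. abuse evaluations); every access must carry a btg: reason.
SENSITIVE_PATIENTS = {"P3001"}


def parse_audit_log(text):
    """Turn the whitespace-separated log into dicts; '-' means no reason was recorded."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, reason = line.split()
        records.append({"ts": ts, "user": user, "role": role, "patient": patient,
                        "action": action, "reason": "" if reason == "-" else reason})
    return records


def is_break_the_glass(reason):
    return reason.startswith("btg:")


def review_audit_log(text, care_team, sensitive_patients, threshold=3):
    """Return (alerts, btg_events, escalations).

    alerts:      accesses outside a care relationship, or of a sensitive chart without break-the-glass
    btg_events:  every break-the-glass access, queued for a human to judge the stated reason
    escalations: (user, day) pairs with at least `threshold` off-relationship accesses
    """
    alerts, btg_events = [], []
    off_relationship = Counter()
    for rec in parse_audit_log(text):
        user, patient, reason = rec["user"], rec["patient"], rec["reason"]
        if is_break_the_glass(reason):
            btg_events.append(rec)   # access was allowed through; the justification is reviewed later
            continue
        if patient not in care_team.get(user, set()):
            alerts.append({**rec, "rule": "no_care_relationship"})
            off_relationship[(user, rec["ts"][:10])] += 1
        if patient in sensitive_patients:
            alerts.append({**rec, "rule": "sensitive_without_btg"})
    escalations = {key: n for key, n in off_relationship.items() if n >= threshold}
    return alerts, btg_events, escalations


def alert_counts_by_user(alerts):
    """Per-user tally for the periodic review report."""
    return dict(Counter(a["user"] for a in alerts))


if __name__ == "__main__":
    alerts, btg, esc = review_audit_log(AUDIT_LOG, CARE_TEAM, SENSITIVE_PATIENTS)
    for a in alerts:
        print(f"{a['ts']} {a['user']} {a['patient']} {a['rule']}")
    print("break-the-glass events for review:", [(e["user"], e["patient"], e["reason"]) for e in btg])
    print("escalations:", esc)
```

In the sample, nurse01’s three late-evening views of unassigned charts on the same day produce both individual alerts and a per-day escalation, nurse02’s view of the sensitive chart is flagged even though the patient is on that user’s roster because no break-the-glass reason was recorded, and dr_lee’s break-the-glass access is not an alert but is queued so a reviewer can confirm the emergency was real.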

The deadline for objection and exclusion is January 4, 2023. The final approval hearing has been scheduled for January 25, 2023.


Lawsuits Filed Against OakBend Medical Center and Keystone Health Over Data Breaches

OakBend Medical Center in Richmond, TX, and Keystone Health in Chambersburg, PA, are facing class action lawsuits over recent hacking incidents that resulted in the exposure and theft of the protected health information of hundreds of thousands of patients.

OakBend Medical Center

On September 1, 2022, OakBend Medical Center discovered its systems had been compromised and files had been encrypted. The breach was contained, access to its network was terminated, and a forensic investigation was conducted to determine the nature and scope of the attack. The forensic investigation confirmed that the attackers had exfiltrated files containing patient data. OakBend Medical Center said entire medical records do not appear to have been stolen. The stolen data included names, contact information, dates of birth, and Social Security numbers. The threat actors behind the attack – Daixin Team – claim the data they stole included 1 million patient records, although that has yet to be confirmed by OakBend Medical Center.

On October 28, 2022, two patients affected by the data breach – Ryan Higgs and Alissa Wojnar – took legal action over the theft of their protected health information. The lawsuit was filed by Dallas, TX-based attorney Joe Kendall in the U.S. District Court for the Southern District of Texas and alleges OakBend Medical Center maintained the private information of patients “in a reckless manner,” and failed to properly monitor its IT network. The lawsuit alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, intrusion upon seclusion, invasion of privacy, and unjust enrichment.

The plaintiffs claim they have suffered the loss of the benefit of their bargain, out-of-pocket expenses, the value of their time that was incurred to remedy and mitigate the effects of the attack, emotional distress, and the imminent risk of future harm caused by the compromise of their sensitive personal information. The lawsuit seeks class action status, compensatory damages, reimbursement of out-of-pocket expenses, and injunctive relief that requires OakBend Medical Center to implement additional security measures to better protect patient data and to also provide adequate credit monitoring services to affected patients.

Keystone Health

On August 19, 2022, Keystone Health discovered its network had been compromised. After systems were secured, a forensic investigation was launched to determine the scope of the attack, and it was confirmed that hackers had access to its network between July 28, 2022, and August 19, 2022. During that time, they had access to sensitive patient data including names, Social Security numbers, and clinical information. The breach affected 235,237 patients, who were notified on October 14, 2022.

A lawsuit was filed in the U.S. District Court for the Middle District of Pennsylvania by the law firm Milberg Coleman Bryson Phillips Grossman, PLLC, naming Jacob Whitehead as plaintiff on behalf of his minor son. The lawsuit alleges Keystone Health failed to properly secure and safeguard personally identifiable information, and that the private information of patients was maintained in a reckless and negligent manner that made it vulnerable to cyberattacks.

The lawsuit alleges negligence for failing to implement minimum industry standards for protecting patient data and claims Keystone Health failed to meet its obligations under the HIPAA Security Rule as appropriate safeguards had not been implemented to protect patients’ electronic protected health information. The lawsuit also alleges a violation of the HIPAA Breach Notification Rule for failing to properly notify patients about the data breach.

The lawsuit claims the plaintiff and others affected by the data breach are now at significant risk of identity theft and various other forms of personal, social, and financial harm. They allege an injury has been sustained in the form of the lost or diminished value of their private information, out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their private information, lost time and opportunity, and a continued and substantially increased risk of cyberattacks and fraud.

The lawsuit seeks class action status, a jury trial, damages, and equitable and injunctive relief, including a requirement for Keystone Health to ensure it has an effective and comprehensive security program, to undergo independent security audits and penetration tests, to engage internal personnel to run automated security monitoring, and to provide security awareness training to all employees, at least annually.
