Legal News

Advocate Aurora Health and WakeMed Sued Over Meta Pixel Privacy Breaches

Two class action lawsuits have been filed on behalf of patients whose protected health information (PHI) was impermissibly disclosed to Meta/Facebook as a result of the use of the Meta Pixel JavaScript code snippet on the websites and web applications of Advocate Aurora Health and WakeMed Health and Hospitals. Advocate Aurora Health said the PHI of up to 3 million patients had potentially been disclosed to Meta/Facebook, and WakeMed said around 495,000 patients were affected due to the inclusion of the code on the MyChart patient portal and its appointment scheduling page. Both healthcare providers have admitted to an impermissible disclosure of PHI but said at the time of issuing notifications that they were unaware of any cases of misuse of patient information and that there are no indications that employees of Meta or Facebook viewed the transmitted data.

The lawsuit against Advocate Aurora Health, which also names Meta as a defendant, was filed in the U.S. District Court for the Northern District of Illinois and names Alistair Stewart, of Illinois, as the lead plaintiff. The lawsuit seeks class action status, damages, and injunctive and other equitable relief. According to the lawsuit, “Whenever a patient uses Advocate’s websites and applications, including its LiveWell portal, Advocate and Facebook intercept, contemporaneously cause transmission of, and use personally identifiable patient information and PHI without patients’ knowledge, consent, or authorization.” The lawsuit alleges Advocate Aurora Health and Meta were aware that protected health information was being transmitted, and that this was in violation of the HIPAA Rules. “This was evidenced from, among other things, the functionality of the Pixel, including that it enabled Advocate’s LiveWell portal to show targeted advertising to its digital subscribers based on the products those digital subscribers had previously viewed on the website, including certain medical tests or procedures, for which Advocate received financial remuneration.”

Advocate Aurora Health maintains that the tracking code was only used to improve the consumer experience across its websites, and to encourage individuals to schedule necessary preventive care, and said it has stopped using the code and has implemented additional safeguards and third-party code-checking procedures to prevent similar breaches in the future.

The lawsuit against WakeMed was filed in the Wake County Superior Court in North Carolina by attorneys Gary Jackson and Tom Wilmoth and similarly seeks class action status, damages, and injunctive relief. The lawsuit makes similar claims and also alleges that the code was added to the website in the knowledge that sensitive patient data would be shared with Meta, and that WakeMed received financial benefits from sharing that information with Meta. The lawsuit alleges violations of FTC Rules and HIPAA, as sensitive healthcare data, including PHI, was shared with Meta without the knowledge or consent of the plaintiff and class members.

The lawsuit states the plaintiff reasonably expected her online communications with WakeMed to be confidential and that they would not be shared with or intercepted by a third party, and that consent to share her data had not been requested or obtained. The lawsuit alleges negligence for failing to implement reasonable safeguards to prevent improper disclosures of PHI, failing to adequately train employees, and failing to follow industry-standard data security practices.

In order for healthcare data breach lawsuits to succeed, an actual injury must have been sustained. In contrast to data breach lawsuits filed against healthcare organizations that have been hacked, the plaintiffs’ PHI is not in the hands of cybercriminals and there has been no injury through fraud or identity theft. The lawsuits allege an injury has been suffered in the form of the diminution in the value of the plaintiffs’ and class members’ private information. The plaintiff in the WakeMed lawsuit alleges she has lost time and experienced annoyance, interference, and inconvenience, which has led to her suffering anxiety, emotional distress, and increased concerns about her loss of privacy.

Many healthcare providers added Meta Pixel code to their websites. A study conducted by The Markup revealed 33 of the top 100 hospitals in the United States used the code, several of which added Meta Pixel to their patient portals. In August 2022, Novant Health announced that the PHI of up to 1.36 million patients had potentially been disclosed to Meta/Facebook, and many other healthcare providers are expected to make similar announcements in the coming weeks. Lawsuits have already been filed against Medstar Health System in Maryland, UCSF Medical Center and Dignity Health Medical Foundation, and Northwestern Memorial Hospital in Chicago, due to the use of the tracking code on their websites.

The post Advocate Aurora Health and WakeMed Sued Over Meta Pixel Privacy Breaches appeared first on HIPAA Journal.

Georgia Home Health Company Settles Phishing Investigation and Pays $425,000 Penalty

Aveanna Healthcare has agreed to pay a $425,000 financial penalty to the Office of the Attorney General of Massachusetts for failing to implement appropriate safeguards to prevent phishing attacks, in violation of state and federal laws.

Aveanna Healthcare operates in 33 states and is the nation’s largest provider of pediatric home care. In the summer of 2019, Aveanna Healthcare was targeted in a phishing campaign that saw more than 600 phishing emails sent to its employees. The phishing emails attempted to trick the recipients into providing credentials, money, or other sensitive information. The first email account was breached in July 2019, with the attacks continuing throughout the summer. Aveanna Healthcare discovered the breach on August 24, 2019.

The forensic investigation revealed multiple employees had been tricked into disclosing their account credentials, which provided the attackers with access to parts of the network that contained the protected health information (PHI) of 166,000 patients, including the PHI of approximately 4,000 Massachusetts residents. The patient information exposed and potentially copied included names, Social Security numbers, driver’s license numbers, financial account numbers, and health information such as diagnoses, medications, and treatment information. The threat actors also logged into the human resources system and attempted to change the direct deposit information of employees to divert payments.

The Massachusetts AG’s Office launched an investigation into the phishing attacks and determined that Aveanna Healthcare had failed to implement appropriate safeguards to protect against phishing attacks. The AG’s Office alleged Aveanna was aware that its cybersecurity program was insufficient at the time of the phishing attacks and that it did not have sufficient tools in place to adequately defend against phishing attacks, such as multifactor authentication and sufficient security awareness training for its workforce. The Massachusetts AG’s Office determined that Aveanna’s security program had not met the minimum level of security required by the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts nor the minimum standards for security demanded by the HIPAA Security Rule.

The consent judgment requires Aveanna to pay a financial penalty of $425,000 to the Massachusetts AG’s office to resolve the violations, and adopt a corrective action plan that requires Aveanna to develop, implement, and maintain a security program that includes phishing protection technology, multi-factor authentication, and other systems designed to detect and address intrusions. Aveanna must also provide additional security awareness training to the workforce, including providing regular updates on the latest security threats. Aveanna is required to undergo annual independent assessments of its compliance with the consent order and will be monitored by the Massachusetts AG’s Office for a period of four years.

“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” said Massachusetts Attorney General Maura Healey. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”

Aveanna Healthcare is also facing a class action lawsuit over the exposure of patient data. The lawsuit alleges a failure to implement appropriate security measures and also takes issue with the length of time it took Aveanna to announce the data breach – 5 months after the breach was detected.


California Appellate Court Confirms Trial Court’s Decision to Toss Class Action Insider Breach Lawsuit

A Californian appellate court has recently confirmed the decision of the lower court to deny class action status for a lawsuit filed against a Californian healthcare provider over an insider data breach that affected 5,485 patients.

In May 2018, the healthcare provider – Muir Medical Group IPA – discovered a former employee had accessed and copied the records of patients before leaving employment and took patient information to her new employer. The investigation determined the breach occurred in December 2017 and affected patients who received treatment between November 2013 and February 2017. The information copied by the employee included names, contact information, treatment information, and other sensitive data.

A lawsuit was filed in the wake of the breach – Vigil v. Muir Medical Group IPA, Inc. – that alleged negligence and violations of the Confidentiality of Medical Information Act (CMIA), the Customer Records Act, and unlawful business practices under the Unfair Competition Law. The lawsuit also alleged violations of the Security Management Process standard of HIPAA, as the employee should not have been able to access the records of many of the patients.

Class action status for the lawsuit was rejected by the trial court, as the claims made by the plaintiff were deemed to be deficient. The court determined the patient’s claims hinged on the alleged CMIA violation. The trial court found the predominance of common questions requirement was not met as, under CMIA, individualized inquiries would be required to prove the defendant’s liability and damages to each of the affected patients, and liability is predicated on whether each of the class members’ records was actually viewed which, based on the facts, was not capable of resolution in the aggregate.

The decision was appealed, but the appellate court sided with the defendant, confirming that class action status could not be granted as the plaintiff was unable to show an unauthorized third party had viewed the records of each class member, therefore this was a private issue and class certification was not appropriate. The appellate court also ruled the plaintiff had no viable claim under CMIA due to failure to demonstrate the healthcare provider had negligently maintained or stored patient information, then lost that information due to its negligence.


RIPTA, UnitedHealthcare of New England Sued Over 2021 Data Breach

The American Civil Liberties Union of Rhode Island (ACLU of RI) is taking legal action against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) over an August 2021 data breach that affected more than 22,000 individuals.

According to RIPTA, a cyberattack on its systems was detected and blocked on August 5, 2021. The breach was investigated, and it was determined that hackers gained access to its network two days previously, on August 3. The review of the files on the accessible parts of its system revealed they contained the data of 5,015 members of its group health plan, including names, dates of birth, Social Security numbers, and health plan ID numbers.

The breach was reported to the HHS’ Office for Civil Rights as affecting 5,015 individuals; however, the information of a further 17,378 individuals who were not RIPTA employees was also compromised. Notification letters were sent to all affected individuals four months after the discovery of the data breach, which saw multiple complaints filed with the Rhode Island Attorney General by non-RIPTA employees demanding to know how and why RIPTA had access to their data. According to RIPTA, those individuals were insured by UnitedHealthcare, RIPTA’s previous health insurance provider. RIPTA said UnitedHealthcare had provided RIPTA with files containing the data of non-RIPTA employees.

Steven Brown, ACLU of RI Executive Director, told HIPAA Journal, “To this day, it remains unclear how and why UHC provided RIPTA with the personal and healthcare information of non-RIPTA state employees, and why it took over four months for RIPTA to notify both their employees and other affected individuals that their information had been hacked.”

The lawsuit was filed on behalf of plaintiffs Alexandra Morelli, a URI employee, and Diane Cappalli, a retired RIPTA employee. The plaintiffs represent a class of more than 20,000 individuals. The lawsuit alleges the plaintiffs and class members have been exposed to an ongoing risk of fraud and identity theft, which requires them to constantly monitor their financial accounts and credit reports as their personal information is in the hands of cybercriminals. Morelli alleges she has been a victim of fraud and has had unauthorized charges on her credit cards and withdrawals from her bank account.

The lawsuit alleges the defendants were negligent for failing to implement appropriate safeguards to protect sensitive employee and health plan member information, such as failing to encrypt data and failing to properly maintain, protect, purge, and safely destroy data. These failures are alleged to have violated two state laws in Rhode Island – the Identity Theft Protection Act of 2015 and the Confidentiality of Healthcare Communications and Information Act.

The lawsuit also takes issue with the length of time it took to issue notifications about the breach, which were sent 138 days after the data breach was discovered. HIPAA requires notifications to be issued within 60 days of discovery of a data breach, and state law requires notifications to be issued within 45 days. Further, the notifications did not contain sufficient information, such as whether Social Security numbers had been breached, and RIPTA’s website notification – published in December 2021 – failed to state that the data of non-RIPTA employees had also been breached.

The lawsuit seeks compensatory and punitive damages, attorneys’ fees, and an order for the defendants to cover the cost of “adequate” credit monitoring and identity theft protection services, which has been specified as 10 years. The lawsuit also calls for the defendants to implement and maintain a comprehensive information security program.

“Every Rhode Islander should be concerned not just about the flimsy safeguards that were in place to protect against a breach, but also that a state agency had access to the personal medical information of people not even in their employ,” said Brown. “As we pursue a legal remedy for this tremendous breach of personal and medical privacy, we believe this incident should also serve as a wake-up call to the General Assembly to strengthen the remedies available to victims of these breaches.”


Pharma Sales Rep Pleads Guilty to Healthcare Fraud and Criminal HIPAA Violations

A pharmaceutical sales rep has pleaded guilty to conspiring to commit healthcare fraud and wrongfully disclosing and obtaining patients’ protected health information in an elaborate healthcare fraud scheme involving criminal HIPAA violations.

Keith Ritson, 42, of Bayville, New Jersey, is a former pharmaceutical sales representative who promoted compound prescription medications and other drugs between 2014 and 2016. Compound prescription medications are specialty drugs that are mixed by a pharmacist to meet the needs of individual patients and are typically prescribed when standard medications for a specific medical condition cannot be taken by a patient, due to an allergy for instance. Compound prescription medications are not FDA approved but can be legally prescribed by a physician who determines that standard medications are not appropriate for a particular patient.

Ritson discovered that certain health insurance plans with pharmacy benefit management services covered compound prescription medications from a Louisiana pharmacy – Central Rexall Drugs, Inc. The pharmacy benefits administrator paid prescription drug claims and the state of New Jersey and other insurance plans were billed for the amounts paid. Ritson and his conspirators discovered certain insurance companies would reimburse thousands of dollars a month for some compound prescription medications, and Ritson would receive a percentage of the money paid to the pharmacy by the pharmacy benefits administrator for any prescription medications he arranged.

Individuals who had insurance plans that covered the compound medications would be recruited to receive the medications, even if they were not medically necessary, and Ritson himself also received the medications. Ritson identified the patients through the medical practice of Dr. Frank Alario. Alario pleaded guilty to his role in the healthcare fraud scheme earlier this month.

Ritson was not associated with Alario’s medical practice and was therefore not permitted to access or obtain the protected health information of Alario’s patients, but Alario provided Ritson with access to his offices and patient information to check which patients had insurance plans that would cover the medications. Ritson would then earmark patients so Alario would then know which patients to prescribe the medications to. In some instances, Ritson was present in patient examination rooms with Alario, and patients were given the impression that he was either employed by the medical practice or was affiliated with it.

Ritson used patient information to fill out prescription forms and Alario would then authorize the prescriptions. Ritson would then be paid a commission on those prescriptions. Ritson pleaded guilty to one count of conspiracy to commit health care fraud and one count of conspiring to wrongfully disclose and obtain patients’ PHI on October 19, 2022. He is due to be sentenced on Feb. 7, 2023, and faces up to 10 years in jail and a $250,000 fine for the healthcare fraud count, and a maximum of one year in jail and a $50,000 fine for the criminal HIPAA violation. Alario faces up to one year in jail and a $50,000 fine for his role in the scheme.

Three former executives of Central Rexall Drugs were charged for their role in the scheme in a 24-count indictment including healthcare and wire fraud. They are Christopher Kyle Johnston, 43, of Mandeville, Louisiana; Trent Brockmeier, 60, of Pigeon Forge, Tennessee; and Christopher Casseri, 54, of Baton Rouge, Louisiana. Hayley Taff, 39, of Hammond, Louisiana, worked at the pharmacy and pleaded guilty to conspiracy to commit healthcare fraud and is due to be sentenced on March 13, 2023.


United Health Centers of the San Joaquin Valley Proposes Settlement to Resolve Data Breach Lawsuit

United Health Centers of the San Joaquin Valley (UNC) has proposed a settlement to resolve a class action lawsuit filed on behalf of patients affected by its August 2021 Vice Society ransomware attack.

The attack in question saw the ransomware actors gain access to its network and exfiltrate files that contained patient information such as names, Social Security numbers, medical record numbers, dates of birth, and treatment information, with the information copied from its systems between August 24, 2021, and August 28, 2021. Notification letters about the attack and data breach were issued four months after the attack in December 2021. Affected individuals were offered complimentary 12-month memberships to a credit monitoring and identity theft protection service.

A lawsuit was filed in the Fresno County Superior Court – Avetisyan v. United Health Centers of the San Joaquin Valley – by attorney Matthew R. Wilson on behalf of UNC patient, Narek Avetisyan, and other individuals similarly affected by the data breach. The lawsuit alleged negligence, invasion of privacy, and violations of the California Confidentiality of Medical Information Act and the Consumer Records Act.

UNC said it has implemented and maintains “meritorious defenses” to prevent attacks of this nature and accepts no wrongdoing for the data breach or liability, and while UNC said it was happy to vigorously defend the lawsuit, the decision was made to try to settle the lawsuit to avoid ongoing legal costs and the uncertainty of trial.

Under the terms of the proposed settlement, affected individuals will be entitled to three years of credit monitoring and identity theft protection services, even if they choose to exclude themselves from the settlement. Individuals who accept the settlement will be entitled to submit a claim for up to $500 for non-economic losses due to the data breach and can claim up to $2,500 as reimbursement for documented losses that can be reasonably attributed to the cyberattack.

Individuals who wish to object to or exclude themselves from the settlement must do so by November 19, 2022, which is also the final date for submitting claims for reimbursement. A fairness hearing has been scheduled for February 8, 2023.


Doctor Who Provided PHI to Pharma Sales Rep Pleads Guilty to Criminal Violations of HIPAA

A former physician with practices in New Jersey, New York, and Florida has pleaded guilty to criminal violations of HIPAA for disclosing patients’ protected health information to a sales representative of a pharmaceutical firm, according to the U.S. Attorney’s Office of the District of New Jersey.

Dr. Frank Alario, 65, of Delray Beach, Florida, pleaded guilty to disclosing patient information to sales rep Keith Ritson, who promoted compound prescription medications and other medications to the patients. Compound prescription medications are medications mixed specifically for individual patients when standard FDA-approved medications are determined to not be appropriate, due to an allergy for example. Compound prescription medications are not approved by the FDA but can be legally prescribed by physicians.

The HIPAA Privacy Rule permits disclosures of patients’ protected health information for the purposes of treatment, payment, or healthcare operations; however, other disclosures are only permitted if consent to share information is provided by each patient. Ritson was an outside pharmaceutical representative who was not associated with Alario’s practices, and as such Ritson was not permitted to access the protected health information of Alario’s patients. Permission to disclose the information was not provided by patients.

Alario allowed Ritson to have significant access to his office, patients’ medical files, and other patient information, both inside and outside normal business hours. Ritson was given access to areas of Alario’s office that were restricted to staff members, such as areas with patient files and computers. In addition to allowing access to these areas, Ritson was allowed to look up patient information in files and on computers to identify patients who had insurance coverage that would pay for the compound medications. Ritson would then mark the files of patients whose insurance would pay for the medications so Alario would know which patients to prescribe the medications to.

In some cases, Ritson was allowed to be present during appointments. Alario gave patients the impression that Ritson was a member of staff or was affiliated with the medical practice, and during those appointments sensitive health information would be directly disclosed to Ritson. The information obtained was then used to fill out prescription forms for medications, which would then be authorized by Alario, with Ritson receiving a commission on the prescriptions.

Alario and Ritson were both charged in an indictment for conspiring to violate HIPAA. Ritson’s charges are still pending, with his trial scheduled for November 7, 2022. Alario pleaded guilty and sentencing is scheduled for February 7, 2023. Alario faces a maximum of one year in jail and a $50,000 fine.


Netwalker Ransomware Affiliate Sentenced to 20 Years in Jail

An affiliate of the infamous Netwalker ransomware gang has been sentenced to serve 20 years in jail for his role in ransomware attacks on entities in the United States.

Netwalker is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks and deploy ransomware in exchange for a cut of the ransom payments they generate, typically receiving up to 75% of any ransoms paid. After gaining access to a victim’s network, sensitive data would be identified and exfiltrated and used as leverage to pressure victims into paying. Threats were then issued to publish or sell the data if the ransom was not paid. Ransom demands ranged from hundreds of thousands to millions of dollars.

While some RaaS operations ban their affiliates from conducting attacks on healthcare organizations, that was not the case with Netwalker, which actively targeted healthcare organizations around the world. The gang also stepped up attacks on the sector during the COVID-19 pandemic. Victims included the Champaign-Urbana Public Health District and the University of California San Francisco, which had files encrypted on the servers used by its School of Medicine. A ransom of $1.14 million was paid by UCSF for the decryptor to recover essential files.

Sebastien Vachon-Desjardins, 34, from Quebec, a former IT consultant who worked for Public Works and Government Services Canada, was arrested in Canada in January 2021 on suspicion of conducting ransomware attacks as part of a law enforcement crackdown on the Netwalker ransomware gang. Law enforcement searched his home and found 719 Bitcoin with a value of more than $28 million and CAD $640,040 in cash, and seized CAD $420,941 from his bank account.

Vachon-Desjardins pleaded guilty to breaching companies and conducting attacks and also admitted to training other individuals on how to conduct attacks. During the 9 months from May 2020 to January 2021, Vachon-Desjardins is alleged to have earned more than 2,000 Bitcoin for the gang and is estimated to have earned more than CAD $30 million in just 9 months. Vachon-Desjardins was charged for the attacks conducted in Canada, was sentenced to serve 6 years and 8 months in jail, and was ordered to pay restitution to 8 victims of his attacks, ranging from $2,500 to $999,239. While awaiting sentencing, Vachon-Desjardins was also sentenced to serve 4.5 years in jail for a separate drug trafficking case.

A law enforcement investigation into the ransomware attacks conducted by Vachon-Desjardins on U.S. firms was also underway and earlier this year, Vachon-Desjardins was extradited to the United States to face charges in Florida, including conducting a ransomware attack on a Tampa-based firm. Vachon-Desjardins entered into a plea deal and pled guilty to conspiracy to commit computer fraud, conspiracy to commit wire fraud, causing intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

Federal sentencing guidelines were in the range of 12-15 years; however, U.S. District Court Judge William F. Jung opted for a much harsher sentence to serve as a deterrent to other would-be ransomware affiliates. Vachon-Desjardins was sentenced to serve 60 months in jail for conspiracy to commit computer fraud and transmitting a demand in relation to damaging a protected computer, 120 months for causing intentional damage to a protected computer, and 240 months for conspiracy to commit wire fraud, with the sentences to run concurrently. Vachon-Desjardins also agreed to forfeit $21.5 million and will have to serve 3 years of supervised release.

During his prison term, Vachon-Desjardins will not be permitted to use a computer capable of connecting to the Internet, including a smartphone, gaming device, or other electronic devices. Judge Jung said that were it not for the plea deal, and if the case had gone to trial, he would have sentenced Vachon-Desjardins to life in prison.
