Mon Health is facing a class action lawsuit over a hacking incident that allowed unauthorized individuals to gain access to its network for an 11-day period in December 2021. Mon Health said it detected the breach on December 30, 2021, with the forensic investigation determining hackers accessed its network between December 9 and December 19.

Mon Health announced the security breach on February 28, 2022, and confirmed that the hackers had access to the personal and protected health information of 492,861 individuals, including information about patients, employees, providers, and contractors. The information potentially accessed and stolen included names, addresses, birth dates, Social Security numbers, Medicare claim numbers, patient account numbers, health insurance information, medical record numbers, dates of service, provider names, claims information, and medical and clinical treatment information.

The lawsuit, which names Monongalia Health Systems Inc. and affiliated hospitals, Monongalia County General Hospital Co., Stonewall Jackson Memorial Hospital Co., and Preston Memorial Hospital Corp as defendants, was filed in Monongalia County Circuit Court in West Virginia by the Clarksburg law firm, Morgan and Morgan. The lawsuit names Rachel Silbaugh, Robin Stripling, and Michael Stripling as plaintiffs, with all other individuals affected by the breach included as class members.

The lawsuit alleges the data breach occurred as Mon Health failed to implement appropriate cybersecurity measures and was not in compliance with the security standards of the HIPAA Security Rule, alleging negligence, breach of contract, breach of confidence, and breach of implied contract. While the breach notification letters were sent within the maximum timeframe permitted by the HIPAA Breach Notification Rule, the plaintiffs allege those notification letters were untimely and were “woefully deficient” in information about the breach.

Typically, when healthcare organizations experience a breach of the types of information that are sought by identity thieves, affected individuals are offered complimentary credit monitoring services. The plaintiffs claim that these were not provided and that they have been placed with the burden of checking for misuse of their personal information. The plaintiffs claim they face an immediate and ongoing threat of identity theft and fraud as a direct result of the data breach and will continue to suffer damages, including covering the cost of ongoing credit monitoring and identity theft protection services.

The lawsuit seeks class certification, reimbursement of out-of-pocket expenses, and equitable relief, citing 20 data security measures that must be implemented to better protect patient data and prevent further data breaches.

The post Mon Health Faces Class Action Lawsuit Over 493K Record Data Breach appeared first on HIPAA Journal.

LifeBridge Health Inc. has agreed to settle a class action lawsuit to resolve claims from patients affected by a data breach that was discovered in 2018. The total value of the settlement is $9.475 million, which includes an $800,000 fund to cover claims from class members.

In March 2018, LifeBridge Health discovered a malware infection that provided unauthorized individuals with access to a server that hosted its electronic medical records, patient registration, and billing systems. The breach investigation determined the initial intrusion occurred 18 months previously in September 2016. The breach was disclosed by LifeBridge Health in May 2018, with the healthcare provider confirming the information of 582,174 patients had potentially been compromised, with the exposed information including names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of Social Security numbers.

A lawsuit – Johnson, et al. v. LifeBridge Health, Inc. – was filed in the Circuit Court for Baltimore City, MD, by the law firm Murphy, Falcon & Murphy on behalf of patients affected by the incident. The two patients named in the lawsuit, Jahima Scott and Darlene Johnson, claimed to have had their identities stolen as a direct result of the breach, with both claiming they were victims of credit card fraud shortly after the data breach occurred.

The lawsuit alleged class members had been exposed to serious harm and that their personal and protected health information was in the hands of identity thieves, which placed them at immediate and ongoing risk of identity theft and fraud. The named plaintiffs claimed to have suffered monetary losses, had financial transactions declined, experienced issues with their email accounts, fraudulent accounts were created in their names, and their identities had been used to file fraudulent claims for unemployment benefits and COVID-19 disaster small business loans.

The lawsuit alleged LifeBridge Health was negligent as it failed to follow basic security practices, which violated several privacy protection statutes in Maryland, including the Maryland Personal Information Protection Act, Maryland Social Security Number Privacy Act, and Maryland Consumer Protection Act.

LifeBridge Health did not admit to any wrongdoing and did not accept liability for the incident, but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, LifeBridge Health has agreed to create an $800,000 fund to cover claims from class members and will invest $7.9 million in additional security measures to prevent further data breaches, including data encryption, network monitoring, security awareness training, asset tracking, and multi-factor authentication. The remaining $775,000 of the total settlement amount will cover legal fees.

Class members are entitled to submit claims for reimbursement of ordinary and extraordinary losses, including up to 3 hours of lost time at $20 per hour, and a further 2 hours if they suffered extraordinary losses. Claims for ordinary losses of up to $250 per class member can be submitted to cover bank fees, credit monitoring, credit freeze, communication, and other costs, and a claim can be submitted for extraordinary losses up to a maximum of $5,000.

A final approval hearing has been scheduled for October 26, 2022. Claims must be submitted by February 1, 2023.

The post LifeBridge Health Agrees to $9.5 Million Settlement to Resolve 2016 Data Breach Claims appeared first on HIPAA Journal.

Magellan Health has agreed to settle a class action data breach lawsuit and will create a $1.43 million fund to cover claims from patients affected by the breach.

The lawsuit – Dearing v. Magellan Health Inc. et al. – was filed in the Arizona Superior Court against Magellan Health Inc. and Magellan RX Management, LLC on behalf of patients whose protected health information was exposed in a May 2019 phishing attack. Unauthorized individuals gained access to emails and email attachments that contained patients’ protected health information, including names, Social Security numbers, and health information. Approximately 273,000 individuals were affected and had their protected health information exposed.

The plaintiffs alleged the defendants failed to implement appropriate cybersecurity measures to prevent unauthorized access to sensitive patient data and had those safeguards been implemented, the data breach would have been prevented. The plaintiffs alleged the security failures were in violation of the Health Insurance Portability and Accountability Act, although the lawsuit was filed over the violation of state laws.

The plaintiffs also took issue with how Magellan Health handled the data breach and the delay in issuing notifications. The phishing attack occurred in May 2019, was not detected until July 2019, and notification letters were not sent to affected individuals until November 2019, 6 months after the attack. Had notifications been issued sooner, the plaintiffs argued that they could have taken steps to protect against identity theft and fraud.

The decision was taken to settle the lawsuit to prevent further legal costs and to avoid the uncertainty of trial. The defendants made no admission of wrongdoing and do not accept any liability for the data breach. Under the terms of the settlement, $1.43 million will be made available to cover claims from the class members.

All class members are entitled to submit claims of up to $225 to cover ordinary out-of-pocket expenses, such as the costs of credit reports, telephone calls, and Internet usage, and up to two hours of lost time at $15 per hour. Class members that have incurred costs related to credit monitoring and fraud resolution may also be able to claim back those costs. Claims may be submitted for extraordinary losses up to $2,500, such as monetary losses due to fraud and identity theft, as well as a further 3 hours of lost time at $15 per hour. Those claims must be supported by appropriate documentation.

Class members have until November 15, 2022, to exclude themselves or object to the settlement. The final approval hearing for the settlement is December 2, 2022, and all claims must be submitted by December 15, 2022.

The post Magellan Health Settles Class Action Data Breach Lawsuit for $1.43 Million appeared first on HIPAA Journal.

Ambry Genetics has agreed to settle a class action lawsuit that stemmed from a breach of the protected health information of 232,772 patients. In April 2020, Ambry Genetics notified patients that some of their protected health information was stored in an email account that was accessed by an unauthorized individual over a two-day period in January 2020. Emails and attachments contained sensitive patient data such as names, diagnoses, and other medical information, with a subset of patients also having their Social Security numbers exposed. The investigation was not able to determine whether any information in the email account was exfiltrated by the attackers.

A lawsuit was filed in the US District Court for the Central District of California shortly after notifications were issued that alleged Ambry Genetics had failed to implement reasonable safeguards to protect patient information and had not followed industry best practices for cybersecurity and, as a direct consequence of those failures, the protected health information of patients was compromised. The lawsuit also took issue with the delay in issuing notification letters to affected individuals.  The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notification letters within 60 days of the discovery of a data breach, but it took almost 4 months for notification letters to be issued. The lawsuit also alleged invasion of privacy, breach of contract, and violations of state privacy and business laws.

The lawsuit had been dismissed, amended, and refiled on multiple occasions over the past two years, with the latest complaint filed in December 2021. The settlement was proposed to prevent further legal costs and the uncertainty of trial, and is intended to fully resolve, discharge, and settle all claims made by the plaintiffs and class members. Ambry Genetics has not admitted to any wrongdoing and accepts no liability for the data breach.

Under the terms of the settlement, Ambry Genetics has agreed to create a $12.25 million fund, $2.25 million of which will cover the costs of notifications, administrative costs, and three years of identity theft protection and credit monitoring services to the class members.

Individuals affected by the data breach will be entitled to submit claims of up to $10,000 for reimbursement of documented out-of-pocket expenses incurred due to the data breach, up to 10 hours of documented time at $30 per hour, and up to 3 hours of ‘default time’ at $30 an hour. Individuals who were residents of California or Illinois at the time of the data breach are entitled to claim $150 compensation, in addition to any other claims, to resolve potential violations of the California Confidentiality of Medical Information Act and the Illinois Genetic Information Privacy Act. Class representatives will be entitled to claim a service award of $2,500.

In addition to the settlement, Ambry Genetics said it has spent in excess of $800,000 on issuing notifications and paying for credit monitoring services, with those costs potentially increasing to $1.4 million. Ambry Genetics said the total settlement amount is likely to increase to more than $14 million, and potentially more than $20 million when all remedial actions have been taken.

Those actions include changes to its business practices and additional security measures, including providing further security awareness training for staff members, adding warnings to external emails, and placing more stringent restrictions on access to patients’ protected health information. Ambry Genetics has also strengthened vendor management and requires all vendors to have SOC-2 certification, perform third-party risk assessments, and conduct penetration tests and phishing simulations on employees.

The post Ambry Genetics Settles Class Action Data Breach Lawsuit for $12.25 Million appeared first on HIPAA Journal.