Legal News

Dental Care Alliance Settles Class Action Data Breach Lawsuit for $3 Million

Posted by HIPAA Journal

Dental Care Alliance has agreed to settle a class action lawsuit filed in response to a data breach that affected more than 1.7 million individuals. A fund of $3 million has been created to cover claims from individuals affected by the breach.

Dental Care Alliance, LLC, is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices across 20 states. Dental Care Alliance said its systems were compromised on September 18, 2020, the breach was detected on October 11, 2020, and was contained on October 13, 2020. The forensic investigation confirmed that names, addresses, diagnoses, treatment information, patient account numbers, billing information, dentists’ names, payment card information, and health insurance information had potentially been compromised. Individuals were notified about the breach in December 2020.

The breach report submitted to the HHS’ Office for Civil Rights initially indicated 1,004,304 individuals had been affected, but it was later amended to 1,723,375 individuals. Dental Care Alliance said no specific evidence of data theft was found and it was unaware of any misuse of patient data. Despite highly sensitive information being involved, credit monitoring services were not offered.

A lawsuit – Paras v. Dental Care Alliance, LLC, Case No. 22-ev-000181 – was filed in the State Court of Fulton County, Georgia, on behalf of individuals affected by the data breach. Dental Care Alliance was alleged to have failed to adequately secure patient information and the plaintiffs claimed that had reasonable cybersecurity measures been implemented, the data breach would have been prevented. The plaintiffs alleged that they face an increased risk of identity theft and fraud due to the negligence of Dental Care Alliance and that their sensitive personal and protected health information is now in the hands of data thieves.

Dental Care Alliance has proposed a settlement to resolve claims related to the data breach but has not admitted any wrongdoing. Under the terms of the settlement, a fund of $3 million will be created to cover claims from affected individuals, and 2 years of identity theft protection services are being offered to all affected individuals. Those services include dark web monitoring and coverage by a $1 million identity theft insurance policy.

All class members are entitled to submit claims of up to $2,000 for documented losses due to the data breach, and up to two hours of lost time at $20 per hour. Individuals part of a settlement subclass can submit additional claims for up to $3,000 for documented losses and an additional two hours of lost time. The cap for claims is $3,000,000, so claims will be paid pro rata if that figure is exceeded. The attorneys for the plaintiffs will ask the court to award fees of $850,000 and payments of $1,500 for the class representatives. Under the terms of the settlement, Dental Care Alliance has committed to implementing additional data security measures.

The final approval hearing for the settlement is scheduled for Sept. 1, 2022. The deadline for opting out of the settlement – July 26, 2022 – has now passed. Claims must be submitted no later than August 25, 2022.

The post Dental Care Alliance Settles Class Action Data Breach Lawsuit for $3 Million appeared first on HIPAA Journal.

Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites

Posted by HIPAA Journal

Meta is facing another class action lawsuit over the unlawful collection and sharing of health data without content. The lawsuit was filed in the Northern District of California on behalf of plaintiff, Jane Doe. The lawsuit alleges Meta and its companies, including Facebook, have been collecting the sensitive health data of millions of patients without obtaining express consent and have used the information to serve individuals with targeted advertisements.

Jane Doe was a patient of UCSF Medical Center and Dignity Health Medical Foundation and claims her sensitive health was unlawfully obtained by Meta when she entered the information into the UCSF Medical Center online patient portal. UCSF Medical Center had added Meta Pixel code to the web pages of the patient portal. Meta Pixel is a snippet of JavaScript code that is used to track website visitors. The code records and transmits to Meta the web pages that a user visits. If the code is present on a web page with a form, such as those used to book appointments, the selections from drop-down boxes are recorded and transmitted. Those selections could indicate a patient’s medical condition or why an appointment has been booked.

One of the targeted Facebook adverts served to Jane Doe. Source: Jane Doe v. Meta Platforms, Inc. F/K/A Facebook, Inc., UCSF Medical Center, and Dignity Health Medical Foundation.

Jane Doe said she has been a user of Facebook since 2012 and alleges her privacy has been violated, as her information was collected and used without her consent. The information entered on the form was used by Meta to serve her with targeted advertisements related to her medical condition. The lawsuit alleges a violation of HIPAA, as neither UCSF Medical Center nor Dignity Health Medical Foundation had entered into a business associate agreement with Meta or Facebook, and at no point did Meta, Facebook, or the hospitals obtain content or inform patients that their information was being provided to Meta to deliver targeted advertisements.

Under HIPAA, healthcare providers are permitted to disclose an individual’s protected health information to another HIPAA-covered entity or a third-party vendor for reasons related to treatment, payment, or healthcare operations, and in such cases, consent is not required from the patient. Most other disclosures require a HIPAA-covered entity to enter into a business associate agreement with the third party prior to any disclosure of PHI, and content is required from the individuals whose PHI is disclosed.

There is no private right of action in HIPAA, so it is not possible for individuals to sue their healthcare providers for HIPAA violations, but there are often equivalent federal and state laws that do have a private right of action. In this case, the lawsuit makes sixteen claims including common law invasion of privacy – intrusion upon seclusion, invasion of privacy, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Constitution, California Confidentiality of Medical Information Act (CMIA), California Business and Professions Code, California Invasion of Privacy Act, the Comprehensive Computer Data Access and Fraud Act, and the Federal Wiretap Act.

The lawsuit alleges the plaintiff and class members have suffered damage and loss as a result of the conduct of the defendants, which has deprived the plaintiff and class members of control of their valuable property, the ability to obtain compensation for their data, the ability to withhold their data from sale, and that the violations have resulted in irreparable and incalculable harm and injuries. The lawsuit seeks damages and injunctive and equitable relief.

The lawsuit makes similar allegations to another lawsuit filed against Meta, in that case by plaintiff John Doe, who was a patient of MedStar Health in Maryland. The Markup recently conducted an investigation into the sharing of healthcare data with Meta/Facebook via Meta Pixel on hospital websites and found that 33 of the top 100 hospitals in the United States had the Meta Pixel code on their websites, and 7 hospitals had the code installed on their patient portals behind logins, yet consent to share data was not obtained.

The post Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites appeared first on HIPAA Journal.

Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers

Posted by HIPAA Journal

The U.S Department of Justice has announced that around $500,000 in Bitcoin has been seized from North Korean threat actors who were using Maui ransomware to attack healthcare organizations in the United States.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a security alert warning that North Korean hackers have been targeting the healthcare and public health sector in the United States using Maui ransomware since at least May 2021. The attacks have caused extensive disruption to IT systems and medical services and have put patient safety at risk.

The new ransomware variant was discovered during an investigation of a ransomware attack on a hospital in Kansas in May 2021. The attack was traced to a North Korean hacking group that is suspected of receiving backing from the state. The Kansas hospital had its servers encrypted, preventing access to essential IT systems for more than a week. The hospital paid a ransom of $100,000 for the keys to decrypt files and regain access to its servers and promptly notified the FBI about the attack and payment. The FBI was able to trace the payment, which was passed to money launderers in China, along with another payment of approximately $120,000 that was made by a healthcare provider in Colorado.

In May 2022, the FBI filed a seizure warrant in the District of Kansas to recover payments made in cryptocurrencies to the Maui ransomware gang, and ransom payments of approximately $500,000 were recovered from the seized cryptocurrency accounts. The funds have been forfeited by the ransomware gang and have been returned to healthcare providers in Kansas and Colorado.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Deputy Attorney General Lisa O. Monaco today at the International Conference on Cyber Security. “Not only did this allow us to recover their ransom payment as well as a ransom paid by previously unknown victims, but we were also able to identify a previously unidentified ransomware strain. The approach used in this case exemplifies how the Department of Justice is attacking malicious cyber activity from all angles to disrupt bad actors and prevent the next victim.”

Microsoft has also recently reported that a North Korean hacking group that operates under the name HolyGhost has also been using ransomware attacks on SMBs in the United States. It is not clear if the attacks are being conducted by a state-sponsored hacking group or if individuals associated with the Lazarus Group are moonlighting and conducting the attacks independently.

“Today’s success demonstrates the result of reporting to the FBI and our partners as early as possible when you are a victim of a cyberattack; this provides law enforcement with the ability to best assist the victim,” said FBI Cyber Division Assistant Director Bryan Vorndran. “We will continue to pursue these malicious cyber actors, such as these North Korean hackers, who threaten the American public regardless of where they may be and work to successfully retrieve ransom payments where possible.”

The post Department of Justice Announces Seizure of $500,000 in Ransom Payments Made by U.S. Healthcare Providers appeared first on HIPAA Journal.

The Methodist Hospitals Settles Class Action Data Breach Lawsuit for $425,000

Posted by HIPAA Journal

The Methodist Hospitals Inc. has agreed to settle a class action lawsuit and has created a fund of $425,000 to cover claims from victims of a 2019 data breach that affected almost 70,000 current and former patients.

The Gary, IN-based healthcare provider reported an email security incident to the HHS’ Office for Civil Rights on April 4, 2019, that resulted in the exposure and potential theft of the protected health information of 68,039 patients. The investigation confirmed hackers gained access to two employee email accounts between March 13, 2019, and July 8, 2019, following responses to phishing emails and potentially exfiltrated patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, Medicare/Medicaid numbers, usernames, passwords, treatment and diagnosis information, and payment card information.

A lawsuit – Jones v. The Methodist Hospitals, Inc. – was filed in the Harris County District Court in Texas in the wake of the data breach that alleged The Methodist Hospitals was negligent for failing to adequately protect the protected health information of patients. Plaintiffs James Jones and Samantha L. Gordon, and members of the class allegedly suffered harm as a result of the data breach.

The Methodist Hospitals denied any wrongdoing and the OCR investigation was closed with no action taken; however, the decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, eligible class members are entitled to submit a claim for two additional years of credit monitoring and identity theft resolution services, reimbursement for economic losses, and reimbursement for time lost due to the data breach. Claims for reimbursement of documented economic losses of up to $3,000 can be submitted and/or claims of up to $300 can be submitted for reimbursement of lost time. Final approval of the settlement was received on June 13, 2022. Claims must be submitted by October 6, 2022.

The post The Methodist Hospitals Settles Class Action Data Breach Lawsuit for $425,000 appeared first on HIPAA Journal.

BJC Healthcare Settles Data Breach Lawsuit Stemming from 2020 Phishing Attack

Posted by HIPAA Journal

BJC HealthCare has agreed to settle a class action lawsuit to resolve claims it failed to adequately protect patient data from phishing attacks. The nonprofit St. Louis-based hospital system reported a breach of its email system to the HHS’ Office for Civil Rights on May 5, 2020, that affected 287,876 individuals. The investigation confirmed that three email accounts had been compromised in March 2020 as a result of responses to phishing emails. While data theft could not be determined, the affected email accounts contained the protected health information of patients of 19 of its hospitals, including names, birth dates, health insurance information, Social Security numbers, driver’s license, and healthcare data.

The lawsuit, filed in the Circuit Court of the City of St. Louis State of Missouri, originally included 10 counts against the defendants and survived two motions to dismiss, with the lawsuit allowed to proceed on 8 of the 10 counts: unjust enrichment, breach of contract, negligence, negligence per se, breach of covenant of good faith and fair dealing, vicarious liability, and violations of the Missouri Merchandising Practicing Act (MMPA) and Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA).

BJC HealthCare agreed to settle the lawsuit with no admission of liability or wrongdoing. Under the terms of the settlement, BJC HealthCare will make funds available to cover claims from affected individuals up to a maximum of $5,000. Each individual affected may submit a claim for ordinary and extraordinary expenses incurred as a result of the data breach.

Claims can be submitted for ordinary expenses such as bank fees, interest, credit monitoring costs, postage, mileage, and up to 3 hours of lost time at $20 per hour. Ordinary claims are capped at $250 per person. Claims of up to $5,000 can be submitted for extraordinary expenses, including documented monetary losses and up to three hours of additional lost time at $20 per hour. BJC Healthcare has also agreed to cover the cost of two years of credit monitoring and identity theft protection services. Named plaintiffs will receive up to $2,000 and BJC HEalthCare will cover the plaintiffs’ legal costs. BJC HealthCare has committed $2.7 million to cover the cost of implementing multi-factor authentication for its email accounts to improve protection against phishing attacks.

Claims must be submitted by Dec. 14, 2022. The final approval hearing for the settlement is on Sept. 6, 2022.

In May 2022, BJC HealthCare reported another email breach to the HHS’ Office for Civil Rights. The incident was reported as affecting 500 individuals – a common placeholder used until the exact number of affected individuals is determined. The breach occurred two months previously.

The post BJC Healthcare Settles Data Breach Lawsuit Stemming from 2020 Phishing Attack appeared first on HIPAA Journal.

Tenet Healthcare Sued Over Data Breach; San Francisco Settles Data Breach Lawsuit

Posted by HIPAA Journal

Tenet Healthcare and Baptist Health are facing a class action lawsuit over a recently reported data breach that affected 1.2 million patients. The breach was detected on April 20, 2022, with the forensic investigation confirming an unauthorized third-party had accessed the IT networks of Baptist Medical Center or Resolute Health Hospital between March 31 and April 24, 2022, and removed files containing sensitive patient data. The information potentially compromised included names, addresses, Social Security numbers, health insurance information, medical information, and billing and claims data.

Tenet Healthcare issued a public notification about the cyberattack and data breach on April 26, 2022, while the investigation into the breach was ongoing. Notifications were sent to affected individuals in mid-June, less than two months after the discovery of the cyberattack. Affected individuals were offered complimentary credit monitoring and identity theft protection services.

The lawsuit was filed in Dallas County and names Texas resident, Troy Contreras, as the lead plaintiff. The lawsuit alleges the defendants were negligent for failing to protect the privacy of patients by implementing appropriate safeguards that met industry standards, such as multi-layered security, malware detection software, and providing sufficient security awareness education to the workforce, and that the data security practices of the defendants were not aligned with the guidelines issued by the Federal Trade Commission. The lawsuit also alleges a failure to issue proper notifications.

The plaintiff claims to have spent a significant amount of time ensuring his personal and protected health information is safe and that he is protected against fraud, and will continue to have to spend time doing so in the future. The lawsuit does not allege any actual misuse of the plaintiff’s data. The lawsuit seeks damages in excess of $1 million.

San Francisco Settles Medical Data Breach Lawsuit

The city and county of San Francisco have settled a long-running class action data breach lawsuit – Jane Doe, et al. vs. The City and County of San Francisco, et al – and have agreed to make $400,000 available to cover claims from the 8,884 class members. The lawsuit was filed following the impermissible disclosure of the private medical information of patients of Zuckerberg San Francisco General Hospital and Trauma Center, whose medical records were kept by neurosurgeon Dr. Shirley Stiver.

The case was filed in April 2016 in San Francisco Superior Court over the disclosure of highly sensitive data such as names, medical records, diagnoses – including HIV diagnoses – surgical notes, consultation notes, and radiologic films. The disclosures occurred without written consent from patients. The lawsuit alleged violations of the Confidential Medical Information Act and the California Health & Safety Code.

Class members are entitled to submit claims for up to $599. Claims must be submitted by August 30, 2022. The final approval hearing has been scheduled for September 29, 2022.

The post Tenet Healthcare Sued Over Data Breach; San Francisco Settles Data Breach Lawsuit appeared first on HIPAA Journal.

Health Aid of Ohio Settles Class Action Data Breach Lawsuit

Posted by HIPAA Journal

Health Aid of Ohio has agreed to settle a class action lawsuit to resolve claims that it failed to protect the sensitive personal information of its customers.

Health Aid of Ohio is a Parma, OH-based full-service home medical equipment provider. On February 19, 2021, Health Aid discovered hackers had gained access to its network and viewed and removed files containing sensitive customer information. The files contained information such as name, telephone number, Social Security number, date of birth, medical diagnosis, insurance information, and the type of equipment that was delivered or repaired. Notifications were issued to affected customers in May 2021. The data breach affected 141,149 individuals.

A lawsuit was filed on behalf of affected individuals, which alleged Health Aid had failed to implement reasonable cybersecurity measures to ensure the confidentiality of customer data. The lawsuit alleged negligence, unjust enrichment, invasion of privacy, and other claims.

Health Aid admitted no wrongdoing but decided to settle the lawsuit to resolve all claims related to the data breach. Under the terms of the settlement, any individual affected who had their Social Security number exposed is entitled to a cash payment of up to $250 and can submit a claim for out-of-pocket expenses, including credit monitoring costs, and up to four hours of lost time at $15 per hour. Documentation must be submitted to support any claim. Any individual who can provide documentation that proves they were a victim of fraud can submit a claim of up to $2,500. Claims must be submitted by August 22, 2022, and the deadline for exclusion or objection is July 22, 2022.

Regardless of the types of information exposed in the data breach, all class members are entitled to a 12-month complimentary membership to credit monitoring and identity theft restoration service. Health Aid has also agreed to implement a range of additional safeguards to better protect customer information in the future and will undergo annual security risk assessments in 2022 and 2023 to determine whether further security enhancements can be made.

The final approval hearing for the settlement has been scheduled for Sept. 20, 2022.

The post Health Aid of Ohio Settles Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Multiple Class Action Lawsuits Filed Against MCG Health Over Data Breach

Posted by HIPAA Journal

Multiple class action lawsuits have been filed against the Seattle-based Hearst Health subsidiary, MCG Health, over a data breach that has affected at least 10 healthcare organizations including Indiana University Health, Lenoir Health Care, Phelps Health, and Jefferson County Health Center.

The data breach was reported to the HHS’ Office for Civil Rights on June 10 as affecting 793,283 individuals, but some affected healthcare organizations have self-reported the breach. The breach notification issued to the Maine Attorney General indicates the protected health information of up to 1.1 million patients was potentially obtained by an unauthorized third party in the attack.

MCG Health said it discovered on May 25, 2022, that files had been removed from its systems that included names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth, and genders. Notification letters were sent to affected individuals on June 10, 2022, and 2 years of complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

So far at least five lawsuits have been filed against MCG Health in the District Court for the Western District of Washington over the data breach. The lawsuits make similar claims and allege negligence, invasion of privacy, bailment, breach of implied contract, breach of confidence, and a violation of the Washington Consumer Protection Act.

Strecker v. MCG Health, alleges the hackers had access to MCG Health systems for at least two weeks before the breach was detected; however, Booth v. MCG Health alleges the data breach occurred more than two years before it was detected by MCG Health, and that hackers gained access to MCG Health systems and exfiltrated data around February 25 to 26, 2020, and that the breach date of March 25, 2022, on the MCG Health notifications is when MCH Health discovered that sensitive files had been infiltrated. It then took more than 2 months for notifications to be issued to affected individuals.

The lawsuits allege the affected plaintiffs have suffered lost time, annoyance, interference, and inconvenience as a result of the data breach, and now that their protected health information is in the hands of criminals, they face a substantial present risk of identity theft and fraud, and that risk will continue to increase for years to come. Plaintiff Cynthia Strecker claims to have suffered anxiety and emotional distress due to the data breach and has increased concerns for the loss of her privacy. Similar claims are made in Thorbecke et al v. MCG Health, Saiki v. MCG Health, and Crawford et al v. MCG Health.

The lawsuits seek class action certification, compensatory and punitive damages, pre- and post-judgment interest, attorney’s fees and costs, and other relief, and call for MCG Health to make significant improvements to security, including encrypting all data, conducting regular penetration tests, employing data segmentation, improving logging and monitoring, appointing a third-party assessor to conduct annual SOC 2 Type 2 attestations for 10 years, and to cease storing personally identifiable patient information in cloud databases.

The post Multiple Class Action Lawsuits Filed Against MCG Health Over Data Breach appeared first on HIPAA Journal.

University of Pittsburgh Medical Center Settles Data Breach Lawsuit for $450,000

Posted by HIPAA Journal

University of Pittsburgh Medical Center has agreed to settle a class action data breach lawsuit and will make $450,000 available to cover claims from individuals who have suffered losses due to the theft and misuse of their protected health information.

The data breach affected approximately 36,000 patients and saw their protected health information accessed and stolen by an unauthorized third party between April 2020 and June 2020. The breach occurred at UPMC’s legal counsel, Charles J. Hilton PC, (CJH), which provided billing-related services. The compromised data was stored within the firm’s email environment and included names, birth dates, Social Security numbers, financial information ID numbers, signatures, insurance information, and medical information. The data breach was detected in June 2020; however, notifications were not sent to affected individuals until December 2020.

While many speculative lawsuits are filed against healthcare organizations and their business associates over the exposure of patient data, in this case, the plaintiff was defrauded soon after the breach, which was, on the balance of probability, due to his information being stolen in the data breach at CJH. An Amazon credit card account had been opened in his name. The plaintiff claimed he had to spend a considerable amount of time addressing the misuse of his personal and protected health information. The lawsuit alleged UPMC and CJH failed in their duty to protect patient data and had not implemented reasonable and appropriate safeguards to protect their private data.

Neither UPMC nor CJH admitted any wrongdoing or liability but agreed to settle the lawsuit. Under the terms of the settlement, class members are entitled to make a claim for a $250 cash payment as reimbursement for documented out-of-pocket expenses related to the data breach and may submit claims for up to $2,500 to recover fraudulent charges and costs related to identity theft, plus $30 for undocumented time spent dealing with the breach. 12 months of complimentary credit monitoring, identity theft, and dark web monitoring services will also be provided to class members. Claims must be submitted no later than September 3, 2022.

Last year, UPMC settled a long-running lawsuit for $2.65 million. The lawsuit was filed on behalf of 27,000 employees affected by a February 2014 data breach.

The post University of Pittsburgh Medical Center Settles Data Breach Lawsuit for $450,000 appeared first on HIPAA Journal.