Legal News

CaptureRx Proposes $4.75 Million Settlement to End Data Breach Litigation

CaptureRx has proposed a $4.75 million settlement to resolve claims related to a 2021 data breach that affected approximately 2.4 million patients of its healthcare provider clients.

CaptureRx is a healthcare administrative service provider that helps hospitals manage their 340B drug discount programs. On February 6, 2021, CaptureRx discovered unauthorized individuals had gained access to its network and used ransomware to encrypt its files. On March 19, 2021, CaptureRx determined files containing patient data had been compromised, and affected clients started to be notified on March 30, 2021. CaptureRx publicly announced the data breach but did not initially disclose how many individuals had been affected. The breach was reported to the HHS’ Office for Civil Rights in May 2021 by CaptureRx as affecting 1,656,569 individuals, although several of its healthcare provider clients reported the breach themselves.

Several class action lawsuits were proposed that alleged CaptureRx was negligent for failing to implement and maintain appropriate safeguards to protect patient data, among other claims. CaptureRx took the decision to propose a settlement resolving all claims associated with the data breach in order to end the litigation and avoid further legal costs. Christopher Hotchkiss, CEO of NEC Networks, CaptureRx’s parent company, said CaptureRx is facing multiple claims for indemnity from its customers, which has placed a considerable financial strain on the company. Hotchkiss said CaptureRx is not a large national or multinational company and has limited resources, and that if the settlement is not finalized, CaptureRx may be forced into filing for bankruptcy. “By settling now, the settlement class can take advantage of remedies that would be unavailable or worth substantially less by the time of a litigated final judgment,” said legal counsel for CaptureRx in the court filing.

The proposed settlement will see a $4.75 million fund created to cover legal costs and claims from plaintiffs and class members. Lawyers for the plaintiffs will receive around a third of the settlement, plaintiffs will receive around $2,000 each, and the remainder of the fund will cover claims from class members. CaptureRx’s insurer will be covering around half of the settlement, with CaptureRx paying the remainder. Plaintiffs will be entitled to submit claims of up to $25, regardless of whether they experienced identity theft, with claims of up to $75 possible for California residents. Under the terms of the settlement, CaptureRx is required to develop, implement, and maintain a comprehensive information security program, if such a program has not already been implemented.

CaptureRx will now seek preliminary approval for the settlement from the courts and the plaintiffs will have the opportunity to reject the settlement; however, lawyers for the plaintiffs believe the proposed settlement is fair.

The post CaptureRx Proposes $4.75 Million Settlement to End Data Breach Litigation appeared first on HIPAA Journal.

Inmediata Agrees to Settle Class Action Lawsuit for $1.125 Million

Inmediata, a provider of clearinghouse services and business process software, has agreed to settle a class action lawsuit filed by victims of its 2019 security breach that exposed the protected health information of more than 1.56 million individuals.

In January 2019, Inmediata discovered that a misconfiguration on its website had resulted in internal web pages containing electronic protected health information (ePHI) being accessible over the Internet. The web pages were indexed by search engines and could be found in search engine listings. The exposed information was mostly limited to names, addresses, dates of birth, gender, and medical claim information. A small percentage of individuals also had their Social Security numbers exposed. When notification letters were sent to affected individuals, errors made by Inmediata’s mailing vendor resulted in letters being sent to the wrong individuals. Some individuals reported receiving multiple notification letters, some of which contained the names of other patients. The notification letters were sent in April 2019, three months after the data breach was discovered. Inmediata’s investigation found no evidence to suggest any information on the web pages had been viewed or copied by unauthorized individuals, but it was not possible to rule out unauthorized ePHI access.

In April 2019, a class action lawsuit – Jessie Seranno et al. v. Inmediata Corp. and Inmediata Health Group Corp – was filed on behalf of victims of the breach that alleged Inmediata had failed to implement appropriate information security measures to keep individuals’ protected health information private and confidential, and also unnecessarily delayed issuing breach notification letters.

Inmediata has not admitted any wrongdoing and does not accept any liability for the data breach but has decided to settle the case to avoid further legal costs and the uncertainty of a jury trial. Under the terms of the settlement, Inmediata will set up a $1.125 million fund to cover claims from the plaintiffs and class members.

All class members will be entitled to submit claims of up to $2,500 as reimbursement for documented out-of-pocket expenses incurred in relation to the data breach, including the costs incurred from credit monitoring services, fees, and any fraudulent charges on their accounts, as well as up to three hours of time at a rate of $15 per hour. A further $50 or more can be claimed by all breach victims who were living in California at the time of the breach, as required by the California Confidentiality of Medical Information Act (CMIA). The amount available to cover CMIA claims will be determined by the number of individuals who submit a claim. All class members will also be entitled to a complimentary membership to Kroll’s Web Watcher credit and identity theft monitoring service.

The plaintiffs and class members have until March 21, 2022, to submit their claims, exclude themselves, or object to the settlement. The final approval hearing is scheduled for April 21, 2022.

Federal Court Recommends Dismissal of PracticeFirst Data Breach Lawsuit

The U.S. District Court for the Western District of New York has recommended a class action data breach lawsuit against Practicefirst Medical Management Solutions over a 2020 ransomware attack be dismissed.

Practicefirst, an Amherst, New York-based medical management services provider, provides billing, credentialing, bookkeeping, coding, and compliance services to medical practices. On December 30, 2020, Practicefirst discovered unauthorized individuals had gained access to its network, exfiltrated sensitive data, then attempted to deploy ransomware. The files exfiltrated from its systems included names, addresses, email addresses, Social Security numbers, usernames and passwords, financial information, and healthcare information. PracticeFirst entered into negotiations with the ransomware gang and arranged for the return of the data and received confirmation that the stolen files had been destroyed and were not further disclosed. The breach was reported to regulators as affecting more than 1.2 million individuals, including patients and employees, and affected individuals started to be notified about the data breach in July 2021. A complimentary 2-year membership to credit monitoring and identity theft protection services was offered to individuals affected by the incident.

A few days after the notification letters were sent, a lawsuit was filed naming Peter Tassmer and Karen Cannon as plaintiffs, both patients of medical practices contracted with PracticeFirst. The lawsuit sought damages and injunctive relief that would require PracticeFirst to make significant security improvements. The lawsuit alleged PracticeFirst’s security failures resulted in the unauthorized release of the plaintiffs’ and other class members’ sensitive data, which placed them at an increased and imminent risk of future identity theft, economic damages, and other injury and harm. The lawsuit claimed the plaintiffs and class members had suffered actual injuries in the form of a violation of their privacy rights, a diminished value of their personal information, and time and money spent in response to the breach that could have been spent on other activities.

The District Court recommended the lawsuit be dismissed as the plaintiffs were unable to demonstrate they had suffered concrete harm as a result of the data breach. The risk of identity theft, fraud, and other injury was deemed too speculative and not imminent. The plaintiffs alleged that their sensitive data had been stolen and that, because it had been stolen, it would be used for identity theft and fraud. The judge said in his decision that the allegation was speculative, since this was a ransomware attack concerned with the exchange of money for access to data, not theft of data for the purpose of identity theft.

The lawsuit alleged loss of value of the plaintiffs’ personal and protected health information; however, evidence was not provided to back up that claim. While there are companies that offer to purchase personal and healthcare data, the plaintiffs did not allege they had attempted to sell their information and were forced to accept a lower price as a result of the ransomware attack.

The recommendation follows the decisions of numerous circuit and district courts not to grant Article III standing for lawsuits based on the imminent risk of future identity theft when the plaintiffs have been unable to provide evidence of misuse of their personal information and actual harm. The Judge’s decision referenced the June 2021 decision of the Supreme Court in the case Transunion LLC v. Ramirez, in which the Supreme Court ruled that the risk of harm cannot qualify as concrete harm on its own, at least unless the exposure to the risk of future harm itself causes a separate concrete harm.

“The Supreme Court has made clear that allegations of a concrete harm that are tied to speculative or possible future injury are insufficient because plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is certainly impending,” said the judge in the ruling. The parties have been provided with 14 days to file objections, after which a final ruling will be issued.

RI Attorney General Subpoenas RIPTA and UnitedHealthcare Over 22,000-Record Data Breach

The Rhode Island Attorney General is investigating UnitedHealthcare and the Rhode Island Public Transit Authority (RIPTA) over a cyberattack and data breach that resulted in hackers gaining access to RIPTA’s network that contained the sensitive personal and protected health information of up to 22,000 individuals.

The Office of the Rhode Island Attorney General was notified about the security breach on December 23, 2021. RIPTA said it discovered and blocked a cyberattack on August 5, 2021, with its investigation confirming the hackers gained access to its network on August 3, 2021. Files stored on the compromised part of its network included extensive information on its employees, including names, dates of birth, Social Security numbers, and health plan ID numbers, along with the sensitive information of thousands of state employees who had never worked at RIPTA.

RIPTA reported the breach to the HHS’ Office for Civil Rights as affecting 5,015 individuals but said in its breach notice that the incident had resulted in the exposure of the personal data of 17,378 individuals. The difference in the numbers was due to UnitedHealthcare, RIPTA’s previous health insurance provider, providing RIPTA with files containing the data of non-RIPTA employees. In total, up to 22,000 individuals had their sensitive data stolen in the attack. The files were stored unencrypted on RIPTA’s servers, and the hackers exfiltrated approximately 40,000 files from RIPTA’s systems.

RIPTA sent notification letters to affected individuals, including those that had no association with RIPTA, triggering a barrage of complaints to the Office for the Attorney General questioning why their personal data had been compromised in a breach at RIPTA when they had never had any association with the quasi-public agency. The delay in issuing notification letters was due to each of those 40,000 files having to be manually searched, which was a labor-intensive and time-consuming process. RIPTA said only a small number of people were involved in the document review to prevent sensitive data from being further exposed.

On Monday this week, RIPTA administrators testified under oath at a Senate oversight committee hearing about the incident. RIPTA Chief Legal Counsel Steven Colantuono said at the hearing, “We don’t believe that anyone did anything wrong on our end, but we are still investigating it.”

RIPTA Director Scott Avedisian confirmed that reports downloaded by RIPTA from a UnitedHealthcare portal between 2015 and 2020 were ‘filtered files’, and the data unrelated to RIPTA was supposed to remain hidden. While not confirmed, the description suggests the downloaded files were Excel spreadsheets with certain rows hidden. The secure links to access the files on the portal were emailed to RIPTA by UnitedHealthcare.

At the hearing, officials at the state Department of Information Technology confirmed there is a statewide policy requiring the encryption of sensitive data such as personally identifiable information, personal health information, and federal tax information; however, RIPTA is not one of the agencies or quasi-state agencies assisted or supported by the Department of Information Technology, so RIPTA is not required to comply with the state’s encryption policy.

UnitedHealthcare’s VP of external affairs was scheduled to appear at the hearing but backed out after initially agreeing to appear. UnitedHealthcare said it is investigating the breach to determine what went wrong. At this stage, there is no listing of a breach at UnitedHealthcare on the HHS’ Office for Civil Rights breach portal.

In addition to the investigation by the Rhode Island Attorney General, Colantuono said there will also be a federal investigation and discussions are currently being had between the Department of Justice and the HHS’ Office for Civil Rights to determine which of the two agencies will be conducting the investigation. There is also the possibility of legal action being taken against UnitedHealthcare and RIPTA by state employees affected by the data breach.

Memorial Health System Faces Class Action Lawsuit Over August 2021 Cyberattack

Marietta Area Health Care Inc., doing business as Memorial Health System, is facing a class action lawsuit over a cyberattack and data breach that was detected by Memorial Health System on August 14, 2021.

The investigation into the attack confirmed the attackers first gained access to company servers on or around July 10, 2021, and installed malware on its systems. Unauthorized access remained possible until August 15, 2021.

The breach notification letters state Memorial Health System learned on September 17, 2021, that the threat actor potentially accessed or acquired information from its systems. The review of the affected systems was completed on November 1, 2021, and affected individuals were notified on January 12, 2022, and were offered a 12-month complimentary membership to a credit monitoring service. The breach notice submitted to the Maine attorney general indicates the personal information of 216,478 individuals was potentially accessed by the attackers.

The lawsuit was filed in the U.S. District Court for the Southern District of Ohio, Eastern Division, against Marietta Area Health Care Inc. dba Memorial Health System on behalf of plaintiff Kathleen Tucker and other individuals affected by the breach.

The lawsuit alleges the plaintiff’s and class members’ personal information, which included names, dates of birth, medical record numbers, patient account numbers, Social Security Numbers, and medical information, was compromised and unlawfully accessed, and that the plaintiff and class members, “suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.”

The lawsuit alleges Memorial Health System was negligent for maintaining the private information of patients in a reckless manner by storing the information on systems that were vulnerable to cyberattacks. The lawsuit alleges the risk of cyberattacks was known to the defendant yet the necessary steps to secure private information were not taken. In addition to the negligence claim, the lawsuit alleges negligence per se, breach of implied contract, and unjust enrichment.

The plaintiff and class members are alleged to now be exposed to a heightened and imminent risk of fraud and identity theft and must now and in the future closely monitor their financial accounts to guard against identity theft. Out-of-pocket expenses have also been incurred, including the cost and time of arranging credit monitoring services, credit freezes, and credit reports.

The lawsuit seeks a jury trial and compensatory damages, treble damages, punitive damages, reimbursement of out-of-pocket costs, and injunctive relief, which should include improvements to Memorial Health System’s data security systems, future annual audits, and providing adequate credit monitoring services to individuals affected by the breach.

The lawsuit was filed by attorney Joseph M. Lyon of The Lyon Firm, LLC. The law firm of Console & Associates, P.C. has also initiated an investigation into the cyberattack and data breach.

Settlement Reached in Excellus Class Action Data Breach Lawsuit

Excellus Health Plan Inc., its affiliated companies, and the Blue Cross Blue Shield Association (BCBSA) have reached a settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015 involving the personally identifiable information (PII) and protected health information (PHI) of more than 10 million members, subscribers, insureds, patients, and customers.

The cyberattack was detected on August 5, 2015, by a cybersecurity firm that was hired to assess Excellus’s information technology system. The subsequent investigation by Excellus and cybersecurity firm Mandiant determined hackers had first gained access to its systems on or before December 23, 2013. Evidence was found that indicated the hackers were active within its network until Aug. 18, 2014, after which no traces of activity were found; however, malware had been installed which gave the attackers access to its network until May 11, 2015. On that date, something happened that prevented the hackers from accessing its network. It took Excellus 17 months from the initial intrusion to detect the security breach.

The HHS’ Office for Civil Rights (OCR) launched an investigation into the data breach and uncovered several potential violations of the HIPAA Rules, including security failures and the impermissible disclosure of the PHI of 9.3 million individuals. The case was settled in January 2021, and Excellus agreed to pay a financial penalty of $5.1 million to resolve the HIPAA violations and to implement a corrective action plan to address the security failures and the alleged HIPAA non-compliance issues.

The lawsuit was brought against Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare, and the Blue Cross Blue Shield Association, on behalf of all individuals affected by the data breach. Initially, the lawsuit sought monetary damages and injunctive relief; however, for several legal reasons, the court was unable to certify classes seeking monetary damages, and only certified a class for injunctive relief.

The plaintiffs alleged the defendants had failed to implement appropriate security measures to ensure the confidentiality of PII and PHI, failed to detect the security breach for 17 months, and when the breach was detected, waited too long to notify affected individuals and then failed to provide sufficient information about how victims could protect themselves from harm. The lawsuit required the Excellus defendants and BCBSA to change their information security practices with respect to PII and PHI and to invest in information security. The Excellus defendants and BCBSA denied any wrongdoing and, to date, no court has determined the defendants have done anything wrong.

The Excellus defendants and BCBSA have agreed to cover reasonable attorneys’ fees, costs, and expenses as approved by the courts. The costs include a maximum of $3.3 million to cover attorneys’ fees and the reimbursement of expenses of no more than $1,000,000. Service awards of up to $7,500 will also be provided to class representatives.

Changes will be made to business practices regarding the safeguarding of PII and PHI which will cover the three years from the finalization of the settlement or the two years after each of the changes has been implemented. The information security requirements detailed in the settlement require the Excellus defendants and BCBSA to:

  • Increase and maintain a minimum information security budget
  • Develop a strategy and engage vendors to ensure records containing PII or PHI are disposed of within one year of the original retention period
  • Take steps to improve the security of its network, including the use of tools for detecting suspicious activity, authenticating users, responding to and containing security incidents, and document retention
  • Engage in an extensive data archiving program and provide plaintiffs with documentation confirming the extent, scope, and thoroughness of the archiving project
  • Provide the plaintiffs with copies of documents provided to OCR that demonstrate compliance with the OCR settlement and corrective action plan
  • Make an annual declaration attesting to compliance with each aspect of the items in the settlement, including the extent to which it has not been possible to comply with any of the items

If the settlement is agreed by the court – a hearing has been scheduled for April 13, 2022 – all plaintiffs and class members will be required to release all claims against the Excellus defendants and BCBSA for injunctive and declaratory relief. The settlement will not release any claims against the Excellus defendants and BCBSA for monetary damages.

New York Fines EyeMed $600,000 for 2.1 Million-Record Data Breach

The first settlement of 2022 to resolve a healthcare data breach has been announced by New York Attorney General Letitia James. The Ohio-based vision benefits provider EyeMed Vision Care has agreed to pay a financial penalty of $600,000 to resolve a 2020 data breach that saw the personal information of 2.1 million individuals compromised nationwide, including the personal information of 98,632 New York residents.

The data breach occurred on or around June 24, 2020, and saw unauthorized individuals gain access to an EyeMed email account that contained sensitive consumer data provided in connection with vision benefits enrollment and coverage. The attacker had access to the email account for around a week and was able to view emails and attachments spanning a period of 6 years dating back to January 3, 2014. The emails contained a range of sensitive information including names, contact information, dates of birth, account information for health insurance accounts, full or partial Social Security numbers, Medicare/Medicaid numbers, driver’s license numbers, government ID numbers, birth/marriage certificates, diagnoses, and medical treatment information.

Between June 24, 2020, and July 1, 2020, the attackers accessed the account from multiple IP addresses, including some from outside the United States and on July 1, 2020, the account was used to send around 2,000 phishing emails to EyeMed clients. The EyeMed IT department detected the phishing emails and received multiple inquiries from clients querying the legitimacy of the emails. The compromised account was then immediately secured.

The subsequent forensic investigation confirmed the attacker could have exfiltrated data from the email account while access was possible but could not determine whether any personal information was stolen. Affected individuals were notified in September 2020 and were offered complimentary credit monitoring, fraud consultation, and identity theft restoration services.

The Office of the New York Attorney General investigated the security incident and data breach and determined that, at the time of the attack, EyeMed had failed to implement appropriate security measures to prevent unauthorized individuals from accessing the personal information of New York residents.

The email account was accessible via a web browser and contained large quantities of consumers’ sensitive information spanning several years, yet EyeMed had failed to implement multifactor authentication on the account. EyeMed also failed to implement adequate password management requirements for the email account. The password requirements for the account were not sufficiently complex, requiring only an 8-character password, even though EyeMed was aware of the importance of password complexity: its admin-level accounts required passwords of at least 12 characters. EyeMed also allowed 6 failed password attempts before locking out the user ID. EyeMed had also failed to maintain adequate logging of email accounts and was not monitoring email accounts, which made it difficult to identify and investigate security incidents. It was also unreasonable to retain consumer data in the email account for such a long period of time; older emails should have been transferred to more secure systems and deleted from the email account.

State attorneys general have the authority to impose financial penalties for HIPAA violations and it would have been possible to cite violations of HIPAA; however, New York only cited violations of New York General Business Law.

Under the terms of the settlement, EyeMed is required to pay a financial penalty of $600,000 and must implement several measures to improve security and prevent further data breaches. Those measures include:

  • Maintaining a comprehensive information security program that is regularly updated to keep pace with changes in technology and security threats
  • Maintaining reasonable account management and authentication, including the use of multi-factor authentication for all administrative or remote access accounts
  • Encrypting sensitive consumer information
  • Conducting a reasonable penetration testing program to identify, assess, and remediate security vulnerabilities
  • Implementing and maintaining appropriate logging and monitoring of network activity
  • Permanently deleting consumers’ personal information when there is no reasonable business or legal purpose to retain it.
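The control gaps the Attorney General cited for the compromised mailbox (no multifactor authentication on a browser-accessible account, an 8-character minimum, 6 failed attempts before lockout, no logging or monitoring, six years of retained mail) and the measures the settlement now requires map onto a checklist an administrator can run against an account's own settings. The following is an added illustration, not code from EyeMed, the New York Attorney General, or any mail vendor: the policy schema, the field names, the baseline thresholds and the sign-in log format are all assumptions constructed for the example. It audits a weak policy beside a hardened one, and separately reviews constructed sign-in records for the pattern the investigation described, one account used successfully from several countries within the same week.

```python
"""Mailbox account policy audit and sign-in review (illustrative, assumed schema)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AccountPolicy:
    # Settings as an administrator might export them; the field names are assumed.
    min_password_length: int
    mfa_required: bool
    lockout_threshold: int        # failed attempts tolerated before lockout
    audit_logging_enabled: bool
    mailbox_monitored: bool
    retention_days: int           # how long mail stays in the live mailbox
    webmail_enabled: bool         # account reachable through a browser


@dataclass(frozen=True)
class Baseline:
    # Assumed baseline: 12 characters is what EyeMed already required for admin accounts,
    # the lockout limit is set below the 6 attempts cited, retention is capped at a year.
    min_password_length: int = 12
    max_lockout_threshold: int = 5
    max_retention_days: int = 365


def audit_policy(policy: AccountPolicy, baseline: Baseline = Baseline()) -> list[str]:
    """Return one finding per control gap; an empty list means the policy meets the baseline."""
    findings: list[str] = []
    if policy.webmail_enabled and not policy.mfa_required:
        findings.append("mfa: browser-accessible mailbox without multifactor authentication")
    if policy.min_password_length < baseline.min_password_length:
        findings.append(f"password: minimum length {policy.min_password_length} "
                        f"is below baseline {baseline.min_password_length}")
    if policy.lockout_threshold > baseline.max_lockout_threshold:
        findings.append(f"lockout: {policy.lockout_threshold} failed attempts allowed, "
                        f"baseline is {baseline.max_lockout_threshold}")
    if not policy.audit_logging_enabled:
        findings.append("logging: mailbox access is not logged")
    if not policy.mailbox_monitored:
        findings.append("monitoring: mailbox sign-ins and sending are not monitored")
    if policy.retention_days > baseline.max_retention_days:
        findings.append(f"retention: {policy.retention_days} days of mail kept live, "
                        f"baseline is {baseline.max_retention_days}")
    return findings


# Constructed policies: the first mirrors the gaps cited in the settlement, the second the remedies.
WEAK_POLICY = AccountPolicy(min_password_length=8, mfa_required=False, lockout_threshold=6,
                            audit_logging_enabled=False, mailbox_monitored=False,
                            retention_days=6 * 365, webmail_enabled=True)
HARDENED_POLICY = AccountPolicy(min_password_length=12, mfa_required=True, lockout_threshold=5,
                                audit_logging_enabled=True, mailbox_monitored=True,
                                retention_days=365, webmail_enabled=True)

# Constructed sign-in records in an assumed "timestamp key=value ..." format.
SAMPLE_SIGNINS = [
    "2020-06-24T08:12:03Z user=benefits-inbox ip=203.0.113.5 country=US result=success",
    "2020-06-25T02:41:19Z user=benefits-inbox ip=198.51.100.7 country=RU result=success",
    "2020-06-27T23:05:44Z user=benefits-inbox ip=198.51.100.9 country=DE result=success",
    "2020-06-28T11:30:00Z user=benefits-inbox ip=192.0.2.44 country=FR result=failure",
    "2020-06-29T09:00:12Z user=helpdesk ip=203.0.113.6 country=US result=success",
]


def parse_signin_line(line: str) -> dict[str, str]:
    """Split one record into its timestamp and key=value fields."""
    ts, *pairs = line.split()
    record = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def flag_multi_country_logins(lines: list[str], max_countries: int = 1) -> dict[str, set[str]]:
    """Return accounts with successful sign-ins from more countries than max_countries."""
    seen: dict[str, set[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_signin_line(line)
        if rec.get("result") != "success":      # failed attempts feed lockout, not geography
            continue
        seen.setdefault(rec["user"], set()).add(rec["country"])
    return {user: countries for user, countries in seen.items() if len(countries) > max_countries}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
    print(flag_multi_country_logins(SAMPLE_SIGNINS))
```

The sign-in review only works if the logging and monitoring controls exist in the first place, which is the point the Attorney General's findings make: without mailbox access logs there is nothing to run the check over.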

“New Yorkers should have every assurance that their personal health information will remain private and protected. EyeMed betrayed that trust by failing to keep an eye on its own security system, which in turn compromised the personal information of millions of individuals,” said Attorney General James. “Let this agreement signal our continued commitment to holding companies accountable and ensuring that they are looking out for New Yorkers’ best interest. My office continues to actively monitor the state for any potential violations, and we will continue to do everything in our power to protect New Yorkers and their personal information.”

Mass General Brigham Settles ‘Cookies Without Consent’ Lawsuit for $18.4 Million

An $18.4 million settlement has been approved that resolves a class action lawsuit against Mass General Brigham over the use of cookies, pixels, website analytics tools, and associated technologies on several websites without first obtaining the consent of website visitors.

The defendants in the case operate informational websites that provide information about the healthcare services they provide and the programs they operate. Those websites can be accessed by the general public and do not require visitors to register or create accounts.

The lawsuit was filed against Partners Healthcare System, now Mass General Brigham, by two plaintiffs – John Doe and Jane Doe – who alleged the websites contained third party analytics tools, cookies, and pixels that caused their web browsers to divulge information about their use of the Internet, and that the information was transferred and sold to third parties without their consent.

While it is normal for websites to use third-party analytics tools like those on the defendants’ websites, the plaintiffs alleged they were not informed that their information would be collected and transferred and that they did not provide consent to have their data harvested.

The defendants denied any wrongdoing or liability and maintained the plaintiffs and class members suffered no damages or injuries as a result of visiting the websites. No protected health information was disclosed, there was no data breach, and the defendants denied all allegations in the class action lawsuit; however, the plaintiffs maintained they were prepared to vigorously defend the lawsuit and the decision was taken to settle the case to avoid the costs and uncertainty of a trial and any related appeals.

The settlement names 38 healthcare providers including Massachusetts General Hospital, Brigham and Women’s Hospital, Dana-Farber Cancer Institute, and Wentworth-Douglass Hospital, and covers visitors to the website between May 23, 2016, and July 31, 2021. The $18.4 million settlement will cover attorneys’ fees and other expenses, and class members are eligible to receive a payment of up to $100, based on the number of claims filed.

Accellion Proposes $8.1 Million Settlement to Resolve Class Action FTA Data Breach Lawsuit

The Palo Alto, CA-based technology firm Accellion has proposed an $8.1 million settlement to resolve a class action data breach lawsuit filed on behalf of victims of the December 2020 cyberattack on the Accellion File Transfer Appliance (FTA).

The Accellion FTA is a legacy solution that is used for securely transferring files that are too large to be sent via email. The Accellion FTA had been in use for more than 20 years and was at end-of-life, with support due to end on April 30, 2021. Accellion had developed a new platform, Kiteworks, and customers were encouraged to upgrade from the legacy solution; however, a significant number of entities were still using the FTA solution at the time of the cyberattack.

In December 2020, two previously unknown Advanced Persistent Threat (APT) groups linked to FIN11 and the CLOP ransomware gang exploited unaddressed vulnerabilities in the Accellion FTA, gained access to the files of its clients, and exfiltrated a significant amount of data. Following the breach, four vulnerabilities associated with the breach were disclosed and issued CVEs.

Accellion clients affected by the breach included banks, law firms, universities, and healthcare organizations. Many of the files belonging to healthcare organizations contained sensitive patient and health plan member data. Healthcare organizations affected by the breach include Health Net Community Solutions, Health Net of California, California Health & Wellness, Trinity Health, The University of California, Stanford University School of Medicine, University of Miami Health, Kroger, Trillium, Community Health Plan, Arizona Complete Health, CalViva Health, and Health Employees’ Pension Plan.

Following the attack, several lawsuits were filed against Accellion and its clients over the data breach. The class action lawsuit against Accellion alleged the company had failed to implement and maintain appropriate data security practices to protect the sensitive data of its clients, failed to detect security vulnerabilities in the Accellion FTA, failed to disclose its security practices were inadequate and failed to prevent the data breach. As a result of the attack, highly sensitive information was stolen, including names, contact information, dates of birth, Social Security numbers, driver’s license numbers, and healthcare data.

Accellion denied all of the allegations in the lawsuit and accepts no liability for the data breach. The company said in the settlement agreement that it is not responsible for managing, updating, and maintaining customers’ instances of the FTA software. Accellion also said the company does not collect any customer data, does not access the content of files shared or stored via the FTA solution, and provided no guarantees to customers that the FTA software was secure.

It is unclear how many individuals will be covered by the settlement, but the number is certainly in excess of 9.2 million individuals. Accellion will attempt to obtain up-to-date contact information for those individuals in order to send notices of the proposed settlement. The proposed settlement includes a cash fund of $8.1 million to cover claims, notices, administration costs, and service awards to affected users of the Accellion FTA. $4.6 million of the fund will be made available within 10 days, with the remainder made available within 10 days of the settlement being approved.

Affected individuals will be entitled to sign up for 24 months of three-bureau credit monitoring and insurance services, or receive reimbursement for documented losses up to a maximum value of $10,000, or receive a cash payment, which is expected to be in the region of $15 to $50. Accellion will also fully retire the Accellion FTA and take steps to ensure the security of its replacement Kiteworks solution. Those measures include increasing its bug bounty program, maintaining FedRAMP certification, employing individuals with responsibility for cybersecurity, providing cybersecurity training to its workforce, and undergoing regular assessments to confirm continued compliance with the cybersecurity measures outlined in the settlement.

The proposed settlement will resolve all claims against Accellion only. There are still lawsuits and settlements outstanding against clients affected by the breach. The supermarket chain Kroger has proposed a $5 million settlement to resolve lawsuits filed on behalf of the 3.8 million employees and customers affected by the breach.
