Legal News

Russian National Indicted for Scripps Health Ransomware Attack; 11 TrickBot/Conti Actors Sanctioned

The indictments of multiple members of the TrickBot/Conti Ransomware groups have recently been unsealed and 11 members of these cybercriminal operations have been sanctioned by the United States and the United Kingdom.

A federal grand jury in the Southern District of California indicted Russian national Maksim Galochkin for his role in a cyberattack on Scripps Health in May 2021. Galochkin and his co-conspirators are alleged to have conducted more than 900 attacks worldwide using Conti ransomware, including the attack on Scripps Health. A federal grand jury in the Northern District of Ohio indicted Galochkin and co-conspirators Maksim Rudenskiy, Mikhail Mikhailovich Tsarev, Andrey Yuryevich Zhuykov, Dmitry Putilin, Sergey Loguntsov, Max Mikhaylov, Valentin Karyagin, and Maksim Khaliullin over the use of TrickBot malware to steal funds and confidential information from businesses and financial institutions in the United States since 2015. A federal grand jury in the Middle District of Tennessee returned an indictment charging Galochkin and co-conspirators Rudenskiy, Tsarev, and Zhuykov with conspiring to use Conti ransomware to attack businesses, nonprofits, and governments in the United States from 2020 until June 2022, when the Conti operation was disbanded.

Galochkin was also one of 11 individuals recently sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the United Kingdom, in an action coordinated with the Department of Justice indictments, for being part of the Russian TrickBot cybercrime group. TrickBot was first identified in 2016 and started life as a banking Trojan. The malware was developed as a successor to the Dyre Trojan and was used to attack and steal money from non-Russian businesses. The modular malware evolved over the years and new capabilities were added which allowed the TrickBot gang to conduct a range of malicious activities, including ransomware attacks. The group is believed to have extorted more than $180 million from victims around the world and conducted many attacks on hospitals and other healthcare providers in the United States. While the TrickBot gang is a cybercriminal group, members of the group are associated with the Russian intelligence services and have conducted attacks on the U.S. government and other U.S. targets in line with the objectives of the Russian intelligence services.

The 11 sanctioned individuals materially assisted with TrickBot operations and include administrators, managers, developers, and coders. Galochkin (aka Bentley, Crypt, Volhvb) is alleged to have led a group of testers and had responsibilities for the development, supervision, and implementation of tests. The other 10 sanctioned individuals are senior administrator Andrey Zhuykov (aka Dif, Defender); lead coder Maksim Rudenskiy; human resources and finance manager Mikhail Tsarev; infrastructure purchaser Dmitry Putilin (aka grad, staff); HR manager Maksim Khaliullin (aka Kagas); TrickBot developer Sergey Loguntsov; internal utilities group member Mikhail Chernov (aka Bullet); admin team member Alexander Mozhaev (aka Green and Rocco); and coders Vadym Valiakhmetov (aka Weldon, Mentos, Vasm) and Artem Kurov (aka Naned).

Eighteen members of the TrickBot operation have now been sanctioned, the latest 11 adding to the 7 members sanctioned by the United States and United Kingdom in February this year. The addition of these individuals to OFAC’s sanctions list means all property and interests in property of the individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. All dealings with these individuals by U.S. persons are prohibited, including paying ransoms. Individuals who engage in transactions with sanctioned individuals may themselves be exposed to OFAC designation, and any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the sanctioned individuals could be subject to U.S. correspondent or payable-through account sanctions.

All of the indicted and sanctioned individuals remain at large. That is likely to remain the case as they are believed to reside in Russia where there is no extradition treaty with the United States.

The post Russian National Indicted for Scripps Health Ransomware Attack; 11 TrickBot/Conti Actors Sanctioned appeared first on HIPAA Journal.

UnitedHealthcare Services Sued for MOVEit Transfer Data Breach

A class action lawsuit has been filed against the student healthcare insurer UnitedHealthcare Services, which does business as UnitedHealthcare Student Resources, over its MOVEit Transfer data breach in May 2023. The lawsuit names Kelly Abramowitz as the plaintiff and alleges the health insurer failed to implement appropriate security measures to protect plan members’ protected health information.

Hundreds of organizations fell victim to the attacks, which mass-exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer solution. Progress Software released a patch to fix the vulnerability on May 31, 2023; however, the Clop ransomware group had already exploited the vulnerability and exfiltrated sensitive data. Ransom demands were issued, and payment was required to prevent the publication of stolen data on the group’s data leak site.

The attack on UnitedHealthcare resulted in the theft of names, dates of birth, addresses, phone numbers, email addresses, plan identification numbers, student identification numbers, healthcare information, claims information, Social Security numbers, other national identification numbers, and other sensitive data. Affected students were notified about the attack in July 2023 and were offered complimentary credit monitoring and identity theft protection services.

The lawsuit alleges UnitedHealthcare owed a duty of care to its members and should have maintained adequate safeguards to protect the information it collected and stored yet failed to do so, then delayed sending notification letters to the affected individuals. The lawsuit claims the plaintiff and class members have suffered irreparable harm from the theft of their sensitive information and now face an imminent and ongoing risk of identity theft and fraud.

The lawsuit alleges negligence, negligence per se, unjust enrichment, and breach of implied contract and seeks class action status, a jury trial, declaratory and injunctive relief, and statutory damages. The lawsuit – Abramowitz v. United Healthcare Services Inc. d/b/a UnitedHealthcare Student Resources – was filed in the U.S. District Court for the District of Minnesota. The plaintiff and class members are represented by Nathaniel J. Weimer of Tewksbury & Kerfeld, P.A., and Mark S. Reich, Courtney Maccarone, and Gary S. Ishimoto of Levi & Korsinsky, LLP.


Schneck Medical Center Settles HIPAA Lawsuit with Indiana AG

Seymour, IN-based Schneck Medical Center has settled a lawsuit with the Indiana attorney general, Todd Rokita, over a 2021 ransomware attack and data breach that affected 89,707 Indiana residents. Schneck Medical Center has agreed to pay a penalty of $250,000 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws and will implement additional safeguards to prevent further data breaches.

According to the lawsuit, Schneck Medical Center conducted a risk analysis in December 2020 which revealed many critical security issues, but Schneck Medical Center failed to address them. Nine months later, on or around September 29, 2021, those security flaws were exploited by a malicious actor who gained access to the network, exfiltrated sensitive patient data, and then deployed ransomware to encrypt files. The information stolen in the attack included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account information, payment card information, diagnoses, and health insurance information.

Schneck Medical Center was quick to alert patients to the cyberattack through a statement on its website on September 29, 2021; however, the Indiana AG alleged that Schneck Medical Center failed to disclose the risk patients faced and did not encourage them to take steps to protect themselves against identity theft and fraud, even though Schneck Medical Center was aware at the time that a large quantity of sensitive data had been stolen.

Another statement was released two months later on November 26, 2021, confirming that files had been stolen in the attack; however, Schneck Medical Center failed to disclose that protected health information had been exposed, despite being aware that PHI had been stolen. Schneck Medical Center also failed to issue timely individual notifications, which were not mailed until May 13, 2022 – 226 days after the discovery of the data breach. Schneck Medical Center also claimed in a May 13, 2022, substitute breach notice that data theft was discovered on March 17, 2022, when Schneck Medical Center had been aware since September 29, 2021, that data had been stolen.

The Indiana attorney general alleged multiple violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule and violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act.

Schneck Medical Center Compensates Patients for Losses

Schneck Medical Center has also recently settled a consolidated class action lawsuit for $1.3 million. Two lawsuits were filed in response to the ransomware attack and data breach by patients Jalen Nierman, Bryce Sheaffer, Jennifer Renoll, Patricia White, and Nigel Myers who sought compensation for the data breach. The plaintiffs alleged Schneck Medical Center failed to implement reasonable and appropriate safeguards to ensure the confidentiality of patient data. Schneck Medical Center agreed to a settlement with no admission of wrongdoing.

Under the terms of the settlement, class members are entitled to claim up to $500 in ordinary expenses, including up to 4 hours of lost time at $15 per hour. Individuals who incurred extraordinary expenses due to the data breach can claim up to $6,000. Claims may be paid pro rata, depending on the number of claims received. The settlement also includes 27 months of free credit monitoring and identity theft protection services and coverage through a $1 million identity theft insurance policy.


L.A. Care Health Plan Settles Multiple HIPAA Violations for $1.3 Million

The Local Initiative Health Authority for Los Angeles County, operating as L.A. Care Health Plan, has settled multiple violations of the HIPAA Privacy and Security Rules with the HHS’ Office for Civil Rights (OCR) and will pay a $1,300,000 penalty and adopt a robust corrective action plan.

L.A. Care Health Plan is the largest publicly operated health plan in the United States and has more than 2.7 million members. OCR said it launched two separate investigations of L.A. Care Health Plan to assess the state of HIPAA compliance, the first of which was in response to a media report about impermissible disclosures of protected health information (PHI) via its member portal and the second was in response to a breach that was reported to OCR involving the PHI of 1,498 members.

In 2016, a media outlet reported that members of the health plan were able to access the protected health information (PHI) of other members via the online member portal over a 2-day period in 2014 due to a manual processing error. OCR informed L.A. Care Health Plan it had initiated a compliance review and in February 2016, L.A. Care Health Plan reported the breach to OCR as affecting fewer than 500 individuals. In March 2019, L.A. Care Health Plan notified OCR about a 1,498-record data breach caused by a mailing error that saw members receive the ID cards of other health plan members.

OCR determined that there had been several failures to fully comply with the requirements of the HIPAA Privacy and Security Rules. The resolution agreement lists 6 potential HIPAA violations identified by its investigators.

  1. A failure to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).
  2. A failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level – 45 C.F.R. § 164.308(a)(1)(ii)(B).
  3. A failure to implement sufficient procedures to regularly review records of information system activity – 45 C.F.R. § 164.308(a)(1)(ii)(D).
  4. A failure to perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of ePHI – 45 C.F.R. § 164.308(a)(8).
  5. A failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI – 45 C.F.R. § 164.312(b).
  6. The impermissible disclosure of the ePHI of 1,498 individuals – 45 C.F.R. § 164.502(a).

L.A. Care Health Plan chose to settle the investigations with no admission of liability and agreed to pay a $1,300,000 financial penalty and adopt a corrective action plan to correct the alleged HIPAA violations. The corrective action plan requires L.A. Care Health Plan to conduct a comprehensive, organization-wide risk analysis; develop a risk management plan; develop, implement, and distribute policies and procedures for the risk analysis and risk management plan; report to OCR when evaluations of environmental and operational changes are conducted; and report HIPAA violations by employees to OCR within 30 days.

“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”


Medtronic & Edward-Elmhurst Health Sued Over Web Tracker Use

The Minneapolis, MN-based medical device manufacturer Medtronic and the Illinois health system Edward-Elmhurst Health are facing class action lawsuits over the use of website and app tracking technologies, which passed sensitive customer data to third parties such as Google and Meta.

Medtronic MiniMed and MiniMed Distribution Corp

A lawsuit has been filed against Medtronic MiniMed Inc. and MiniMed Distribution Corp (Medtronic) over the use of tracking technologies in its InPen diabetes management app.

The lawsuit – A.H. v. Medtronic MiniMed Inc. and MiniMed Distribution Corp – was filed in the U.S. District Court for the Central District of California on behalf of plaintiff A.H. and similarly situated individuals who had their sensitive information disclosed to third parties via Google Analytics, Firebase, and Crashlytics.

Medtronic reported the data breach to the HHS’ Office for Civil Rights in April as affecting 58,374 individuals and notified customers that email addresses, IP addresses, phone numbers, InPen App usernames and passwords, timestamp information for InPen App events, and unique identifiers tied to InPen accounts or mobile devices had been impermissibly disclosed. Medtronic no longer uses Google Analytics and is transitioning from Crashlytics and Firebase authentication to other reporting and authentication platforms.

The lawsuit claims Medtronic placed profit over privacy when it deliberately added these tools to the app to access and monetize user data and claims that Medtronic violated its own privacy policy as it maintained it would keep InPen app user data private and would not share user information with third parties for marketing purposes unless written authorization was obtained.

The lawsuit alleges common law invasion of privacy (intrusion upon seclusion), breach of confidence, breach of fiduciary duty, negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, unjust enrichment, and violations of the Electronic Communications Privacy Act (ECPA), the California Invasion of Privacy Act (CIPA), and New York General Business Law.

The lawsuit seeks class action status, a jury trial, damages, extended credit monitoring services, attorneys’ fees, and equitable and injunctive relief to ensure that users of its app have their privacy protected. The plaintiffs and class are represented by attorneys from the law firms Milberg Coleman Bryson Phillips Grossman, PLLC, Markovits, Stock & Demarco, LLC, and Chestnut Cambronne PA.

Edward-Elmhurst Health

The lawsuit against Edward-Elmhurst Health – Arnold Stein and Diane Miller v. Edward-Elmhurst Health – was filed in Cook County Circuit Court and alleges patient privacy was violated due to the use of the Meta Pixel tracking tool on its web portals, which patients use for booking appointments and finding treatment facilities and other healthcare services.

According to the lawsuit, the Meta Pixel tracking code was added to the web portals without users’ knowledge, and transmitted “every click, keystroke and detail about their medical treatment” to Facebook. That information was tied to individual users through their Facebook IDs. The lawsuit alleges the information transmitted to Facebook was used for marketing purposes in an effort to bolster Edward-Elmhurst Health’s profits.

The lawsuit alleges the disclosures violated HIPAA, the Illinois Eavesdropping Statute, and the Illinois Consumer Fraud and Deceptive Business Practices Act. The lawsuit seeks actual and punitive damages, attorneys’ fees, and an injunction against Edward-Elmhurst Health preventing further patient privacy violations through tracking technologies. The lawsuit was filed by attorneys from Almeida Law Group LLC and Stephan Zouras, LLP.
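The mechanism at issue in both lawsuits is a third-party script loader embedded in the page, so a practitioner's first question is simply whether such loaders are present on pages that collect patient input. The following is an added example, not code from the page or from either defendant: an offline audit that scans a page's HTML for the Meta Pixel and Google Analytics loaders (the script hosts and the `fbq`/`gtag` calls those tools use) and flags the page as high risk when a tracker sits beside a form. The signature list and the sample pages are constructed for this demonstration; real pixel IDs and measurement IDs would differ.

```javascript
// Added example (not from the page or the lawsuits it reports): scan HTML for
// known third-party tracker loaders and flag pages that also collect user input.
// The signature list and sample pages below are assumptions built for this demo.

const TRACKER_SIGNATURES = [
  {
    name: 'Meta Pixel',
    patterns: [
      /connect\.facebook\.net\/[^"'\s]*fbevents\.js/i, // script host for the pixel
      /\bfbq\s*\(\s*['"]init['"]/i,                    // inline initialisation call
    ],
  },
  {
    name: 'Google Analytics',
    patterns: [
      /google-analytics\.com\/analytics\.js/i,         // legacy Universal Analytics
      /googletagmanager\.com\/gtag\/js/i,              // GA4 gtag loader
      /\bgtag\s*\(\s*['"]config['"]/i,
      /\bga\s*\(\s*['"]create['"]/i,
    ],
  },
  { name: 'Google Tag Manager', patterns: [/googletagmanager\.com\/gtm\.js/i] },
];

// Pull every <script> tag out of the markup as {src, body}.
function extractScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, body: m[2] });
  }
  return scripts;
}

// A page with a form, a visible input, or a textarea collects user input.
function collectsUserInput(html) {
  return /<form\b/i.test(html)
    || /<input\b(?![^>]*type\s*=\s*["']hidden["'])/i.test(html)
    || /<textarea\b/i.test(html);
}

// Returns {trackers, collectsInput, highRisk}; one finding per tracker family.
function auditPage(html) {
  const findings = [];
  const scripts = extractScripts(html);
  for (const sig of TRACKER_SIGNATURES) {
    for (const s of scripts) {
      const haystack = (s.src || '') + '\n' + s.body;
      const hit = sig.patterns.find((p) => p.test(haystack));
      if (hit) {
        findings.push({
          tracker: sig.name,
          evidence: s.src ? 'external script ' + s.src : 'inline script matching /' + hit.source + '/',
        });
        break;
      }
    }
  }
  // The pixel's <noscript> fallback is a 1x1 image beacon to facebook.com/tr.
  if (/<img\b[^>]*facebook\.com\/tr\?/i.test(html) && !findings.some((f) => f.tracker === 'Meta Pixel')) {
    findings.push({ tracker: 'Meta Pixel', evidence: 'noscript image beacon' });
  }
  const collectsInput = collectsUserInput(html);
  return { trackers: findings, collectsInput, highRisk: findings.length > 0 && collectsInput };
}

// Constructed sample: an appointment-booking page carrying both trackers.
const SAMPLE_APPOINTMENT_PAGE = `<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
<script>(function(){var s=document.createElement('script');
s.src='https://connect.facebook.net/en_US/fbevents.js';document.head.appendChild(s);})();
fbq('init','1234567890');fbq('track','PageView');</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
</head><body>
<form action="/book"><input name="condition"><input name="preferred_doctor"><button>Book</button></form>
</body></html>`;

// Constructed sample: the same form served with only first-party script.
const SAMPLE_CLEAN_PAGE = `<!doctype html><html><head>
<script src="/static/app.js"></script>
</head><body><form action="/book"><input name="condition"></form></body></html>`;

console.log(JSON.stringify(auditPage(SAMPLE_APPOINTMENT_PAGE), null, 2));
console.log(JSON.stringify(auditPage(SAMPLE_CLEAN_PAGE), null, 2));
```

Static markup scanning catches the common case of a tag pasted into a portal template, but it misses trackers injected at runtime by a tag manager; for those, inspecting outbound requests in the browser's network log (or a HAR capture) for `facebook.com/tr` and `google-analytics.com/collect` is the complementary check.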


CentroMed Facing 2 Class Action Lawsuits Over 350,000-Record Data Breach

El Centro Del Barrio, dba CentroMed in San Antonio, TX, is facing at least two class action lawsuits over a June 2023 cyberattack in which hackers gained access to the personal and protected health information (PHI) of 350,000 patients.

The attack was detected on June 12, 2023, and the forensic investigation confirmed unauthorized access to IT systems first occurred on June 9, 2023. The information accessed in the attack included names, addresses, dates of birth, Social Security numbers, financial account information, medical record numbers, health insurance plan member IDs, and claims data. The affected individuals were notified by mail on August 11, 2023.

CentroMed patients Jasmine Grace and Dawn Leal have each taken legal action against CentroMed over the impermissible disclosure of their personal information and allege CentroMed was negligent for failing to properly secure and safeguard their personally identifiable information, which is now in the hands of cybercriminals.

They both claim they face an imminent, ongoing, and substantial risk of identity theft and fraud and have had to invest considerable time and money into protecting themselves against the misuse of their personal information. The lawsuits also take issue with the length of time it took CentroMed to issue notification letters to patients. CentroMed issued notifications 60 days after detecting the attack, which is within the 60-day deadline set by the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.

The lawsuits allege the defendant violated HIPAA by failing to adequately protect their data and allege negligence, breach of fiduciary duty, and unjust enrichment. Jasmine Grace’s lawsuit was filed in District Court in San Antonio, and she is represented by attorney Samantha Holbrook. The lawsuit seeks $1 million in damages. Dawn Leal’s lawsuit was filed in San Antonio federal court by attorney Joe Kendall and seeks $5 million in damages.


Allwell Behavioral Health Settles Data Breach Class Action for $650,000

Allwell Behavioral Health has proposed a $650,000 settlement to resolve a class action lawsuit that was filed on behalf of victims of a March 2022 data breach that affected 29,972 patients.

The breach was detected on March 5, 2022, and sensitive data was found to have been accessed by unauthorized individuals on March 3, 2022. The compromised data included names, dates of birth, Social Security numbers, phone numbers, treatment activity, treatment provider, treatment date, treatment location, and payer information. The lawsuit alleged Allwell Behavioral Health was negligent for failing to adequately secure patient data.

Allwell Behavioral Health admitted no wrongdoing but chose to settle the lawsuit to prevent further legal costs and to avoid the uncertainty of trial. Under the terms of the settlement, class members are entitled to receive a $50 payment, which may be increased depending on the number of claims received. Claims of up to $4,000 may be submitted to cover extraordinary, unreimbursed monetary losses, which can include up to 5 hours of lost time at $25 per hour.

Class members have until September 11, 2023, to object to or exclude themselves from the settlement and must submit claims by October 11, 2023, and by October 2, 2023, if they did not receive a Notice ID. The final fairness hearing has been scheduled for November 9, 2023.


Orrick, Herrington & Sutcliffe Sued Over Ransomware Attack and Data Breach

The San Francisco, CA-based law firm, Orrick, Herrington & Sutcliffe LLP, is facing a class action lawsuit over a ransomware attack and data breach that was detected on March 13, 2023. The law firm determined that part of its network had been compromised by an unauthorized third party, which gained access to a file share that was used to store client files. The unauthorized access was immediately blocked; however, the forensic investigation confirmed that files containing personal information had been exfiltrated from its servers between February 28 and March 13, 2023. The compromised information included names, addresses, dates of birth, and Social Security numbers. The law firm offered the affected individuals complimentary credit monitoring and identity theft protection services.

On August 11, 2023, a lawsuit was filed in the U.S. District Court for the Northern District of California on behalf of plaintiff Dennis R. Werley and more than 152,818 similarly situated individuals who had their personal information compromised in the attack. The lawsuit alleges the law firm failed to implement adequate and reasonable measures to protect its computer systems, failed to take adequate steps to prevent and stop the breach, did not detect the breach in a timely manner, failed to disclose material facts that adequate system security measures were not in place to prevent data breaches, failed to honor repeated promises and representations to protect the information of the breach victims, and then failed to provide timely notifications. According to the lawsuit, “Thanks to Defendant’s failure to protect the Breach Victims’ Personal Information, cyber criminals were able to steal everything they could possibly need to commit nearly every conceivable form of identity theft and wreak havoc on the financial and personal lives of potentially millions of individuals.”

The lawsuit alleges the plaintiff and class members have had their privacy violated and have been victims of identity theft and fraud or have been exposed to a heightened and imminent risk of fraud and identity theft, and have and will continue to incur out-of-pocket costs for credit monitoring services, credit freezes, and other protective measures. The lawsuit includes a long list of cybersecurity measures that the law firm could and should have implemented to prevent the data breach but failed to do so.

The lawsuit alleges negligence, negligence per se, breach of fiduciary duty, breach of confidence, breach of implied contract, and invasion of privacy and seeks a jury trial, compensatory damages, adequate credit monitoring services, and injunctive relief, including an order from the court requiring the law firm to implement a swathe of security measures to prevent future data breaches.


Lawsuit Alleges Unum Group at Fault for MOVEit Data Breach

A Florida resident is taking legal action against the employee benefits provider, Unum Group, over its MOVEit Transfer data breach and alleges a failure to safeguard the personal information stored within its network. Unum Group was one of hundreds of victims of the mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution. Progress Software issued a security alert about the vulnerability on May 31, 2023, and released a patch the same day; however, the vulnerability had already been exploited in attacks by the Clop group, resulting in the theft of sensitive data.

Unum Group announced on August 3, 2023, that it had been affected and there had been unauthorized access to the protected health information of former and current customers of its subsidiary insurance companies, including names, birth dates, addresses, Social Security numbers, and health insurance claim information. The breach was reported to the HHS’ Office for Civil Rights as affecting 531,732 individuals.

The lawsuit argues that Unum Group had an obligation to keep consumers’ data private and confidential under the Federal Trade Commission Act and HIPAA, yet failed to do so. A company cannot reasonably be expected to prevent exploitation of a vulnerability that was unknown at the time of the attack, when the software vendor had not confirmed it existed and had released neither a patch nor any mitigations. The specific allegations therefore turn on compensating controls that would limit the impact of a compromised file transfer server, rather than on preventing the exploit itself.

The lawsuit – Williams v. Unum Group – alleges Unum was at fault for the data breach because it failed to properly encrypt data transmitted through the file transfer solution, did not redact consumers’ private information, and failed in its legal duty to audit, monitor and verify the security practices of its IT vendors. The lawsuit also takes issue with the time it took Unum Group to issue notifications – more than two months after the suspicious activity was detected – and for the lack of information in the notifications about the root cause of the breach. The lack of information made it difficult for victims of the breach to mitigate harm.

The lawsuit alleges the plaintiff and class members now face a present and continuing risk of identity theft and fraud and are required to pay out-of-pocket expenses to prevent, detect, and recover from the misuse of their information, which is now in the hands of criminals. The lawsuit seeks class action certification, a jury trial, an award of actual damages, compensatory damages, statutory damages, and nominal damages, an award of punitive damages, and attorneys’ fees.
