Legal News

Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle.

A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes.

Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a historic visit by her own brother to the emergency room at Rochester Regional Health, when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Ciaccia reported the matter to Rochester Regional Health.

According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any legitimate work purpose for doing so. It was also confirmed that Meier had accessed the medical records of members of Ciaccia’s family.

Ciaccia reported the criminal HIPAA violations to the police and an investigation was launched. Meier was arraigned in Gates Town Court on Tuesday, February 11, 2019 on 215 felony counts of computer trespass and 215 counts of misdemeanor unauthorized use of a computer. Meier pleaded not guilty to all counts and the case is expected to go before a grand jury.

“If you go in somebody’s medical records, you deserve to be charged. You deserve to be held accountable,” Ciaccia told News 10 NBC. Ciaccia also believes Rochester Regional Health should be held accountable, not for the breach itself, but for the failure to identify an ongoing privacy violation that spanned more than two years.

The unauthorized medical record access was only discovered after Ciaccia reported the potential privacy violation to Rochester Regional Health. “I feel like Rochester Regional pay her all year to go in my medical records,” said Ciaccia. Upon discovery of the unauthorized access, Rochester Regional Health took disciplinary action against Meier.

HIPAA requires healthcare organizations to implement safeguards to ensure the confidentiality, integrity, and availability of patient information. Even if access controls and other measures are implemented, it is not possible to prevent all cases of improper accessing of medical records by employees. However, when instances occur, they should be identified quickly.

HIPAA requires audit logs to be maintained to track access to protected health information. Those logs allow audits to take place, as was the case when the matter was brought to the attention of Rochester Regional Health by Ciaccia.

HIPAA also requires audit logs to be regularly checked to identify unauthorized accessing of PHI. Had the audit logs been monitored more closely, the privacy violation could have been identified and sanctions could have been applied against Meier sooner.
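The kind of routine audit-log review described above can be automated. The following is an added example, not code from HIPAA Journal or from Rochester Regional Health, and every identifier in it is constructed: the user and patient IDs, the access-log records, the care-relationship table (which in practice would be derived from encounter, order or billing data) and the household grouping are all assumptions made for illustration. It flags two patterns the article describes: one user repeatedly opening the chart of a patient they have no documented work reason to see, and one user opening the charts of several members of the same household.

```python
"""Retrospective review of EHR audit logs for insider snooping patterns."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log records: (timestamp, user_id, patient_id, action).
# Real EHR audit trails carry these same core fields; the values here are invented.
ACCESS_LOG = [
    ("2019-03-04T09:12:00", "lab_user_07", "P-1001", "VIEW_RESULT"),
    ("2019-03-04T09:40:00", "nurse_03",    "P-2001", "VIEW_CHART"),
    ("2019-03-05T13:02:00", "lab_user_07", "P-2001", "VIEW_CHART"),
    ("2019-04-11T08:15:00", "lab_user_07", "P-2001", "VIEW_CHART"),
    ("2019-04-11T08:17:00", "lab_user_07", "P-2002", "VIEW_CHART"),
    ("2019-05-20T17:55:00", "lab_user_07", "P-2001", "VIEW_NOTES"),
    ("2019-06-02T12:30:00", "lab_user_07", "P-2003", "VIEW_CHART"),
    ("2019-07-14T18:05:00", "lab_user_07", "P-2001", "VIEW_CHART"),
    ("2019-08-01T07:48:00", "lab_user_07", "P-2001", "VIEW_NOTES"),
    ("2019-08-09T16:20:00", "lab_user_07", "P-2001", "VIEW_CHART"),
    ("2019-08-09T16:25:00", "lab_user_07", "P-1001", "VIEW_RESULT"),
]

# Constructed care-relationship table: (user, patient) pairs backed by an
# encounter, order or billing record that gives the user a work reason to look.
CARE_RELATIONSHIPS = {
    ("lab_user_07", "P-1001"),
    ("nurse_03", "P-2001"),
}

# Constructed household grouping taken from demographics (shared guarantor/address).
HOUSEHOLDS = {"P-2001": "H-77", "P-2002": "H-77", "P-2003": "H-77", "P-1001": "H-12"}


def unrelated_accesses(log, relationships):
    """Return log entries where the user had no documented relationship to the patient."""
    return [entry for entry in log if (entry[1], entry[2]) not in relationships]


def repeated_access_alerts(log, relationships, threshold=3):
    """Flag (user, patient) pairs accessed without a care relationship at least
    `threshold` times; report the count and the span of dates involved."""
    stamps_by_pair = defaultdict(list)
    for ts, user, patient, _action in unrelated_accesses(log, relationships):
        stamps_by_pair[(user, patient)].append(datetime.fromisoformat(ts))
    alerts = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) >= threshold:
            alerts[pair] = {
                "count": len(stamps),
                "first": min(stamps).date().isoformat(),
                "last": max(stamps).date().isoformat(),
            }
    return alerts


def household_alerts(log, relationships, households, min_members=2):
    """Flag users who, without a care relationship, viewed the records of
    `min_members` or more patients belonging to the same household."""
    seen = defaultdict(set)
    for _ts, user, patient, _action in unrelated_accesses(log, relationships):
        household = households.get(patient)
        if household:
            seen[(user, household)].add(patient)
    return {key: sorted(patients) for key, patients in seen.items()
            if len(patients) >= min_members}


if __name__ == "__main__":
    for (user, patient), info in repeated_access_alerts(ACCESS_LOG, CARE_RELATIONSHIPS).items():
        print(f"REPEAT  {user} -> {patient}: {info['count']} views, "
              f"{info['first']}..{info['last']}")
    for (user, hh), patients in household_alerts(ACCESS_LOG, CARE_RELATIONSHIPS, HOUSEHOLDS).items():
        print(f"FAMILY  {user} -> household {hh}: {', '.join(patients)}")
```

Run on a schedule (weekly is common, rather than only when a patient complains), the first check would have surfaced the pattern in the case above within weeks rather than years, and the second check catches the access to relatives' records that a per-patient count alone misses. The thresholds are deliberately low for the sample data; in production they are tuned against the normal access volume of each job role.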

The post Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts appeared first on HIPAA Journal.

Hackensack Meridian Health Faces Class-Action Lawsuit Over December Ransomware Attack

A lawsuit has been filed against the New Jersey Healthcare provider, Hackensack Meridian Health, over a December 2, 2019 ransomware attack that affected all 17 of its hospitals.

The ransomware attack temporarily disrupted medical services while its systems were offline and access to medical records was prevented. Systems remained down for several days while data was recovered and systems were restored. Medical services continued to be provided, with staff reverting to pen and paper to record patient information. However, some non-emergent medical procedures had to be cancelled.

Prompt action was taken to secure its systems and recover data, and physicians, nurses, and clinical teams worked round the clock to ensure patient safety was maintained during the attack and recovery process. In order to restore systems in the fastest possible timeframe and prevent ongoing disruption to medical services, the decision was taken to pay the ransom. Hackensack Meridian Health had a comprehensive insurance policy in place, which helped cover the cost of the ransom payment and its remediation and recovery efforts.

Forensic experts were engaged to assist with the investigation and determine whether any patient information had been compromised. No evidence was found to indicate any patient information was stolen by the attackers.

While it would appear that Hackensack Meridian Health took reasonable steps to limit the harm caused to patients and restore systems and data in the shortest possible time frame, it was not enough to prevent legal action.

Two plaintiffs have been named in a proposed class-action lawsuit filed in a district court in Newark that seeks compensation, reimbursement of out-of-pocket expenses, statutory damages and penalties, and injunctive relief requiring Hackensack Meridian Health to make improvements to its security systems, undergo annual data security audits, and provide three years of complimentary credit monitoring services to breach victims.

The plaintiffs allege Hackensack Meridian Health maintained its network in a “reckless manner” which left its systems vulnerable to attack and that the health system failed to adequately protect patient information. The lawsuit also alleges the attack caused major disruption to the medical care provided to patients, forcing them to seek alternative care and treatment.

Hackensack Meridian Health’s investigation uncovered no evidence to suggest data theft, but the plaintiffs allege their personal and protected health information has been stolen by the attackers and disclosed to “other unknown thieves,” which has placed them at heightened and imminent risk of identity theft and fraud.

The plaintiffs also allege the ransomware attack was not reported to the Department of Health and Human Services’ Office for Civil Rights, as is required by HIPAA, and that affected patients have not been notified about the attack.

As of February 19, 2020, the incident had yet to appear on the OCR breach portal, although that does not necessarily mean the incident has not been reported, as there is often a delay between a report being submitted to OCR and it being uploaded to the breach portal.

Breach notifications are often delayed while data breaches are investigated. It can take some time to determine which patients have been affected and to obtain up-to-date contact information in order to mail notifications. Patient notifications are usually required for ransomware attacks per previous OCR guidance, but they are not mandatory provided covered entities can demonstrate there was a low probability that PHI has been compromised.

It is becoming increasingly common for patients to take legal action against covered entities over ransomware attacks. Several lawsuits have been filed in recent weeks on behalf of patients who have been affected by ransomware attacks. With more threat groups opting to steal data prior to the encryption of files, the number of lawsuits will undoubtedly increase.


Florida Clinic Worker Facing 22 Years in Jail for Wire Fraud and Aggravated Identity Theft

A former medical clinic worker in Florida who impermissibly accessed the protected health information of patients and sold the information to identity thieves has pleaded guilty to wire fraud and aggravated identity theft.

Stacey Lavette Hendricks, 49, of Leesburg, FL, had previously been employed as an administrative worker at several state medical clinics in Florida. Her role gave her access to the protected health information of patients. Hendricks used her access to steal patient information from the unnamed medical clinics, including names, dates of birth, and Social Security numbers. That information was sold to identity thieves for cash and was also used to defraud businesses.

The United States Secret Service investigated the case. Hendricks was apprehended after she attempted to sell stolen patient information to an undercover law enforcement officer. A warrant was obtained to search her home and car and law enforcement officers found patient information stolen from the clinics related to 113 different patients.

Hendricks was charged in the United States District Court for the Middle District of Florida in Ocala and pleaded guilty to one count of wire fraud and two counts of fraud with identification documents: aggravated identity theft and possession of means of identification with intent to commit a felony. No date has currently been set for sentencing.

Hendricks now faces a maximum jail term of up to 20 years for the wire fraud charge and a mandatory 2-year consecutive term for aggravated identity theft.


Georgia Man Charged Over False Allegations of HIPAA Violations

A Georgia man has been charged over an elaborate scheme to frame an acquaintance for violations of the Health Insurance Portability and Accountability Act (HIPAA) that never occurred.

Jeffrey Parker, 43, of Richmond Hill, GA, claimed he was a whistleblower reporting HIPAA violations by a nurse. He reported the violations to the hospital where the nurse worked, and complaints were also sent to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI). Parker was also interviewed by Fox28Media in October 2018 and told reporters that the nurse had been violating HIPAA privacy laws for an extensive period.

The nurse worked at an unnamed hospital in Savannah, GA, which was part of a health system that also operated healthcare facilities in Nashville, TN and other areas. She was alleged to have emailed graphic photographs of patients with traumatic injuries such as gunshot wounds to other individuals outside the hospital. In the Fox28Media interview Parker explained that the sharing of images between employees and other individuals had been going on for a long time.

Parker requested that his identity remain hidden out of fear for his personal safety. He also claimed he had received threats as a result of reporting the HIPAA violations.

In addition to claiming the nurse had violated HIPAA, Parker set up email accounts using the names of real hospital employees. Those email accounts were used to send further reports of HIPAA violations to the hospital as well as the DoJ and the FBI, to make it appear that the nurse’s co-workers were also reporting HIPAA violations.

The FBI responded quickly to the threats over his personal safety and interviewed Parker about the alleged crimes. An FBI agent found inconsistencies in Parker’s story and, upon further questioning, Parker admitted making false statements and creating the email addresses to support his story. According to the Fox28Media story, the nurse was a former lover of Parker.

“Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations,” said U.S. Attorney Bobby L. Christine. “This fake complaint caused a diversion of resources by federal investigators, as well as an unnecessary distraction for an important health care institution in our community.”

Parker was charged with one count of false statements by the U.S. Attorney for the Southern District of Georgia. Parker now faces up to five years imprisonment for the crime.

“Hopefully the quick uncovering of this alleged scheme by our investigators will send a message that these types of actions will be exposed, and justice will be served,” said Chris Hacker, Special Agent in Charge of FBI Atlanta.


Second Lawsuit Filed Against Kalispell Regional Healthcare Over Phishing Attack

A second lawsuit has been filed against Kalispell Regional Healthcare in Montana over a May 2019 phishing attack that saw the email accounts of some of its employees accessed by cybercriminals.

Kalispell Regional Healthcare learned about the breach on August 28, 2019. The investigation revealed the hackers gained access to employee email accounts on May 24, 2019 and potentially accessed patient information. A forensic investigation revealed the accounts contained the protected health information of as many as 140,209 patients.

According to Kalispell Regional Healthcare’s substitute breach notification on its website, the following information was compromised in the breach: Names, addresses, email addresses, telephone numbers, dates of service, treatment information, health insurance information, treating and referring physicians’ names, and medical bill account numbers. Kalispell Regional Healthcare said 250 or fewer patients had their Social Security number exposed. Patients affected by the breach were offered complimentary credit monitoring and identity theft protection services and steps have been taken to improve email security.

The first lawsuit was filed on November 25, 2019 in the Cascade County District Court in Great Falls, MT by attorney John Heenan on behalf of William Henderson, whose personal information was exposed in the breach. The lawsuit alleges the healthcare provider was negligent for failing to take appropriate steps to secure patient data and that industry best practices for securing patient data were not followed. Henderson claims he faces an increased risk of identity theft and fraud as a result of the breach, but it does not appear that his personal information had been misused at the time the lawsuit was filed. The lawsuit alleges violations of the Montana Uniform Health Care Information Act.

The second lawsuit was filed on December 24, 2019 by attorney William Rossbach on behalf of two patients who were impacted by the breach. The lawsuit also claims Kalispell Regional Healthcare violated the Montana Uniform Health Care Information Act. One of the patients, Annette Nevidomsky, claims she was a victim of fraud and had unauthorized charges on her accounts in the wake of the breach.

Both attorneys are seeking class action status for their lawsuits.


Georgia Supreme Court Overturns Ruling on Athens Orthopedic Clinic Data Breach Lawsuit

A lawsuit filed against Athens Orthopedic Clinic over a June 2016 cyberattack by TheDarkOverlord has been revived by the Georgia Supreme Court.

The cyberattack in question involved the theft of patient data from the clinic. A ransom demand was issued and the hacking group claimed the data would be returned if the ransom was paid. The clinic refused to pay the ransom and, in response, the hacking group claimed to have sold some of the data. Later, the hacking group published portions of the stolen data on Pastebin, where it was downloaded by others.

Three victims of the data breach, Christine Collins, Paulette Moreland, and Kathryn Strickland, alleged that since their personal data had fallen into the hands of cybercriminals, had been offered for sale on the dark net, and had been downloaded by some individuals, they were placed at risk of identity theft and other types of fraud.

One of the plaintiffs, Christine Collins, alleged there were fraudulent charges made to her credit card shortly after the cyberattack and that she had to spend time getting those charges reversed. She also had to place fraud alerts on her credit file to prevent further harm.

The plaintiffs sought damages based on the costs they had incurred arranging credit monitoring and identity theft protection services – which were not offered by the clinic – and attorneys’ fees, and also sought injunctive relief under the Georgia Uniform Deceptive Trade Practices Act.

The lawsuit was granted standing by the lower court, but Athens Orthopedic Clinic filed a motion to dismiss, which was granted by the Court of Appeals. The Court of Appeals found the negligence claim was invalid, as the plaintiffs were attempting to recover damages for “an increased risk of harm.” This was considered speculative harm and did not constitute a cognizable injury under Georgia tort law.

The Supreme Court has now overturned that decision and has ruled that the plaintiffs had alleged sufficient harm for the case to survive a motion to dismiss.

“The plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial.’ This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach. As this case comes before us on a motion to dismiss, we must accept this factual allegation as true,” wrote the Supreme Court in its ruling.

The Supreme Court determined the Court of Appeals had based its ruling on two other cases that were far different from the Athens Orthopedic Clinic cyberattack. In both of those cases there was no evidence to suggest that any stolen data had been obtained by cybercriminals; therefore there was no imminent and substantial risk of identity theft and fraud.

In the case of the Athens Orthopedic Clinic cyberattack, the plaintiffs’ data was stolen by a cybercriminal who threatened to sell the data, attempted to do so, and the data was downloaded by others. “At this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers.” Consequently, there is an “imminent and substantial risk” of identity theft and fraud. The Supreme Court ruled that “These allegations are sufficient to survive a motion to dismiss the plaintiffs’ negligence claims.”


Lawsuit Filed Against DCH Health System Over October Ransomware Attack

A lawsuit has been filed in the Western Division of U.S. District Court for the Northern District of Alabama against DCH Health System over a ransomware attack on October 1, 2019.

The ransomware attack on the 3-hospital health system forced it to take its systems offline for a period of 10 days while systems were rebuilt and data was recovered. During that time, some non-emergency appointments had to be cancelled and patients experienced delays receiving treatment and, in some cases, had to seek medical services from other medical facilities in the state.

It is the delay to treatment that has spurred the lawsuit. Four patients are named in the lawsuit and allege they suffered harm as a result of the shutdown of the health system’s systems, which disrupted their daily lives and forced them to forgo medical care and treatment or seek care and treatment from alternative facilities during the ten days when DCH Health System’s systems were offline.

One of the plaintiffs, who filed on behalf of her daughter, was told that the ransomware attack was causing delays in the emergency room and that she would be required to wait around 5 hours for her daughter to receive treatment for an allergic reaction that had caused severe swelling and forced her daughter’s eyes shut. If she was unable to wait, she was told that she could travel from Tuscaloosa to Birmingham to receive medical treatment or visit Walgreens. The patient claims that as a result of the delay receiving treatment it took 3 days before the swelling started to go down.

One patient who was staying at the hospital after surgery said that as a result of her medical records being inaccessible, she was unable to be prescribed medications during her stay. Another patient had gone to the emergency room and had x-rays taken a few days before the attack, but her orthopedic treatment was delayed as a result of the attack. The lawsuit also alleges that the plaintiffs’ protected health information was potentially compromised in the attack.

The plaintiffs claim that DCH Health System violated state laws and HIPAA and the failure to implement appropriate cybersecurity measures to safeguard its systems and data amounted to negligence. The lawsuit also alleges an invasion of privacy, breach of contract, and breach of fiduciary duty.


Banner Health Agrees to Pay $6 Million to Settle Data Breach Lawsuit

In June 2016, Banner Health suffered a data breach in which the protected health information of 2.9 million individuals was allegedly stolen by hackers. In August 2016, a class action lawsuit was filed by victims of the breach. A settlement has now been reached and Banner Health has agreed to pay $6 million to breach victims to resolve the lawsuit, according to documents filed in the U.S. District Court of Arizona on December 5, 2019.

Plaintiffs alleged that the attack was financially motivated, and that hackers gained access to systems containing patient information and exfiltrated the protected health information of approximately 2.9 million individuals. The types of information stolen by the hackers included names, addresses, dates of birth, Social Security numbers, prescription information, medical histories and, for around 30,000 individuals, credit and debit card numbers. Individuals whose credit and debit card numbers were stolen had visited food and beverage outlets at Banner Health hospitals. Malware had been installed which exfiltrated card numbers when purchases were made. The hackers had access to Banner Health systems for approximately 2 weeks.

The lawsuit alleges Banner Health failed to implement appropriate safeguards to protect against cyberattacks, such as multi-factor authentication, firewalls, and data encryption.

The plaintiffs argued that the cyberattack on Banner Health placed them at “a significantly increased risk of suffering devastating and expensive financial and medical identity theft.” Some plaintiffs claimed to have suffered identity theft and fraud as a direct result of the data breach.

Under the terms of the settlement, plaintiffs will be able to submit reimbursement claims for expenses incurred as a result of the data breach. Claims will be accepted up to a maximum of $500 per person for standard expenses, and up to $10,000 for extraordinary expenses. Banner Health has placed an overall cap of $6 million on expenses claims.

Additionally, individuals affected by the breach have been offered an additional 2 years of credit monitoring and identity theft protection services. The plaintiffs have filed a motion for preliminary approval of the settlement.


Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach

Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients.

The compromised email accounts contained patient information such as names, contact information, medical bill account numbers, medical histories, and health insurance information. Approximately 250 individuals also had their Social Security number exposed.

The phishing attack occurred in May 2019, but it was not initially clear which, if any, patients had been affected. It took until August for forensic investigators to determine that patient information had potentially been compromised.

All affected patients were notified, and the health system offered 12 months of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been compromised.

One of the patients whose personal and health information was compromised has now taken legal action over the data breach. The lawsuit was filed in Cascade County District Court in Great Falls, MT on November 25 by attorney John Heenan. Heenan is seeking class action status for the lawsuit.

The lawsuit alleges Kalispell Regional Healthcare failed to take the necessary steps to keep patients’ personal and health information private and confidential, did not abide by best practices and industry standards for securing patient data, and failed to notify patients about the breach in a timely manner. As a result of the alleged failures, the lawsuit alleges, patients have been placed at risk of identity theft and fraud.

It does not appear that Henderson’s personal and health information had been misused at the time the lawsuit was filed; however, he claims that he is at risk of identity theft and fraud, which could occur at any time now that his information is in the hands of hackers.

Patients cannot sue healthcare providers for damages under HIPAA as there is no private cause of action, but it is possible to take legal action in many states over healthcare data breaches, as is the case in Montana.

The Montana Uniform Health Care Information Act allows victims of healthcare data breaches to sue healthcare providers for violations of the Act. The lawsuit alleges Kalispell Regional Healthcare is in violation of the Act.

After it was learned that patient information had potentially been compromised, the health system issued notifications to affected patients and reported the breach to local media outlets in the areas it serves.

Kalispell Regional Healthcare’s director of information technology, Melanie Swenson, explained that “This wasn’t your everyday, average hacker. They were very sophisticated at disguising their tracks.” She also explained that protecting the privacy of patients is a key priority for the health system and that email security solutions had been implemented prior to the attack to block spam and phishing emails. The security solutions were blocking around 50,000 inbound email threats each day. She also stated that CynergisTek had conducted an audit of the health system in 2018 and found it to be in the top 9% of healthcare industry organizations for cybersecurity compliance.

Since the attack, email security has been improved and the health system has increased training for employees to help them recognize phishing attacks and other email threats.
