Legal News

Good Samaritan Hospital Settles Class Action Data Breach Lawsuit

Good Samaritan Hospital in San Jose, CA, has agreed to settle a class action lawsuit that was filed in response to a data breach that exposed the protected health information of up to 233,835 individuals. According to the hospital, unauthorized individuals gained access to an employee email account between October 28 and November 8, 2019, which contained sensitive patient data such as names, birth dates, Social Security numbers, driver’s license numbers, passport numbers, tax identification numbers, financial account numbers, treatment/diagnosis information, health insurance information, billing information, doctors’ names, medical record numbers, medical histories, prescription information, Medicare/Medicaid IDs and patient account numbers.

A lawsuit – Young, et al. v. Good Samaritan Hospital – was filed in the California Superior Court for Los Angeles County against the hospital on behalf of individuals impacted by the data breach. The lawsuit claims the hospital acted unlawfully by failing to prevent the data breach and alleges negligence, violations of the California Confidentiality of Medical Information Act (CMIA), and unlawful/unfair business practices in violation of the California Business and Professions Code.

Good Samaritan Hospital denied all of the allegations, maintains there was no wrongdoing, and claims it was fully compliant with all federal and state laws; however, the decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial. The proposed settlement has been agreed upon by all parties but has yet to receive final approval from a judge. The final approval hearing has been scheduled for Sept. 5, 2023.

The total settlement fund has not been disclosed; however, all class members are entitled to claim up to $1,500 as reimbursement for ordinary expenses, which are documented expenses that were incurred as a result of the data breach. Ordinary expenses include credit monitoring costs, phone calls, interest on loans, communication charges, card re-issuance fees, and unreimbursed bank fees. Individuals who have suffered identity theft, medical fraud, tax fraud, other forms of fraud, or other actual misuse of their personal information can submit claims for documented, unreimbursed extraordinary losses that are reasonably traceable to the data breach, up to a maximum of $5,000.

The deadline for exclusion from and objection to the settlement is July 18, 2023, and all claims must be submitted by July 18, 2023. The class members were represented by Joshua B Swigart of Swigart Law Group AFC and Gayle M Blatt of Casey Gerry Schenk Francavilla Blatt & Penfield LLP.

The post Good Samaritan Hospital Settles Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Intellihartx Facing Class Action Lawsuit Over 490K-Record Data Breach

A lawsuit has been filed against Intellihartx, LLC, (aka ITx Companies), over a cyberattack by the Clop ransomware group that exploited a vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution. The protected health information of 490,000 patients of its healthcare clients was compromised in the attack in late January. Intellihartx was one of 130 GoAnywhere users to be affected.

Intellihartx, a revenue cycle management company, said protected health information was compromised in the January 30, 2023 cyberattack, including names, contact information, insurance information, diagnoses, medications, dates of birth, and Social Security numbers. Affected individuals were notified about the data breach on June 9, 2023, more than 4 months after the discovery of the attack.

The lawsuit, Laren Perrone v. Intellihartx, LLC, was filed in the U.S. District Court for the Northern District of Ohio, Western Division, and alleges the defendant failed to properly secure and safeguard the protected health information of the plaintiff and class members, did not adequately supervise its business associates, vendors, and suppliers, and did not detect the data breach in a timely manner.

The lawsuit claims the defendant was aware of the vulnerability on January 29, 2023, and so could have prevented the data breach. It also claims the breach could have been prevented, or its severity limited, had the defendant limited the patient information it shared with its business associates and employed reasonable supervisory measures to ensure that adequate data security practices, procedures, and protocols were being implemented and maintained by those business associates.

The lawsuit claims the plaintiff and class members face an imminent, immediate, and continuing increased risk of suffering ascertainable losses from the data breach, including identity theft and other fraudulent misuses of their data, and have and will continue to incur out-of-pocket expenses mitigating the effects of the data breach. The lawsuit does not allege that protected health information has already been misused or that identity theft or other fraud has been experienced.

The lawsuit claims the defendant failed to comply with the standards of the Health Insurance Portability and Accountability Act (HIPAA) and FTC guidelines, citing security failures such as a lack of adequate data security systems, practices, and protocols to protect against reasonably anticipated threats or hazards and a failure to mitigate the risks of a data breach.

While monetary relief is being sought to cure some of the plaintiff’s and class members’ injuries, injunctive relief is also sought to ensure the alleged information security issues are corrected to prevent further data breaches in the future. In addition to monetary relief, the lawsuit seeks an order from the court requiring the defendant to fully and accurately disclose the nature of the information that was compromised and to adopt sufficient security practices and safeguards to prevent similar incidents in the future.

The plaintiff and class members are represented by Christopher Wiest, Atty at Law PLLC, and Mason Barney and Tyler Bean of SIRI & GLIMSTAD LLP.


Onix Group Sued for Failing to Prevent a Ransomware Attack and 320K-Record Data Breach

Onix Group, a Pennsylvania-based real estate development firm and provider of business management and consulting services, is being sued for failing to prevent a ransomware attack in which the hackers stole the protected health information of 320,000 individuals.

The ransomware attack was detected by Onix Group on March 27. The forensic investigation confirmed that hackers had access to its internal network between March 20 and March 27, 2023, during which time they exfiltrated files that contained employee, affiliate, and client information. The breached information included names, dates of birth, clinical information, and the Social Security numbers of patients of its healthcare clients, and the health plan enrollment and direct deposit information of employees. Healthcare clients affected by the breach included Addiction Recovery Systems, Cadia Healthcare, and Physicians Mobile X-Ray.

The lawsuit, Eric Meyers v. Onix Group LLC, was filed in the U.S. District Court for the Eastern District of Pennsylvania and alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, and unjust enrichment. The lawsuit claims Onix Group had a legal obligation to implement reasonable and appropriate safeguards to ensure the confidentiality of the data it stored, but instead stored that information in a vulnerable and dangerous condition, then unnecessarily delayed notifications to affected individuals for two months. While Onix Group offered affected individuals 12 months of complimentary credit monitoring services, the lawsuit claims the offer is wholly inadequate, as the plaintiff and class members face a lifelong risk of identity theft and fraud as a result of the theft of their sensitive data.

The lawsuit seeks class action status, a jury trial, damages, and injunctive relief, including an order from the court prohibiting Onix Group from engaging in wrongful and unlawful acts and requiring it to implement adequate cybersecurity measures. Those measures include the development, implementation, and maintenance of a comprehensive information security program, data encryption, third-party security audits and penetration tests, further information security training for all employees including tests of their security knowledge, updates to its data retention policies, and for the company to stop storing personally identifiable information and protected health information in cloud databases.

The plaintiff and class members are represented by Milberg Coleman Bryson Phillips Grossman, PLLC; Chestnut Cambronne, PA; and Sanford Law Firm, PLLC.


Kaiser Permanente Fined $450,000 for CMIA Violations Due to Mailing Error

Kaiser Permanente has been fined $450,000 by the California Department of Managed Health Care (DMHC) for impermissibly disclosing the confidential and protected health information (PHI) of up to 167,095 health plan members. Between October 2019 and December 2019, Kaiser Permanente sent 337,755 mailings to enrollees of its health plan; however, an error updating its electronic medical record system resulted in some mailings being sent to outdated addresses.

Kaiser Permanente was contacted by 8 individuals who said they had opened the packets but realized that they were not the intended recipients, and 1,788 of the packets were returned unopened because the recipients realized they had been sent to the wrong addresses. The mailings were sent to 167,095 enrollees, and Kaiser Permanente could not be sure that those mailings had been received by the intended recipients, which meant thousands of enrollees’ PHI may have been impermissibly disclosed.

DMHC investigated the reported breach and determined there had been an unauthorized disclosure of medical information and negligent maintenance or disposal of medical information, both of which violated the California Confidentiality of Medical Information Act (CMIA). On November 11, 2019, Kaiser Permanente became aware of an error in its electronic medical record system that had resulted in a data breach, but it failed to stop the mailings until December 20, 2019, 39 days after the error was discovered. As a result of that failure to act, a further 175,000 mailings were potentially sent to incorrect addresses.

In addition to the financial penalty, Kaiser Permanente has agreed to take corrective actions to prevent further data breaches of this nature, including updating its software systems, conducting periodic checks to confirm addresses are in sync, and running system checks to ensure it is using the most current physical and/or mailing addresses. Kaiser Permanente will also work with its call center employees to confirm address information, will notify all affected individuals, and will provide refresher training to its staff on the legal standards of the Health Insurance Portability and Accountability Act (HIPAA) concerning the protection of PHI.

“Health plans must protect the confidentiality of enrollee records and maintain and dispose of medical information correctly,” said DMHC Director Mary Watanabe. “Kaiser Permanente agreed to take corrective actions to protect consumers’ confidential information and ensure this doesn’t happen again.”


Russian National Arrested and Charged for LockBit Ransomware Attacks

A Russian national has been arrested in Arizona and charged in connection with LockBit ransomware and other cyberattacks conducted on targets in the United States, Europe, Asia, and Africa since 2020. Magomedovich Astamirov, 20, of the Chechen Republic in Russia, is alleged to have conducted at least 5 LockBit ransomware attacks in the United States and other countries as an affiliate of the LockBit ransomware-as-a-service (RaaS) operation. LockBit is currently the most widely used ransomware variant and has been used to extort around $91 million from U.S. organizations since 2020.

According to the Department of Justice, from at least August 2020, Astamirov conspired with other members of the LockBit RaaS operation to intentionally damage protected computers, commit wire fraud, and deploy ransomware to extort money from companies. He is accused of directly executing at least 5 attacks on targets in the United States and abroad. Astamirov owned, controlled, and used a variety of email addresses, IP addresses, and other online provider accounts to deploy the ransomware and communicate with his co-conspirators and victims. In one of the attacks, law enforcement successfully traced a payment from a victim to an account under Astamirov’s control.

Astamirov has been charged with conspiracy to commit wire fraud and conspiracy to intentionally damage protected computers and to transmit ransom demands. Astamirov faces a maximum jail term of 20 years for the conspiracy to commit wire fraud charge and a maximum penalty of 5 years in jail for the intentionally damaging protected computers charge. In addition, each charge carries a maximum fine of $250,000 or twice the gain or loss from the offense, whichever is greater.

Astamirov is the third alleged LockBit affiliate to be charged in connection with the attacks in the United States, and the second LockBit affiliate to be arrested. The other two individuals are dual Russian and Canadian national Mikhail Vasilev, who is currently in custody in Canada and awaiting extradition to the United States to face the charges, and Mikhail Pavlovich Matveev, who is still at large and has been accused of conducting LockBit, Babuk, and Hive ransomware attacks on targets in the United States.

“The FBI is committed to pursuing ransomware actors like Astamirov, who have exploited vulnerable cyber ecosystems and harmed victims,” said FBI Deputy Director Paul Abbate. “We, in collaboration with our federal and international partners, are fully committed to the permanent dismantlement of these types of ransomware campaigns that intentionally target people and our private sector partners. We will continue to leverage every resource to prevent this type of malicious, criminal activity.”


21,000-Record Data Breach Sparks Trinity Health Class Action Lawsuit

A class action lawsuit has been filed in the U.S. District Court for the Southern District of Iowa against Trinity Health, Mercy Health Network, and Mercy Medical Center – Clinton over a cyberattack and data breach that affected 21,000 patients.

Livonia, MI-based Trinity Health, which operates Mercy Health Network and Mercy Medical Center – Clinton in Iowa, discovered a cyberattack on April 4, 2023, the forensic investigation of which confirmed hackers had gained access to systems containing patients’ protected health information on March 7, 2023, and maintained access to those systems until April 7, when its systems were secured. The data exposed and potentially stolen in the attack included names, addresses, birth dates, Social Security numbers, diagnosis codes, treatment information, prescription information, and service/discharge. Trinity Health offered affected individuals complimentary credit monitoring services for 12 months.

On June 12, 2023, a lawsuit was filed on behalf of plaintiff Jennifer Medenblik that alleges the defendants failed to protect the sensitive data of patients and to monitor their systems for intrusions, which allowed hackers to gain access to the network and the protected health information of 21,000 patients and to remain undetected within those systems for a month. The lawsuit alleges violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and a failure to follow healthcare industry best practices for protecting sensitive data and Federal Trade Commission (FTC) guidelines.

Trinity Health notified affected patients about the attack; however, the lawsuit claims those notifications were inadequate and failed to provide the necessary support. The lawsuit also claims that the defendants have not provided satisfactory assurances to patients that the impacted data has been recovered or deleted, nor that adequate cybersecurity measures have been implemented since the data breach to prevent further security breaches in the future.

The 8-count lawsuit – Medenblik v. Trinity Health Corporation et al – includes allegations of negligence, breach of contract, and breach of confidence, and claims the plaintiff and class members have suffered and are at an imminent, immediate, and continuing increased risk of suffering ascertainable losses. The lawsuit seeks class action status, a jury trial, an award of damages, and funds to cover a lifetime of credit monitoring services and identity theft insurance for the plaintiff and class members.


Senate Committee Advances Rural Hospital Cybersecurity Enhancement Act

The Senate Homeland Security and Governmental Affairs Committee has advanced a bill that seeks to address the current shortage of cybersecurity skills in rural hospitals, which are increasingly targeted by cybercriminals. Rural hospitals do not have the resources available to invest in cybersecurity and struggle to recruit skilled cybersecurity professionals and, as such, are seen as soft targets by cybercriminals.

The Rural Hospital Cybersecurity Enhancement Act, which was introduced by Sen. Josh Hawley (R-MO) and co-sponsored by Sens. Gary Peters (D-MI) and Jon Ossoff (D-GA), requires the Secretary of the Department of Homeland Security to develop, within a year of enactment of the act, a comprehensive rural hospital cybersecurity workforce development strategy to address the current shortage of cybersecurity staff and the growing need for skilled cybersecurity professionals in rural hospitals.

When developing the cybersecurity workforce development strategy, the Secretary should consider partnerships between rural hospitals, private sector entities, educational institutions, and non-profits to expand cybersecurity education and training programs tailored to the needs of rural hospitals, should consider the development of a cybersecurity curriculum and teaching resources for rural educational institutions, and should make recommendations for legislation, rulemaking, and/or guidance for implementing the strategy.

Rural hospitals are operating under increasing financial pressure and lack the necessary funding for cybersecurity. Currently, few rural hospitals have dedicated cybersecurity workers, and IT staff are generally in short supply and overworked. Cybersecurity positions in rural hospitals typically have low remuneration, and the lack of funding means individuals who take on cybersecurity roles do not have access to the latest cybersecurity tools that would be at their disposal in other positions. The global shortage of skilled cybersecurity professionals is unlikely to be resolved in the short to medium term, so the aim of the bill is to address the shortage through teaching programs at rural educational institutions and by developing rural hospital workforces through education on fundamental aspects of cybersecurity.

Sen. Rand Paul (R-TX) tabled an amendment to the original bill, stipulating that CISA should not ask for additional funds for the proposed measures, and the amended bill will now head to the Senate floor for a vote. The advancement of the Rural Hospital Cybersecurity Enhancement Act occurred a few days after the announcement that a rural hospital in Illinois will permanently close on June 16, 2023, due, in part, to the financial pressures caused by a ransomware attack.

“I am encouraged Congress is taking bipartisan action to shore up the ability of small-town hospitals to defend themselves from cyberattacks,” said Senator Hawley. “We must continue working diligently to improve cybersecurity preparedness in rural hospitals to both protect the sensitive medical and personal data of American patients and defend our national security.”


Ransomware Attack Triggers Multiple Lawsuits Against Harvard Pilgrim Healthcare & Point32Health

Harvard Pilgrim Health Care and its parent company, Point32Health, are facing multiple class action lawsuits after hackers gained access to the protected health information (PHI) of more than 2.5 million individuals in an April 2023 ransomware attack.

Point32Health is the second largest insurer in Massachusetts and serves more than 2.4 million customers. Point32Health was formed following the merger of Harvard Pilgrim Health Care and Tufts Health Plan in 2021. According to Point32Health, hackers gained access to Harvard Pilgrim’s systems on March 28, 2023, and maintained access to those systems until April 17, 2023, when the intrusion was detected and blocked. The attack was detected when ransomware was used to encrypt and prevent access to files. The forensic investigation confirmed the affected systems contained PHI such as names, addresses, phone numbers, birthdates, health insurance account information, Social Security numbers, provider taxpayer ID numbers, and clinical information and that information was in the files exfiltrated from its systems. Credit monitoring and identity theft protection services have been offered to affected individuals at no cost for 2 years. Progress has been made in recovering from the attack over the past 7 weeks; however, the IT systems that support the Harvard Pilgrim Health Care commercial and Medicare Advantage Stride health plans have yet to be brought back online and Point32Health expects the recovery process to take a few more weeks.

At least 4 lawsuits have now been filed in the U.S. District Court for the District of Massachusetts in response to the attack that claim the Massachusetts health insurer failed to implement reasonable cybersecurity measures to ensure the confidentiality of members’ information. One of the lawsuits – Salerno Gonzalez v. Harvard Pilgrim Health Care Inc. et al – was filed on behalf of Harvard Pilgrim Health Care member Valeria Salerno Gonzalez. The 4-count lawsuit alleges the defendants “intentionally, willfully, recklessly, or negligently” maintained the sensitive data of customers and that, as a result of the grossly negligent actions of the defendants, hackers were able to gain access to and steal the sensitive data of plan members. The lawsuit alleges the plaintiff and class members have been placed at imminent risk of harm and face an ongoing risk of identity theft and fraud. The lawsuit alleges negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment.

Another lawsuit – Tracie Wilson v. Harvard Pilgrim Health Care, Inc. and Point32Health, Inc. – was filed on behalf of Harvard Pilgrim Health Care plan member Tracie Wilson. The 4-count lawsuit makes similar claims and alleges violations of the HIPAA Security Rule. The lawsuit also takes issue with the time it took the defendants to detect and report the breach. The delay in detection and notification meant the plaintiff and class members were unaware that their sensitive data had been stolen and that they needed to take action to protect against identity theft and fraud. The plaintiff claims to have received an increase in spam texts and phone calls following the data breach and has spent, and will continue to spend, considerable time and effort monitoring her accounts to protect against identity theft. She also claims she has experienced anxiety, sleep disruption, stress, fear, and frustration due to the data breach.

The lawsuits seek class action status, a jury trial, damages, declaratory and other equitable relief, and injunctive relief, and call for an order from the courts to prevent the defendants from engaging in further deceptive practices and to require them to implement reasonable security measures and adhere to FTC guidelines.


Blackbaud Had No Common Law Duty to Ensure the Confidentiality of Trinity Health’s Data

A district court judge in Indiana has allowed a lawsuit against a vendor over its failure to prevent a breach of protected health information to proceed on breach of contract claims, while dismissing the negligence claims on the grounds that there is no common law duty in Indiana to ensure the confidentiality of data provided to a vendor.

The lawsuit was filed by Trinity Health and its insurer, Aspen American Insurance Company (AAIC), against Blackbaud, a provider of software and support services. In order to perform the contracted duties, Blackbaud was provided with the protected health information of patients and donors. In 2020, Blackbaud was the victim of a ransomware attack that affected more than 13,000 customers. Trinity Health was one of the worst affected customers and had more than 3.2 million records stolen in the attack.

There has been a long-running legal battle to recover losses incurred due to the data breach. The same district court previously dismissed Trinity Health/AAIC’s complaint against Blackbaud due to a lack of alleged causation for each of their claims. Trinity Health and AAIC filed an amended complaint which Blackbaud also sought to have dismissed, but on May 31, 2023, District Court Judge Jon E. DeGuilio of the U.S. District Court for the Northern District of Indiana allowed the lawsuit to proceed.

Trinity Health had entered into a Master Application Services Provider Agreement (MSA) with Blackbaud, which also signed a HIPAA business associate agreement (BAA). In the MSA and BAA, Blackbaud agreed to treat Trinity Health’s data in the strictest confidence, exercise reasonable care with the data, and implement reasonable physical, technical, and administrative safeguards to keep the data private and confidential. However, the issue that needed to be resolved was whether Blackbaud had a common law duty to prevent data breaches under Indiana law.

Judge DeGuilio ruled that the amended Trinity Health/AAIC complaint provided a sufficient basis for the claims that it had incurred expenses due to the failure of Blackbaud to comply with its contractual obligations under the MSA and BAA, and that most of the incurred expenses were compensable. He therefore denied the motion to dismiss on two counts – breach of the MSA and breach of the BAA – but granted the motion to dismiss the remaining claims of negligence, gross negligence, negligent misrepresentation, and breach of fiduciary duty.

Blackbaud argued that the negligence and gross negligence claims do not state a plausible claim, as there is no common law duty to safeguard the public from the risk of data exposure. Blackbaud argued that the negligent misrepresentation claim is barred by the economic loss rule and that the breach of fiduciary duty claim should be dismissed as no fiduciary duty was plausibly alleged.

With regard to the negligence and gross negligence claims, Judge DeGuilio ruled that there are no laws or statutes in Indiana that call for the prevention of data breaches. Even the data breach notification law in Indiana only creates a duty to issue notifications about data breaches when they occur, not to prevent them from occurring. While the lawsuit has been allowed to proceed, the dismissal of the negligence and gross negligence claims will severely limit the damages that could be awarded, which will be limited to the economic damages suffered by Trinity Health and AAIC.
