NuLife Med Settles Class Action Data Breach Lawsuit
The Manchester, New Hampshire-based medical equipment company, NuLife Med, has agreed to settle a class action lawsuit that was filed in response to a March 2022 data breach that affected more than 80,000 individuals.
NuLife Med identified suspicious activity within its computer network on March 11, 2022. The forensic investigation revealed hackers had access to its systems between March 9 and March 11, 2022, during which time data was viewed or exfiltrated. The compromised data included names, addresses, medical information, health insurance information, and in some cases, Social Security numbers, driver’s licenses, and financial account/credit card information.
A lawsuit was filed in the US District Court for the Southern District of Florida – Pires, et al. v. NuLife Med LLC – that alleged NuLife Med was negligent for failing to implement appropriate safeguards to keep patient data private and confidential, which allowed a data breach to occur that was entirely preventable. The lawsuit claimed that the plaintiff, Victor Pires, and similarly situated individuals, suffered an injury as a result of the negligence and incurred out-of-pocket expenses dealing with the data breach.
NuLife Med chose to settle the lawsuit to avoid the expense of ongoing litigation and the uncertainty of trial, but admitted no wrongdoing. The total value of the settlement has not been disclosed. Individuals who received a notification letter from NuLife Med about the data breach are entitled to submit a claim if they can provide documented proof of losses, and will receive a check for up to $25. Alternatively, class members can elect to receive one year of credit monitoring services instead.
The deadline for submitting a claim is June 20, 2023. The deadline for objection to or exclusion from the settlement is May 16, 2023. The final approval hearing for the settlement has been scheduled for June 5, 2023.
The post NuLife Med Settles Class Action Data Breach Lawsuit appeared first on HIPAA Journal.
Security Teams Pressured into Keeping Quiet About Security Breaches
Ransomware and phishing attacks on organizations have increased over the past 12 months, as have the costs associated with the attacks. In 2022, the average cost of a data breach increased to $4.35 million, and to $10.1 million for healthcare data breaches (IBM Security).
Due to the high costs and reputational damage caused by data breaches, cybersecurity teams are being pressured into keeping cyberattacks and data breaches quiet, even though there are often legal requirements for reporting data breaches. The recently published Bitdefender 2023 Cybersecurity Assessment has revealed the extent to which cybersecurity teams are being pressured into staying silent about data breaches. In the United States, 74.7% of respondents said they had experienced a data breach or data leak in the past 12 months and 70.7% of those respondents said they had been told to keep a security breach confidential when it should have been reported. 54.7% of respondents said they did keep a security breach confidential when they knew it should be reported.
Bitdefender’s survey suggests healthcare organizations are failing to report data breaches. 28.6% of healthcare respondents said they were told not to report a security incident that should have been reported and did not report the breach. In the United States, 78.7% of respondents said they are worried that their company will face legal action due to the incorrect handling of a security breach.
Bitdefender also asked IT professionals about the biggest threats that they now face. In the United States, the biggest perceived threats were software vulnerabilities/zero days (80%), supply chain attacks (73.3%), phishing/social engineering (58.7%), insider threats (50.7%), and ransomware (45.3%), with the human factor the biggest concern for business leaders. The biggest security challenges faced by U.S. organizations were extending security capabilities across multiple environments (49.3%), complexity (49.3%), incompatibility with other security solutions (32.1%), and reporting capabilities (40%).
Respondents were also asked about the biggest security myths that they would love to see busted. The biggest bugbear was that the organization is not a target for cybercriminals (42.7%), closely followed by using non-corporate approved apps is not a big deal (40%), that security is the sole responsibility of the IT department (36%), and emails that are delivered to inboxes are always safe to click/open (36%).
Given the increase in cyberattacks on U.S. organizations, it is reassuring that 78.7% of respondents said they are planning to increase their security budgets. 49.3% of respondents said they were planning to cut back on new cybersecurity tech purchases and 38.7% said they were cutting back on new cybersecurity hires, as organizations look to security vendors to provide assistance. 95% of respondents said they are planning on increasing the number of security vendors, and 90% said they are looking for holistic, all-in-one security solutions to ease the burden and avoid compatibility issues.
The survey for the report was conducted by Censuswide on 400 IT professionals from junior IT managers to CISOs, in organizations with 1000+ employees in the USA, UK, Germany, France, Italy, and Spain.
The post Security Teams Pressured into Keeping Quiet About Security Breaches appeared first on HIPAA Journal.
CommonSpirit Health Issues Update Confirming 164 Facilities Affected by Ransomware Attack
CommonSpirit Health has issued an update about its October 2022 ransomware attack and has confirmed that patients from 164 facilities were affected by the attack and had their sensitive data exposed or stolen. CommonSpirit Health detected the ransomware attack on October 2, 2022, and the forensic investigation revealed unauthorized individuals had access to its systems between September 16, 2022, and October 3, 2022.
In December 2022, CommonSpirit Health confirmed that the threat actor responsible for the attack had stolen patient data prior to encrypting files, and said patients of Franciscan Medical Group/Franciscan Health and Virginia Mason Franciscan Health facilities had been affected. Those individuals were notified about the data breach in December. In February 2023, CommonSpirit Health issued a further update confirming the attackers also obtained the data of patients of St. Luke’s Diagnostic Cath Lab, Diagnostic Heart Center in Houston, TX, and sent notifications to those individuals in February.
The latest update on the ransomware attack was issued on April 6, 2023, and confirmed that the breach affected patients who had received care at certain facilities operated by Catholic Health Initiatives, Dignity Health, Centura Health, and MercyOne, and shared a list of 164 hospitals and care sites that are known to have been affected. The investigation confirmed that the attackers had access to two file servers that contained files that included patient data such as names, addresses, birth dates, phone numbers, email addresses, dates of service, medical record numbers, healthcare provider names, diagnosis/treatment information, medical billing/claims information, patient facility associated account/encounter numbers, and health insurance information and, for a small number of individuals, Social Security numbers.
CommonSpirit Health said the delay in issuing the latest notifications was due to the incredibly time-consuming review of all files stored on those file servers to determine if they contained patient data, and which patients had been affected. The initial phase of that process was completed on February 21, 2023, and then accurate address information needed to be found to allow notifications to be sent.
CommonSpirit Health reported the data breach to the HHS’ Office for Civil Rights on December 1, 2022, as affecting 623,774 individuals. That total has not been updated since, and CommonSpirit Health has not publicly confirmed at this stage exactly how many individuals have been affected. Given the number of hospitals now known to have been affected, that total is likely to increase by a substantial amount.
The full list of affected facilities detailed in the April 6 update is:
Hospital/Care Site | State |
St. Vincent Infirmary Little Rock | Arkansas |
St. Vincent North Sherwood | Arkansas |
St. Vincent Hot Springs Hot Springs | Arkansas |
St. Vincent Morrilton Morrilton | Arkansas |
CHI St. Vincent Medical Group Little Rock | Arkansas |
CHI St. Vincent Medical Group Hot Springs | Arkansas |
CHI Memorial Georgia Hospital Fort Oglethorpe | Georgia |
CHI Memorial – Parkway Ringgold | Georgia |
CHI Memorial Medical Group All Locations | Georgia |
CHI Health Mercy Council Bluffs Council Bluffs | Iowa |
CHI Health Missouri Valley Missouri Valley | Iowa |
CHI Health Mercy Corning Corning | Iowa |
Flaget Memorial Hospital Bardstown | Kentucky |
Saint Joseph Hospital Lexington, Nicholasville | Kentucky |
Saint Joseph Health Community Pharmacy Lexington | Kentucky |
Saint Joseph – Berea Berea | Kentucky |
Saint Joseph East Lexington | Kentucky |
Saint Joseph London London | Kentucky |
Saint Joseph Martin Martin (sold) | Kentucky |
Saint Joseph Mount Sterling Mount Sterling | Kentucky |
Saint Joseph Mount Sterling Outpatient Rehab Mount Sterling | Kentucky |
Saint Joseph Mount Sterling Outpatient Rehab Flemingsburg | Kentucky |
Continuing Care Hospital Lexington | Kentucky |
CHI Saint Joseph Medical Groups Central & Eastern Kentucky | Kentucky |
Jewish Hospital – Louisville (Sold), formerly part of CHI | Kentucky |
CHI LakeWood Health Baudette | Minnesota |
CHI St. Francis Health Breckenridge | Minnesota |
CHI St. Joseph’s Health Park Rapids | Minnesota |
CHI St. Gabriel’s Health Little Falls | Minnesota |
CHI St. Francis Home Breckenridge | Minnesota |
CHI Health at Home All locations | Minnesota |
CHI Health Lakeside Omaha | Nebraska |
CHI Health Midlands Papillion | Nebraska |
CHI Health Plainview Plainview | Nebraska |
CHI Health Creighton University Medical Center – Bergan Mercy Omaha | Nebraska |
Lasting Hope Recovery Center Omaha | Nebraska |
CHI Health Immanuel Omaha | Nebraska |
CHI Health Schuyler Schuyler | Nebraska |
CHI Health Good Samaritan Kearney | Nebraska |
CHI Health Richard Young Behavioral Health Kearney | Nebraska |
CHI Health Nebraska Heart Lincoln | Nebraska |
CHI Health St. Elizabeth Lincoln | Nebraska |
CHI Health St. Francis Grand Island | Nebraska |
CHI Health St. Mary’s Nebraska City | Nebraska |
The Physician Network (including Nebraska Specialty Network, and Lincoln Physician Network) All locations | Nebraska |
CHI St. Alexius Medical Center Bismarck | North Dakota |
CHI St. Alexius Health Carrington & Clinics (includes Foster County Medical Center) Carrington | North Dakota |
CHI St. Alexius Carrington Urgent Care Carrington | North Dakota |
CHI Lisbon Health Lisbon | North Dakota |
CHI St. Alexius Health Devils Lake & Clinics Devils Lake | North Dakota |
CHI Mercy Health Valley City Valley City | North Dakota |
CHI St. Alexius Health Williston Williston | North Dakota |
CHI Oakes Hospital & Clinics Oakes | North Dakota |
CHI St. Alexius Health Turtle Lake Turtle Lake | North Dakota |
CHI St. Alexius Health Garrison & Clinics Garrison | North Dakota |
CHI St. Alexius Health Dickinson & Clinics Dickinson | North Dakota |
CHI Health at Home Fargo | North Dakota |
CHI Friendship Fargo | North Dakota |
CHI St. Alexius Physician Clinics All Locations | North Dakota |
Trinity Medical Center East and West Steubenville | Ohio |
Trinity Hospital Twin City Dennison | Ohio |
Ross Park Pharmacy Steubenville | Ohio |
Trinity Professional Group All locations | Ohio |
Trinity Home Health All locations | Ohio |
CHI Mercy Health Medical Center Roseburg | Oregon |
CHI St. Anthony Medical Center Pendleton | Oregon |
Oregon Surgery Center Roseburg | Oregon |
Centennial Medical Group Roseburg | Oregon |
CHI St. Joseph Children’s Health Lancaster | Pennsylvania |
CHI Memorial Hospital Chattanooga Chattanooga | Tennessee |
CHI Memorial Hospital Chattanooga Outpatient Pharmacy Chattanooga | Tennessee |
CHI Memorial Hospital Hixson Hixson | Tennessee |
Chattanooga Heart Institute Chattanooga | Tennessee |
CHI Memorial Medical Group All Locations | Tennessee |
CHI Baylor St. Luke’s Medical Center Houston | Texas |
CHI St. Luke’s Health Hospital at The Vintage Houston | Texas |
CHI St. Luke’s Health Brazosport Hospital Lake Jackson | Texas |
CHI St. Luke’s Health Lakeside Hospital The Woodlands | Texas |
CHI St. Luke’s Health Patients Medical Center Pasadena | Texas |
CHI St. Luke’s Health Springwoods Village Spring | Texas |
CHI St. Luke’s Health Sugar Land Hospital Sugar Land | Texas |
CHI St. Luke’s Health The Woodlands The Woodlands | Texas |
CHI St. Joseph Regional Medical Center Bryan | Texas |
CHI St. Joseph Health Burleson Hospital Burleson | Texas |
CHI St. Joseph Health Grimes Hospital Navasota | Texas |
CHI St. Joseph Health Madison Hospital Madisonville | Texas |
CHI St. Joseph Health College Station Hospital College Station | Texas |
St. Joseph Encompass Health Rehab Bryan | Texas |
St. Joseph Skilled Nursing and Rehab Bryan and Caldwell | Texas |
CHI St Luke’s Health Memorial Lufkin Lufkin | Texas |
CHI St Luke’s Health Memorial Livingston Livingston | Texas |
CHI St Luke’s Health Memorial St. Augustine St. Augustine | Texas |
CHI St. Luke’s Medical Group All locations | Texas |
CHI St. Joseph Health Medical Group All locations | Texas |
CHI St. Luke’s Health Memorial Clinics All locations | Texas |
St. Michael Medical Center (formerly Harrison Hospital) Bremerton & Silverdale | Washington |
St. Anne Hospital (Formerly Highline Hospital) Burien | Washington |
St. Anthony Hospital Gig Harbor | Washington |
St. Clare Hospital Lakewood | Washington |
St. Elizabeth Hospital Enumclaw | Washington |
St. Francis Hospital Federal Way | Washington |
St. Joseph Hospital Tacoma | Washington |
The former CHI Franciscan Health System Tacoma | Washington |
Franciscan Health Medical Group All locations | Washington |
Franciscan Hospice and Palliative Care Tacoma | Washington |
The breach also affected patients who received care through CHI Health at Home at the following facilities:
Hospital/Care Site |
Albany Area Home Health and Hospice North Dakota – closed |
American Nursing Care Columbus IN |
American Nursing Care Dayton, OH |
American Nursing Care Marion, OH |
American Nursing Care Zanesville, OH |
American-Mercy Home Care Cincinnati, OH |
Amerimed Home Infusion Indianapolis, IN |
Amerimed Home Infusion Lexington & Louisville, KY |
Amerimed Home Infusion West Chester, OH |
CHI Franciscan Health at Home University Place, WA |
CHI Franciscan Hospice and Palliative Care Tacoma, WA |
CHI Health at Home Breckenridge & Little Falls, MN |
CHI Health at Home Bismarck, Dickinson, Valley City, & Williston, ND |
CHI Health at Home Plainview, NE |
CHI Health at Home Milford Cincinnati, OH |
CHI Health at Home Hospice Lincoln & Omaha, NE |
CHI Health at Home Infusion Omaha, NE |
CHI Health at Home, Home Care Grand Island, Lincoln, Omaha, NE |
CHI Health Pharmacy Omaha, NE |
CHI Memorial Health at Home Chattanooga, TN |
CHI St. Joseph’s Hospice Park Rapids, MN |
CHI St. Vincent Health at Home Hot Springs, Little Rock & Morrilton, ARK |
Community Health at Home Indianapolis, IN |
Community Mercy Home Care Springfield, OH |
Community Mercy Home Care Pharmacy West Chester, OH |
Cornerstone Medical Services (closed) Cincinnati, Columbus, & Akron OH |
Deaconess Home Health Evansville, IN |
Good Samaritan Home Care Vincennes, IN |
Good Samaritan Home Care Lawrenceville, IL |
Great Plains Rehabilitation Services Bismarck, Dickinson, ND |
Hospice House University Place Tacoma, WA |
Josie Harper Hospice House Omaha, NE |
MedQuest Home Medical Equipment Williston, ND |
Mercy Home Health Roseburg, OR |
Reid Home Health Care Eaton, OH |
Reid Home Health Care Richmond, IN |
Southeastern Home Care Barnesville & Cambridge, OH |
St. Elizabeth Home Care Florence, KY |
St. Elizabeth Home Care Lawrenceburg, IN |
St. Elizabeth Home Medical Equipment Lincoln NE |
St. Vincent Health at Home Arkansas |
Virginia Mason Franciscan Pharmacy & Home Care Tacoma, WA |
VNA Health at Home Clarksville, IN |
VNA Health at Home Bardstown, Campbellsville, Elizabethtown, Lexington, London, & Louisville, KY |
VNA Health at Home Hospice Bardstown & London, KY |
Associated and Former CommonSpirit/CHI Facilities |
Centura Health System Colorado and Kansas |
Jewish Hospital Louisville, KY |
Mercy Medical Center Des Moines and Affiliates Des Moines, Iowa |
Mercy Home Health Services – Iowa Iowa |
Mercy Hospice Johnston-Iowa Iowa |
St. Clare’s Hospital Denville, NJ |
St. Joseph Medical Center, Reading Reading, PA |
University of Louisville Medical Center Louisville, KY |
The post CommonSpirit Health Issues Update Confirming 164 Facilities Affected by Ransomware Attack appeared first on HIPAA Journal.