$6 Million Settlement Proposed to Resolve UKG/Kronos Data Breach Lawsuit

UKG (Ultimate Kronos Group), a multinational provider of workforce management and human resources (HR) management services, has proposed a $6 million settlement to resolve claims related to a ransomware attack and data breach that was discovered in 2021. The breach affected several of its healthcare clients, including Allegheny Health Network, Highmark Health, Baptist Health, UF Health, Ascension, Shannon Medical Center, and Franciscan Missionaries of Our Lady Health System.

UKG was formed in 2020 when Ultimate Software acquired Kronos, a Lowell, MA-based workforce management and human capital management cloud provider. On December 11, 2021, suspicious activity was detected in the Kronos private cloud where UKG solutions were deployed, including UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling. The disruption to those solutions came at a time when UKG's healthcare provider clients were experiencing patient surges due to COVID-19 and flu, and it left them unable to process employee paychecks for weeks. UKG also confirmed that the hackers exfiltrated sensitive data from the private cloud. The attack reportedly affected around 2,000 of its clients.

Legal action – In re: UKG Inc. Cybersecurity Litigation – was taken by the victims of the breach, who alleged that UKG had failed to implement reasonable and appropriate safeguards to protect against ransomware attacks and that, had those measures been taken, the ransomware attack would not have succeeded and millions of individuals would not have had their sensitive data compromised and their paychecks delayed.

UKG chose to settle the lawsuit with no admission of wrongdoing. Under the terms of the proposed settlement, class members are entitled to submit claims of up to $1,000 for unreimbursed ordinary expenses, which include losses traceable to the data breach such as communication charges and bank fees but not lost wages, along with up to 4 hours of lost time at $25 per hour. Any individual who experienced identity theft or fraud can submit a claim for up to $7,500 to recover documented, unreimbursed extraordinary losses.

Members of two subclasses are entitled to additional payments. Individuals who were notified that their sensitive data was exfiltrated and were offered credit monitoring services are entitled to receive a payment of $100 in addition to any claims for ordinary and extraordinary losses. Individuals who were residents of California at the time of the attack will be entitled to receive an additional payment of $30 in addition to any claims submitted.

The deadline for exclusion from and objection to the settlement is September 18, 2023. The deadline for submitting claims is October 3, 2023. The final fairness hearing has been scheduled for November 17, 2023.

The post $6 Million Settlement Proposed to Resolve UKG/Kronos Data Breach Lawsuit appeared first on HIPAA Journal.

Imagine360 Suffers Breaches of Two File-Sharing Platforms

Imagine360, a Wayne, PA-based provider of a self-funded health plan solution for employers, was the victim of two cyberattacks this year involving its file-sharing solutions. The first attack was detected on or around January 30, when suspicious activity was identified within its Citrix file-sharing solution, which Imagine360 uses to securely exchange files related to self-insured health plans. Steps were immediately taken to secure the platform by taking it offline, passwords were reset, and an investigation was launched into the attack.

A few days later, while Imagine360 was investigating the Citrix breach, a vulnerability was exploited in another file-sharing platform – Fortra’s GoAnywhere Transfer solution. Fortra determined that an unauthorized actor – now known to be the Clop ransomware group – exploited a zero-day vulnerability and stole sensitive data.

Imagine360 independently investigated both security incidents and confirmed that its own systems were unaffected and remained secure at all times; however, files were stolen in both attacks between January 28 and January 30, 2023. The stolen files included names, medical information, health insurance information, and Social Security numbers, with the impacted data varying from individual to individual.

The review of the affected files took until June 1, 2023, after which contact information was verified to allow notification letters to be sent. Imagine360 said the decision was taken to suspend the use of the Fortra file transfer solution, and additional safeguards have been added to its policies, processes, and security measures to prevent similar breaches in the future.

The notification letter to the California Attorney General and the version uploaded to the Imagine360 website make no mention of credit monitoring and identity theft protection services being offered to the affected individuals. It is also unclear at this stage how many individuals have been affected as the incident has yet to appear on the HHS’ Office for Civil Rights breach portal.

The post Imagine360 Suffers Breaches of Two File-Sharing Platforms appeared first on HIPAA Journal.