Security Researcher Identifies Exposed 150,000-record Home Health Care Database – The HIPAA Journal
Cybersecurity researcher Jeremiah Fowler has found an exposed 23.7 GB database containing more than 145,000 files, such as PDFs, PNGs, and other image files. The database has been linked to the California home health and palliative care provider, Archer Health. Fowler analyzed a sample of the files and identified patient names, contact information, Social Security numbers, and patient ID numbers. The files included medical documents such as discharge summaries, which included health information such as conditions, diagnoses, admission and discharge dates, treatment information, care plan information, as well as assessments and home health certifications.
Many of the image files were screenshots of healthcare management software that showed active dashboards, logging, tracking, and scheduling details. Some of the folder names included patients’ first and last names – a bad security practice. As Fowler pointed out, personally identifiable information such as patient names can easily be exposed through error or monitoring logs. Fowler was able to link the database to Archer Health and notified the company about the exposed database, which was secured within hours and is no longer accessible. Archer Health thanked Fowler for bringing the matter to their attention and confirmed that an investigation had been launched, and any security issues that led to the exposure would be addressed.
It was not possible to tell how long the database was exposed, if it was accessed or copied by any unauthorized individuals, or whether the database was maintained by Archer Health or one of its vendors. Since only a sample of files was analyzed, it is unclear how many patients had their data exposed.
Mailing Error Impacts More Than 3,100 Arizonans
The Arizona Health Care Cost Containment System (AHCCCS), Arizona’s Medicaid agency, has notified 3,177 members about an impermissible disclosure of a limited amount of protected health information. On August 29, 2025, a mailing error in a routine mailing regarding members’ health plan enrollment was identified when a member called AHCCCS after receiving a misdirected letter.
The mailing was immediately halted, and an investigation was launched to determine the cause of the error, the individuals affected, and the information involved. The letters did not include any highly sensitive information, such as Social Security numbers, only a member’s name, AHCCCS identification number, and health plan name. In each case, the letters were sent to one incorrect recipient. AHCCCS said it has conducted a review of its mailing processes and procedures and has taken steps to prevent similar mis-mailings in the future.
Flo Health; Google; Flurry to Pay $59.5M to Settle Privacy Lawsuit – The HIPAA Journal
A settlement has been finalized to resolve litigation against Flo Health, Inc., Google LLC, and Flurry, Inc., over the use of tracking code in Flo Health’s fertility tracking app. Under the terms of the settlement, the defendants will pay almost $60 million to cover legal costs, expenses, and benefits for the plaintiffs and class members.
The Flo Health app is one of the most popular health and wellness apps and has over 38 million monthly users. Prior to using the app, users are asked a series of personal questions about their general, sexual, and gynecological health and menstrual cycles. Further questions are asked as use of the app continues, with the answers used to provide tailored health and wellness advice. Users are told that their information will remain private and confidential and will not be shared with any third parties unless consent is provided, yet code within the app (software development kits) shared that data with the defendants, without the knowledge or consent of app users.
Several lawsuits were filed against Flo Health and the other defendants, which were consolidated into a single action due to the actions having overlapping claims – Erica Frasco, et al v. Flo Health, Inc., Meta Platforms, Inc., Google, LLC, and Flurry, Inc. The lawsuit alleged common law invasion of privacy – intrusion upon seclusion, invasion of privacy, violation of the California Constitution, breach of contract, breach of implied contract, unjust enrichment, and violations of the Stored Communications Act, California Confidentiality of Medical Information Act, Cal. Bus & Prof. Code, and the comprehensive Computer Data Access and Fraud Act.
Meta Platforms Inc. was also a named defendant; however, Meta chose not to settle, and the case proceeded to a jury trial. The jury sided with the plaintiffs and found that Meta was in violation of the California Invasion of Privacy Act. Meta Platforms intends to file an appeal. While the settlement was announced in July, the details have only recently been provided to Judge James Donato in the U.S. District Court for the Northern District of California, San Francisco Division. Under the terms of the settlement, $59.5 million will be paid by the defendants: Google has agreed to pay $48 million, Flo Health will pay $8 million, and Flurry will pay $3.5 million. Flo Health has also committed to ensuring app users’ privacy, and will display a prominent notice on its website to that effect for a period of one year following final approval of the settlement.
Attorneys for the plaintiffs will receive one-third of the settlement amount, which will also cover legal expenses, settlement administration costs, and service awards for the eight named plaintiffs. The remainder of the settlement will be used to pay for benefits for the class members. The class consists of all app users who used the app between November 1, 2016, and February 28, 2019.
Bayhealth Medical Center Agrees to Settle 2024 Data Breach Lawsuit – The HIPAA Journal
Bayhealth Medical Center in Dover, Delaware, has agreed to settle a proposed class action lawsuit stemming from a 2024 ransomware attack. The attack was detected on July 31, 2024, when suspicious activity was observed within its computer network. The forensic investigation determined that the threat actor had access to its systems from July 27 to July 31, 2024, and that files were exfiltrated during the attack. The data breach was reported to the HHS’ Office for Civil Rights on October 14, 2024, as involving the electronic protected health information of 497,047 individuals. The stolen files contained patients’ names, medical information, and Social Security numbers. The Rhysida ransomware group claimed responsibility for the attack and uploaded samples of the stolen data to its dark web data leak site, including identification documents, Social Security numbers, contact information, and other sensitive patient data.
Rhysida is a ransomware-as-a-service group that has been in operation since at least 2023. The group engages in double extortion tactics, demanding payment for the decryptor and to prevent the publication or sale of stolen data. Rhysida often states that stolen data will be auctioned to the highest bidder, only leaking the data if a buyer cannot be found. The lawsuit claims that Rhysida demanded a 25 Bitcoin ransom, which at the time was valued at approximately $1.4 million, and gave a payment deadline of August 14, 2024.
Bayhealth was quick to notify patients about the incident, adding a notice to its Facebook page on August 3, 2024. Then, on August 7, 2024, the CEO of Bayhealth confirmed publicly that the company was aware of Rhysida’s claim of data theft and the posting of certain data on the group’s data leak site. Bayhealth patient Sally Cannon Dunlop discovered in August 2024 that some of her ePHI had been published on the dark web, which she believed came from the attack on Bayhealth. Later that month, she filed a lawsuit individually and on behalf of other similarly situated individuals, alleging negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty, and seeking compensatory, exemplary, punitive, and statutory damages.
Dunlop alleges that Bayhealth failed to implement reasonable and appropriate safeguards to protect patient data, and that the ransomware attack was the latest in a string of hacking-related data breaches that were a result of a failure of Bayhealth to follow FTC guidelines and comply with the HIPAA Rules. Bayhealth denies any wrongdoing; however, last month, following mediation, it agreed to settle the litigation. The details of the settlement are being finalized, and the settlement agreement is due to receive preliminary approval in early October.