Onix Group Sued for Failing to Prevent a Ransomware Attack and 320K-Record Data Breach

Onix Group, a Pennsylvania-based real estate development firm and provider of business management and consulting services, is being sued for failing to prevent a ransomware attack in which the hackers stole the protected health information of 320,000 individuals.

The ransomware attack was detected by Onix Group on March 27. The forensic investigation confirmed that hackers had access to its internal network between March 20 and March 27, 2023, during which time they exfiltrated files that contained employee, affiliate, and client information. The breached information included names, dates of birth, clinical information, and the Social Security numbers of patients of its healthcare clients, and the health plan enrollment and direct deposit information of employees. Healthcare clients affected by the breach included Addiction Recovery Systems, Cadia Healthcare, and Physicians Mobile X-Ray.

The lawsuit, Eric Meyers v. Onix Group LLC, was filed in the U.S. District Court for the Eastern District of Pennsylvania and alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, and unjust enrichment. The lawsuit claims Onix Group had a legal obligation to implement reasonable and appropriate safeguards to ensure the confidentiality of the data it stored, but instead stored that information in a vulnerable and dangerous condition, then unnecessarily delayed notifications to affected individuals for two months. While Onix Group offered affected individuals 12 months of complimentary credit monitoring services, the lawsuit claims the offer is wholly inadequate, as the plaintiff and class members face a lifelong risk of identity theft and fraud as a result of the theft of their sensitive data.

The lawsuit seeks class action status, a jury trial, damages, and injunctive relief, including an order from the court prohibiting Onix Group from engaging in wrongful and unlawful acts and requiring it to implement adequate cybersecurity measures. Those measures include the development, implementation, and maintenance of a comprehensive information security program, data encryption, third-party security audits and penetration tests, further information security training for all employees including tests of their security knowledge, updates to its data retention policies, and for the company to stop storing personally identifiable information and protected health information in cloud databases.

The plaintiff and class members are represented by Milberg Coleman Bryson Phillips Grossman, PLLC; Chestnut Cambronne, PA; and Sanford Law Firm, PLLC.

The post Onix Group Sued for Failing to Prevent a Ransomware Attack and 320K-Record Data Breach appeared first on HIPAA Journal.

SEC Postpones Final Rule on Cyber Incident Disclosures

The Securities and Exchange Commission (SEC) was due to issue a final rule that would implement new regulatory requirements for publicly traded companies to disclose material cyber breaches in their regulatory filings within 4 days of the discovery of a breach. The decision has now been delayed until at least October 2023. A draft rule was proposed in March 2022 to improve transparency about cybersecurity incidents at publicly traded companies. The proposed rule called for publicly traded companies to ensure that investors are made aware of any material cybersecurity incidents and disclose information about cybersecurity governance, the level of board expertise in dealing with cybersecurity incidents, and the involvement of upper management in cyber risk. A new rule was also proposed for investment advisers, registered investment companies, and business development companies in February 2022 that requires them to develop, implement, and maintain written cybersecurity policies and procedures to address cybersecurity risks.

Regulatory changes to force publicly traded companies to disclose cyber incidents were seen to be necessary as many were choosing not to disclose these incidents to avoid potential lawsuits and minimize reputational harm. Only one-quarter of ransomware attacks are reported to public authorities, as the reporting of cyber incidents is voluntary. The proposed rules were subject to two comment periods, and more than 175 comments have been submitted in response to the proposed cyber rules. The final rule was expected to be published as early as April 3, 2023; however, the SEC has now stated in a recent update to its rulemaking agenda that its new cyber rules will not be published until at least October 2023. The SEC did not provide a reason for the delay; however, there has been considerable pushback on the proposed rules.

While there has been broad support for the new cyber requirements for improving transparency, the devil is in the detail, especially the 4-day reporting requirement, which many commenters believe would hinder the ability of public companies to stop, investigate, remediate, and defend against cybersecurity incidents. The cybersecurity firm Rapid7 warned that the 4-day disclosure deadline would force companies that suffer security incidents to publicly disclose them before they had been fully contained, which would tip off hackers, make the companies more vulnerable, and could lead to greater harm to investors. Rapid7 requested that companies be allowed to delay reporting until a cyber incident has been fully remediated.

The U.S. Chamber of Commerce said the SEC is attempting to micromanage corporate cybersecurity programs and the proposed rule would not necessarily protect investors. The SEC was criticized for the 4-day reporting period as it did not give companies sufficient time to evaluate the severity of security incidents. The requirement to disclose whether the board has cybersecurity expertise was also criticized as it could lead to unwieldy and unwanted outcomes, such as giving investors a false level of confidence in the ability of a company to deal with the security incident. In its comments, the Chamber of Commerce said it would be difficult even for NIST to pinpoint what constitutes expertise or experience in cybersecurity that would earn widespread agreement among industry professionals.
