Settlement Agreed to Resolve Comprehensive Health Services Data Breach Lawsuit

Acuity International (formerly known as Comprehensive Health Services, LLC / CHS, LLC), a provider of medical management support services, has agreed to a settlement to resolve a class action lawsuit that was filed in response to a 2020 cyberattack and data breach that impacted 106,910 individuals.

Suspicious activity was detected within the systems of Comprehensive Health Services on September 30, 2020, following the discovery of fraudulent wire transfers; however, it took until November 3, 2022, to determine that personal and protected health information had been compromised in the incident, including names, dates of birth, and Social Security numbers. Affected individuals were notified about the breach on January 20, 2022, and February 14, 2022.

On April 4, 2022, a lawsuit – Arbuthnot v. CHS, LLC – was filed in the US District Court for the Middle District of Florida in response to the breach. The lawsuit alleged a failure to protect sensitive data against unauthorized access, violations of the HIPAA Security Rule, and an unreasonable delay of more than 16 months in informing individuals that their personal and protected health information had been compromised. As a result of the alleged negligence, plaintiff Shannon Arbuthnot and the class members claim they suffered harm and incurred out-of-pocket expenses dealing with the breach and protecting themselves against misuse of their information.

A settlement proposed in February 2023 to resolve the lawsuit has now been finalized, pending final approval by a judge. Acuity maintains there was no wrongdoing and proposed the settlement to avoid the cost, disruption, and distraction of further litigation. The settlement has been approved by Acuity, the class representative, and their legal teams, and is believed to be fair, reasonable, and adequate.

Under the terms of the settlement, individuals who were notified that they had been impacted by the data breach can submit a claim for compensation for ordinary out-of-pocket losses and lost time up to a maximum of $500 per class member, which can include up to 3 hours of lost time at $20 per hour. The claim can include documented losses due to bank fees, phone charges, data charges, postage, costs of credit reports, and any credit monitoring or identity theft protection services purchased between September 30, 2020, and the date of the settlement.

Individuals who were victims of documented identity theft that is reasonably traceable to the data breach are entitled to submit a claim for compensation for extraordinary losses up to a maximum of $3,500 per class member. Extraordinary losses include actual, documented, and unreimbursed monetary losses incurred between September 30, 2020, and the date of the settlement that were more likely than not due to the data breach. In addition, Acuity will cover the cost of two years of credit monitoring services for all class members.

In addition to reimbursing class members for expenses and losses, Acuity has agreed to make security improvements to reduce the risk of future data breaches, many of which have already been implemented. The deadline for exclusion from or objection to the settlement is July 5, 2023; the deadline for submitting a claim is August 3, 2023; and the final approval hearing has been scheduled for August 11, 2023.

The plaintiff was represented by Jon Kardassakis of Lewis Brisbois Bisgaard & Smith, LLP, and the class was represented by John A Yanchunis of Morgan & Morgan and David K Lietz of Milberg Coleman Bryson Phillips Grossman PLLC.

The post Settlement Agreed to Resolve Comprehensive Health Services Data Breach Lawsuit appeared first on HIPAA Journal.

Guide Released on Securing Remote Access Software

Remote access software is used by organizations and their vendors to improve efficiency and productivity and cut costs; however, the same remote access tools can be leveraged by cyber threat actors for a range of malicious purposes while evading detection by security solutions.

Benefits and Risks of Remote Access Software

Remote access software is used for a wide range of purposes and is especially useful for remotely managing and monitoring IT systems and devices. IT support teams use the software to troubleshoot IT issues, provide IT helpdesk support, perform backups and data recovery, reconfigure devices, install new software, apply patches to fix vulnerabilities, and monitor for suspicious network activity. Managed Service Providers (MSPs) extensively use these tools to access clients’ networks to perform a wide range of contracted services.

While the software can improve efficiency and productivity and reduce costs, there is considerable potential for misuse, and remote access solutions are actively targeted by cyber threat actors. By abusing these tools, threat actors can gain broad access to internal systems. Because the same tools are legitimately used by members of the workforce and third-party contractors, their connections are often not flagged as malicious by security solutions, which allows malicious actors to hide their activities.

Remote access software is used to gain access to internal networks and maintain persistence, and it is common for threat actors to leverage the software and tools that are already present on the compromised system to sustain their malicious activities. By using these living-off-the-land (LOTL) techniques, malicious actors do not need to download additional software, scripts, or tools, which makes intrusions, lateral movement, and data exfiltration difficult to detect.

Remote access software is one of the main ways that ransomware actors gain initial access to victims’ networks and evade security solutions. Cyber threat actors may also exploit vulnerabilities to gain access to systems and then install legitimate remote access software, or use social engineering techniques to trick individuals into installing the software, providing access to victims’ devices and the networks to which they connect.
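Because remote access tools are legitimate software, the practical defensive signal is not the tool itself but where it runs and how it was started: a tool outside the organization's approved inventory for that host, or an approved tool launched from a mail client or browser (the social-engineering install path described above). The following script is an added illustration and is not code from the HIPAA Journal post or from the CISA guide. It assumes process-creation events are available as CSV lines with the fields timestamp, host, user, image, parent_image, and that the organization maintains a per-host inventory of approved remote access tools; every tool name, host, user, and log line in it is constructed.

```python
"""Flag remote access software that falls outside an approved inventory.

Added illustration, not from the HIPAA Journal post or the CISA guide.
Assumptions: process-creation events arrive as CSV lines with the fields
timestamp,host,user,image,parent_image, and the organization keeps an
inventory of which remote access tools are approved on which hosts.
All tool names, hosts, users and log lines below are constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed watchlist of remote access executables (lower-case basenames).
# A real deployment would populate this from the organization's software inventory.
REMOTE_ACCESS_TOOLS = {"rmmagent.exe", "remotedesk.exe", "screenshare.exe"}

# Constructed approved inventory: host -> tools sanctioned on that host.
APPROVED = {
    "helpdesk-01": {"rmmagent.exe"},
    "ws-finance-07": {"rmmagent.exe"},
}

# Constructed parent names that suggest a user-driven install rather than
# deployment by IT (mail client, browser, archive extractor).
USER_FACING_PARENTS = {"mailclient.exe", "browser.exe", "archiver.exe"}

# Constructed sample process-creation log.
SAMPLE_LOG = """timestamp,host,user,image,parent_image
2023-06-01T09:02:11Z,helpdesk-01,it.tech,C:\\Tools\\rmmagent.exe,C:\\Windows\\services.exe
2023-06-01T09:15:40Z,ws-finance-07,j.doe,C:\\Users\\j.doe\\Downloads\\remotedesk.exe,C:\\Program Files\\mailclient.exe
2023-06-01T09:16:05Z,ws-finance-07,j.doe,C:\\Tools\\rmmagent.exe,C:\\Program Files\\browser.exe
2023-06-01T10:00:00Z,ws-hr-03,a.smith,C:\\Windows\\notepad.exe,C:\\Windows\\explorer.exe
"""


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    reason: str


def basename(path: str) -> str:
    """Return the lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per process event that warrants analyst review."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = basename(row["image"])
        if image not in REMOTE_ACCESS_TOOLS:
            continue  # not a remote access tool; nothing to check
        host = row["host"]
        parent = basename(row["parent_image"])
        if image not in APPROVED.get(host, set()):
            findings.append(Finding(host, row["user"], image,
                                    "remote access tool not in approved inventory for this host"))
        elif parent in USER_FACING_PARENTS:
            findings.append(Finding(host, row["user"], image,
                                    f"approved tool launched from user-facing parent {parent}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host} {f.user} {f.image}: {f.reason}")
```

On the constructed log the script reports two events: remotedesk.exe on ws-finance-07, which is not in that host's inventory, and rmmagent.exe on the same host, which is approved but was started from a browser rather than by the service manager. The helpdesk agent launch and the unrelated notepad event produce nothing, which is the point of keying the check on the inventory rather than on the tool name alone.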

Guidance on Securing Remote Access Software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Israel National Cyber Directorate (INCD) have recently published a guide for all organizations that use remote access software for regular business purposes, especially managed service providers, to help them defend against malicious use of the software.

The guide includes best practices, protections, and mitigations developed by CISA and the National Institute of Standards and Technology (NIST) based on existing cybersecurity frameworks to help organizations protect against the most common cyber threats and tactics, techniques, and procedures used by cybercriminal groups and nation-state threat actors. The guidance can be used by organizations of all types and sizes and includes specific best practices and recommendations for IT support teams and managed service providers.

Guide to Securing Remote Access Software – PDF


Compliancy Group Confirms MailHippo is HIPAA Compliant

MailHippo, an encrypted email provider, has been awarded the HIPAA Seal of Compliance by Compliancy Group, confirming that MailHippo is HIPAA compliant.

Encryption of electronic protected health information (ePHI) is an addressable implementation specification of the HIPAA Security Rule, which means it is not mandatory, provided that an alternative safeguard is implemented that provides an equivalent level of protection. If HIPAA-regulated entities send any ePHI via email beyond the protection of a firewall, the emails must be encrypted to prevent unauthorized access to the ePHI they contain.

MailHippo provides an encrypted email solution that works with all email providers and protects email with AES 256-bit end-to-end encryption, ensuring all emails are protected in transit and at rest. The platform allows users to send and receive encrypted emails from anyone – even individuals who do not subscribe to the service – track all message access, obtain full message details on demand, and set expiry dates for messages. MailHippo also offers signable HIPAA-compliant forms.

As a provider of those services to HIPAA-regulated entities, MailHippo is classed as a business associate under HIPAA, is required to sign a business associate agreement, and must comply with the HIPAA Rules. MailHippo opted to demonstrate compliance with the Health Insurance Portability and Accountability Act’s Privacy, Security, Breach Notification, and Omnibus Rules, and with the requirements of the HITECH Act, by partnering with Compliancy Group. MailHippo used Compliancy Group’s proprietary HIPAA compliance process to confirm that it has achieved compliance with all aspects of the HIPAA Rules that are applicable to business associates, and tracked progress throughout that process using Compliancy Group’s HIPAA compliance software, The Guard.

Compliancy Group’s methodology includes a 6-stage HIPAA risk analysis and remediation process. After MailHippo completed the compliance program through The Guard, Compliancy Group’s HIPAA compliance experts assessed the company’s good faith effort toward maintaining HIPAA compliance and awarded it the HIPAA Seal of Compliance.

The HIPAA Seal of Compliance demonstrates to current and future HIPAA-regulated entity clients that MailHippo’s encryption solutions are fully compliant with the HIPAA Rules and the HITECH Act, and confirms that MailHippo has implemented an effective HIPAA compliance program to ensure compliance is maintained.
