CarePro to Pay $1.3 Million to Settle Class Action Data Breach Lawsuit

Posted by Steve Alder

The Iowa-based healthcare company, CarePro Health Services, has agreed to pay $1.3 million to settle class action litigation stemming from a November 2023 cyberattack and data breach affecting up to 151,499 individuals.

The cyberattack that triggered the lawsuit was first identified by CarePro on November 16, 2023. Unauthorized individuals remotely accessed a system where unencrypted patient data was stored. Files containing patients’ protected health information were exfiltrated from the network before the intrusion was detected and blocked. Data compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial account information, and medical/health information. The affected individuals were offered complimentary credit monitoring and identity theft protection services.

A lawsuit was filed shortly after notifications were mailed to the affected individuals by CarePro patient Brandi Bell, individually and on behalf of similarly situated individuals. The lawsuit was soon followed by another complaint filed by Brandie Keegan, individually and on behalf of her minor child, and similarly situated individuals. The lawsuits were consolidated into a single complaint, Bell et al. v. C.R. Pharmacy Services, Inc. d/b/a CarePro Health Services – in the Iowa District Court for Linn County.

The lawsuit claimed that the plaintiffs suffered concrete injuries as a direct result of the data breach, including invasion of privacy, lost or diminished value of private information, lost time and opportunity costs, and loss of benefit of the bargain. The plaintiffs’ and class members’ personal and protected health information remain in the hands of cybercriminals, placing them at an increased risk of identity theft and fraud for years to come.

The plaintiffs claim that the data breach could have and should have been prevented, as the defendant failed to implement adequate and reasonable cybersecurity measures to protect patient data, recklessly maintaining patient information. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, breach of fiduciary duty, breach of confidence, unjust enrichment, invasion of privacy-intrusion upon seclusion, and violations of the Iowa Consumer Fraud Act and Iowa Personal Information Security Breach Protection Act.

CarePro denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. All parties agreed that further litigation, a trial, and any related appeals would likely be protracted and expensive and involve risks and uncertainties for all parties, so the decision was taken to settle the litigation. It took several months of negotiations; however, a settlement has been agreed upon that is acceptable to all parties.

The settlement includes three benefits for class members, which will be paid for from a $1,300,000 settlement fund after attorneys’ fees and expenses, class representative service awards, and settlement administration costs have been deducted.

A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. In addition to or instead of a claim for reimbursement of losses, class members may claim a pro rata cash payment, which is expected to be $100 per class member. The cash payment will be adjusted upwards or downwards depending on the number of valid claims received.

All class members are also entitled to claim two years of three-bureau credit monitoring, dark web monitoring, and identity theft protection services. The cost of the credit monitoring services will be deducted from the settlement fund before the cash payments are calculated. The deadline for exclusion from and opting out of the settlement is December 3, 2025. Claims must be submitted by December 3, 2025, and the final fairness hearing has been scheduled for January 23, 2025.

The post CarePro to Pay $1.3 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Audit Uncovers Security Weaknesses in the NIH All of Us Security Program

Posted by Steve Alder

An audit of the National Institutes of Health (NIH) All of Us Research Program has uncovered privacy and security weaknesses that put the health information of more than 1 million individuals at risk of compromise.

The All of Us Research Program was launched in 2015 as part of the NIH Precision Medicine Initiative to advance disease prevention and treatment by making the personal health and genomics data of more than 1 million individuals available for research purposes. Unlike research studies that focus on a specific disease or cohort of people, the All of Us Research database can be used to study a wide range of health conditions and diseases. The data is housed by the Data and Research Center (DRC) and is managed by an NIH award recipient, Vanderbilt University Medical Center. The All of Us database is one of the largest health research databases of its kind.

While general data about the entire group of participants can be viewed by anyone, only researchers approved by the All of Us Research Program are allowed to view data from individual participants. Such a large database of health information is extremely valuable; therefore, robust privacy and security measures must be implemented to protect research participants’ data from cybersecurity and national security threats.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has recently published the findings of a 2024 audit that sought to determine whether appropriate access controls had been implemented by the DRC award recipient, if appropriate privacy and security controls were in place, and if information security and privacy weaknesses had been addressed in accordance with federal standards.

HHS-OIG determined that the DRC award recipient had implemented some cybersecurity controls, including vulnerability scanning, penetration testing, flaw remediation, system monitoring, incident response, contingency planning, disaster recovery, and security awareness training; however, controls were inadequate in some areas, which put research participants’ data at an increased risk of compromise.

HHS-OIG identified access control weaknesses. For instance, while authorized users were permitted to remotely access the information systems from foreign countries with prior approval, there were no controls in place to restrict access to only the individuals who had received approval. As such, any authorized user could access the information systems from a foreign country. While downloads of detailed participants’ data are prohibited, there were no access controls in place to prevent data downloads.

HHS-OIG also found that the DRC award recipient failed to communicate national security concerns associated with the maintenance of genomic data to NIH and did not resolve identified weaknesses and vulnerabilities within the timeframe stipulated by NIH in its award agreement. As such, there was an increased risk of research participants’ data, including genomic data, being accessed, downloaded, and misused by bad actors, including foreign adversaries.

HHS-OIG made five recommendations to NIH to improve oversight of the All of Us Research Program and address the identified privacy and security issues. NIH concurred with all five recommendations and is implementing measures to address the privacy and security weaknesses. NIH has confirmed that measures already fully implemented include controls to resolve the remote access security issues, and access from certain countries of concern has been blocked, including China, Cuba, Iran, Russia, and North Korea.

The post Audit Uncovers Security Weaknesses in the NIH All of Us Security Program appeared first on The HIPAA Journal.

Fortinet Patches Actively Exploited FortiWeb Zero Day Flaw

Posted by Steve Alder

Patches have been released to fix a critical OS command injection vulnerability affecting Fortinet web application firewalls. The FortiWeb zero-day vulnerability is rated medium-severity with a CVSS score of 6.7 out of 10; however, the vulnerability is being actively exploited in the wild.

The vulnerability, tracked as CVE-2025-58034, can only be exploited by an authenticated attacker, hence the relatively low CVSS score, but the vulnerability can be exploited in a low-complexity attack and will allow the attacker to execute unauthorized code on the underlying system. The vulnerability can be exploited via specially crafted HTTP requests or CLI commands. The vulnerability was identified by Jason McFadyen of Trend Micro’s Trend Research team and is due to improper neutralization of special elements in an OS command.

The vulnerability affects multiple FortWeb versions:

Vulnerable Versions Fixed Versions
FortiWeb 8.0.0 through 8.0.1 FortiWeb 8.0.2 and above
FortiWeb 7.6.0 through 7.6.5 FortiWeb 7.6.6 and above
FortiWeb 7.4.0 through 7.4.10 FortiWeb 7.4.11 and above
FortiWeb 7.2.0 through 7.2.11 FortiWeb 7.2.12 and above
FortiWeb 7.0.0 through 7.0.11 FortiWeb 7.0.12 and above

This is the second vulnerability in FortiWeb to be identified and patched recently. Last week, Fortinet announced that a critical path traversal vulnerability in FortiWeb, tracked as CVE-2025-64446 (CVSS v3.1 9.4), received a silent patch on October 28, 2025. The vulnerability can be exploited by an unauthenticated attacker to execute administrative commands on the system via specially crafted HTTP or HTTPS requests.

The vulnerability affects versions 8.0.2 through 8.0.1 and versions 7.6.0 through 7.6.4. The vulnerability was fixed in version 8.0.2 and above, and version 7.6.5 and above. Defused reports that there has been active exploitation of the vulnerability, although that has yet to be confirmed by Fortinet. It is unclear why a security advisory about the flaw was not released at the time the patch was released.

The post Fortinet Patches Actively Exploited FortiWeb Zero Day Flaw appeared first on The HIPAA Journal.

St. Anthony Hospital in Chicago Notifies Patients About February Data Breach

Posted by Steve Alder

Data breaches have recently been announced by St. Anthony Hospital in Chicago, Intercommunity Action in Pennsylvania, and Munson Healthcare in Michigan.

St. Anthony Hospital

St. Anthony Hospital in Chicago, IL, has recently discovered unauthorized access to certain employees’ email accounts. The unauthorized access was identified on February 6, 2025, and third-party cybersecurity experts were engaged to determine the nature and scope of the unauthorized activity and the extent of any data exposure or theft.

The investigation confirmed that the compromised email accounts contained the personal and protected health information of patients and staff members. The HHS’ Office for Civil Rights breach portal shows that the protected health information of 6,679 was exposed. Information potentially compromised in the incident included names, addresses, telephone numbers, birth dates, Social Security numbers, dates of service, medical record numbers, patient account numbers, medical histories, diagnoses/conditions, treatment information, and prescription information. While sensitive information has been exposed, St. Anthony Hospital has not detected any misuse of the exposed data.

Intercommunity Action Inc.

Intercommunity Action, a Philadelphia, PA-based provider of resources for aging, behavioral health, and individuals with intellectual and developmental disabilities, has notified 2,680 individuals about a recent data security incident involving unauthorized access to its computer network. The security breach was identified on May 29, 2025, and the forensic investigation confirmed that unauthorized connections had been made to its network from May 28, 2025, to May 29, 2025. During that time, files were exfiltrated from its network, and Intercommunity Action warned that the stolen data had potentially been made available online. Intercommunity Action is unaware of any instances of data misuse as a result of the incident.

A review of the affected files revealed that they contained patient information such as first and last names, dates of birth, addresses, Social Security Numbers, driver’s license numbers, state identification numbers, bank account information, credit card numbers, other financial information, claims information, diagnosis/conditions, medications, or other treatment information. The types of information involved varied from individual to individual.

As a precaution against misuse of the affected data, individuals whose Social Security numbers, driver’s license numbers, state ID numbers, and/or bank account information were involved have been offered complimentary identity theft protection services. Steps have also been implemented to prevent similar incidents in the future, including changing passwords, blocking the unauthorized users’ IP addresses, and implementing additional safeguards to strengthen security.

Munson Healthcare

Munson Healthcare, the largest health system in Northern Michigan, has notified 1,186 patients about a mis-mailing incident caused by an error when migrating patient information to a new computer system. The error occurred on January 25, 2025, and resulted in the individual responsible for paying bills being accidentally changed to someone who was previously responsible. The issue was not detected until June 2, 2025.

As a result of the error, some patients’ bills were sent to the wrong individuals. An investigation was launched to determine the root cause of the error and the patients affected. The errors in the data were changed and updated to the correct bill payer, and a technical fix was implemented on June 24, 2025, to prevent further bills from being sent to incorrect individuals. Data impermissibly disclosed was limited to a patient’s name, location of services, balance owed, insurance type, and the type of service. The affected individuals have been advised to review the bills issued after January 25, 2025, to ensure that the billing information is correct.

The post St. Anthony Hospital in Chicago Notifies Patients About February Data Breach appeared first on The HIPAA Journal.