Bone & Joint Clinic Settles Ransomware Class Action Lawsuit for $575,000

Posted by Steve Alder

Bone & Joint Clinic S.C. has agreed to pay $575,000 to settle a class action lawsuit stemming from a January 2023 security incident that affected 105,094 current and former patients and employees.

Bone & Joint is an orthopedic and pain management clinical practice in Northcentral Wisconsin. On January 16, 2025, a security incident was identified that caused network disruption. An unauthorized third party accessed its network, used ransomware to encrypt files, and may have obtained protected health information such as names, contact information, dates of birth, Social Security numbers, health insurance information, diagnoses, treatment information, and other sensitive data.

Lawsuits were filed by four Bone & Joint Clinic patients, which were consolidated into a single complaint – Keith Tesky, et al. vs. Bone & Joint Clinic, S.C., – in the U.S. District Court for the Western District of Wisconsin. The lawsuits claimed that the practice failed to implement reasonable and appropriate safeguards to protect sensitive employee and patient data. The consolidated lawsuit asserted claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, invasion of privacy, unjust enrichment, unfair and deceptive business practices, and a violation of Wisconsin law, which prohibits the unauthorized release of healthcare information.

Bone & Joint Clinic denies any wrongdoing and maintains there is no liability; however, a settlement was agreed to avoid the burden and expense of litigation. Under the terms of the settlement, class members may submit a claim for reimbursement of documented, unreimbursed out-of-pocket losses fairly traceable to the data breach up to a maximum of $5,000 per class member.

Class members may also submit a claim for a pro rata cash payment, which is expected to be $75, but may be higher or lower depending on the number of valid claims received. The cash payments will be paid from the remainder of the settlement after attorneys’ fees (up to $191,475), attorneys’ expenses (up to $20,000), service awards (up to $2,000 for each of the four named plaintiffs), and settlement administration costs have been deducted.

The deadline for exclusion from and objection to the settlement is September 15, 2025. Claims must be submitted by October 15, 2025, and the final fairness hearing has been scheduled for January 7, 2025.

The post Bone & Joint Clinic Settles Ransomware Class Action Lawsuit for $575,000 appeared first on The HIPAA Journal.

HHS-OIG Audit Finds Security Gaps at Large Northeastern Hospital

Posted by Steve Alder

An audit of a large northeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) has identified cybersecurity gaps and weaknesses that are likely to be present in similarly sized hospitals across the country.

Cyberattacks on healthcare organizations have increased sharply in recent years. Between 2018 and 2022, there was a 93% increase in large data breaches reported to the HHS’ Office for Civil Rights (OCR) and a 278% increase in large data breaches involving ransomware. In 2022 alone, OCR received 64,592 reports of healthcare data breaches, across which the protected health information of 42 million individuals may have been exposed or stolen.

The HHS plays an important role in guiding and supporting the adoption of cybersecurity measures to protect patients and healthcare delivery from cyberattacks. The large number of successful cyberattacks raises questions about whether the HHS, including the Centers for Medicare and Medicaid Services (CMS) and OCR, could do more with its cybersecurity guidance, oversight, and outreach to help healthcare organizations implement robust cybersecurity controls and better protect their networks from attack.

While OCR usually conducts audits of HIPAA-regulated entities to assess cybersecurity and compliance with the HIPAA Rules, HHS-OIG’s 2025 Work Plan includes a series of 10 audits of U.S. hospitals to gain insights into healthcare cybersecurity and assess the cybersecurity measures that have been put in place. A northeastern hospital with more than 300 beds agreed to an audit to assess whether appropriate cybersecurity controls had been implemented for preventing and detecting cyberattacks, whether protocols had been developed for ensuring the continuity of care during a cyberattack, and the controls in place to protect Medicare enrollee data. The audited entity was not named due to the threat of cyberattacks.

The hospital is part of a network of providers that share protected health information for treatment, payment, and healthcare operations, and is a covered entity under HIPAA required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information. As a provider of healthcare services under the Medicare program, the hospital is also required to comply with the CMS Conditions of Participation (CoPs). The hospital had implemented measures to comply with the CoPs and HIPAA, and had voluntarily implemented the NIST Cybersecurity Framework to reduce and better manage cybersecurity risks

The hospital was found to have implemented data security measures to protect Medicare data and had effective cybersecurity controls to ensure continuity of care in the event of a cyberattack, including appropriate network architecture, backup strategies, incident response plans, and disaster recovery controls. HHS-OIG did, however, identify several cybersecurity weaknesses and security gaps.

HHS-OIG conducted several simulated cyberattacks on Internet-facing systems and found its cybersecurity controls, which included a web application firewall (WAF), were generally effective at blocking or limiting malicious requests. Simulated phishing emails were also sent to employees, and no employee responded or interacted with the fake website HHS-OIG had set up for the phishing scam.

HHS-OIG analyzed 26 internet-accessible systems and discovered two had weaknesses in their cybersecurity controls that could potentially be exploited by threat actors to gain access to systems. HHS-OIG also identified 13 web applications with cybersecurity weaknesses related to configuration management controls, and 16 Internet-accessible systems had weaknesses in their cybersecurity controls regarding identification and authentication that left them susceptible to interactions and manipulations by threat actors

HHS-OIG explained that the weaknesses occurred due to the integration of two systems with its existing IT environment without following security best practices. Further, while there were procedures for periodically assessing web application security controls, they were not effective at identifying weaknesses before they were potentially exploited, and industry web application security best practices had not been effectively implemented.

While the systems that were susceptible to some of the HHS-OIG’s simulated attacks did not contain patient data, compromising those systems could potentially provide attackers with a launch pad for conducting additional attacks against other systems, including systems that contained patient data. A threat actor could also use information gathered in an attack on a vulnerable system to conduct more convincing social engineering campaigns on the workforce.

The hospital concurred with all five HHS-OIG recommendations:

  • Enforce and periodically assess compliance with its configuration and change management policy.
  • Periodically assess and update its identification and authentication controls.
  • Periodically assess and update its configuration management controls.
  • Establish a policy or process to periodically assess its internet-accessible systems and application security controls for vulnerabilities.
  • Ensure developers follow secure coding practices.

The post HHS-OIG Audit Finds Security Gaps at Large Northeastern Hospital appeared first on The HIPAA Journal.