BJC HealthCare Settles Website Tracking Lawsuit for up to $9.25 Million

BJC Health System, doing business as BJC HealthCare, is one of the latest healthcare organizations to settle litigation stemming from the use of website tracking tools. BJC HealthCare has agreed to pay up to $9.25 million to resolve the litigation and provide cash payments to the class members.

BJC HealthCare is a non-profit healthcare organization based in St. Louis, Missouri, which runs the Washington University-affiliated hospitals Barnes–Jewish Hospital and St. Louis Children’s Hospital. According to the lawsuit – John Doe et al v. BJC Health System – BJC HealthCare maintained various web properties, including the websites www.bjc.org and www.barnesjewish.org, through which patients could communicate with BJC HealthCare.

The plaintiffs alleged that tracking tools added to the websites collected web user data, including personally identifiable information, and transmitted sensitive information to companies such as Facebook (Meta), Google, SiteScout, Invoca, and TradeDesk, without the knowledge or authorization of web users. BJC HealthCare maintains that there was no wrongdoing and that it has no liability; however, it agreed to settle the litigation. The parties agree that a settlement is in everyone's best interests given the costs, risks, and uncertainty of continuing the lawsuit.

The settlement covers all users who used the BJC HealthCare MyChart patient portal between June 2017 and August 2022. Under the terms of the settlement, BJC HealthCare will initially establish a $5.5 million settlement fund to cover attorneys’ fees, legal expenses, administration costs, class representative awards, and cash payments to class members, which are expected to be $35 per class member. Should the fund not be sufficient to cover claims, a further $3.75 million will be added to the settlement fund. If the full $9.25 million is still not sufficient, claims will be subject to a pro rata reduction.

Attorneys’ fees will be up to $3,000,000, settlement administration costs are expected to be up to $200,000, and service awards to the class representatives will be $15,000 in total. The deadline for claiming a cash payment is October 8, 2025, and the final fairness hearing is scheduled for October 16, 2025. Individuals wishing to opt out of or exclude themselves from the settlement must do so by September 8, 2025.

Several class action lawsuits have recently been settled over the use of these tracking tools, including lawsuits against Mount Nittany Health, Henry Ford Health, MarinHealth, and Eisenhower Medical Center. More settlements are expected to be announced in the coming weeks.

The post BJC HealthCare Settles Website Tracking Lawsuit for up to $9.25 Million appeared first on The HIPAA Journal.

Feds Confirm Seizure of BlackSuit Ransomware Infrastructure

Homeland Security Investigations (HSI), the investigative arm of the Department of Homeland Security (DHS) and part of U.S. Immigration and Customs Enforcement (ICE), has released further information about last month’s seizure of dark web domains used by the BlackSuit ransomware group.

On July 24, 2025, the U.S. Department of Justice (DoJ) confirmed that an international law enforcement operation codenamed Operation Checkmate resulted in the seizure of domains used by the BlackSuit ransomware group. Banners were added to those sites confirming they were under the control of law enforcement. The BlackSuit ransomware group used the sites to leak stolen data and to communicate with victims to negotiate ransom payments.

HSI confirmed in an August 7, 2025, announcement that BlackSuit was the successor to Royal ransomware. Both groups have terrorized critical infrastructure entities around the world since Royal emerged in 2022. Royal was the successor to Quantum ransomware, which is thought to be one of the groups operated by former members of the disbanded Conti ransomware operation.

Since 2022, Royal and BlackSuit have conducted more than 450 successful ransomware attacks on companies in the United States, including many critical infrastructure entities in healthcare, education, public safety, energy, and government. The ransomware groups engaged in double extortion, stealing data and encrypting files, then demanding payment both to prevent the data from being leaked and to obtain the decryption keys. Victims have paid Royal and BlackSuit more than $370 million in ransom payments, based on current cryptocurrency values.

The operation involved the HSI Cyber Crimes Center, IRS Criminal Investigation’s Cyber Crimes Unit, the U.S. Secret Service, the FBI, Europol, and multiple international law enforcement partners, and resulted in the seizure of the group’s servers, domains, and digital assets used to support the group’s attacks, data theft, extortion, and money laundering.

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

A DoJ announcement on August 11, 2025, explained that laundered cryptocurrency valued at $1,091,453 had been seized as part of the operation, along with four servers and nine domains. The DoJ explained that one of the victims of the Royal ransomware group paid a 49.3120227 Bitcoin ransom to decrypt their data, which was valued at $1,445,454.86 at the time of the transaction. Some of the proceeds, $1,091,453, were repeatedly deposited and withdrawn at a virtual currency exchange to hide the source of the funds. The funds were frozen by the exchange on or around January 9, 2024, and were obtained by U.S. authorities under a seizure warrant.

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said Assistant Attorney General for National Security John A. Eisenberg. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”

July 25, 2025: BlackSuit Ransomware Dark Web Sites Seized by Law Enforcement

The dark web sites of the BlackSuit ransomware group have been seized as part of an international law enforcement operation. The takedown includes BlackSuit’s negotiation and data leak sites, following a court order that authorized the seizure.

The dark web sites have been replaced with banners advising visitors about the seizure by U.S. Homeland Security Investigations, part of Operation Checkmate. Several law enforcement partners assisted with the operation, including the U.S. Department of Justice, the Federal Bureau of Investigation (FBI), the U.S. Office of Foreign Assets Control (OFAC), Europol, the UK National Crime Agency, and law enforcement agencies in Canada, Germany, Ukraine, Lithuania, Ireland, and France. The Romanian cybersecurity firm Bitdefender also assisted during the operation. At the time of this update, the authorities had yet to make an official announcement about the operation or any other results.

BlackSuit ransomware first appeared in June 2023, having rebranded following an attack on the City of Dallas in Texas. The group previously operated under the name Royal from September 2022 to June 2023. Prior to that, Royal operated under the name Quantum and is believed to have been started by members of the Conti ransomware group. Operating as BlackSuit, the group is thought to have claimed more than 180 victims worldwide and more than 350 victims under the name Royal.

While the takedown is good news, researchers have suggested that BlackSuit may have already rebranded or that some former members of BlackSuit have formed a new group, Chaos ransomware. Researchers at Cisco Talos explained in a June 24, 2025, blog post that they have assessed with moderate confidence that the new group was formed by members of the BlackSuit ransomware group due to similarities in the encryption methodology, ransom note, and toolset used in attacks. Chaos has already conducted at least ten attacks, mostly in the United States. The new group does not appear to be targeting any specific industries.

“The disruption of BlackSuit’s infrastructure marks another important milestone in the fight against organized cybercrime,” stated a representative of the Draco Team, Bitdefender’s cybercrime unit, who participated in the takedown. “We commend our law enforcement partners for their coordination and determination. Operations like this reinforce the critical role of public-private partnerships in tracking, exposing, and ultimately dismantling ransomware groups that operate in the shadows. When global expertise is aligned, cybercriminals have fewer places to hide.”

On July 28, 2025, FBI Dallas announced the seizure of 20 Bitcoins (now valued at $2.3 million) from a cryptocurrency address belonging to a member of the Chaos ransomware group. The funds were tracked to a Bitcoin wallet used by an affiliate with the moniker “Hors” who is suspected of conducting attacks and extorting payments from companies in the Northern District of Texas and elsewhere. The U.S. Department of Justice filed a civil complaint in the Northern District of Texas on July 24, 2025, seeking the forfeiture of the funds, which were seized by the FBI in Dallas in mid-April.

The post Feds Confirm Seizure of BlackSuit Ransomware Infrastructure appeared first on The HIPAA Journal.

MedStar Health Agrees to $1.35 Million Settlement to Resolve Class Action Data Breach Litigation

MedStar Health has agreed to settle class action litigation stemming from a 2023 data breach that affected more than 183,000 individuals. MedStar Health will create a $1.35 million settlement fund to cover attorneys’ fees, legal costs and expenses, and claims from class members for reimbursement of out-of-pocket expenses fairly traceable to the data breach.

MedStar Health, the largest healthcare provider in Maryland and Washington, D.C., provides medical services through 120 entities, including 10 hospitals. Between January 25, 2023, and October 18, 2023, an unauthorized third party gained access to the email accounts of three employees and accessed or obtained the protected health information of 183,079 patients. The individuals were notified about the data breach on May 4, 2024.

Shortly after the notification letters were mailed, a class action lawsuit was filed by Gwendolyn Riddick individually and on behalf of similarly situated individuals. A further five class action lawsuits were filed by other MedStar Health patients. Since all six lawsuits were substantially identical and had overlapping claims, they were consolidated into a single action, In re MedStar Health Data Security Incident, in the U.S. District Court for the District of Maryland. The plaintiffs alleged that MedStar Health failed to implement reasonable and appropriate safeguards to protect the sensitive data it stored on its network.

MedStar Health denies any wrongdoing and disagrees with the claims and contentions in the lawsuit; however, MedStar agreed to a settlement to avoid the cost and risk of a trial and any possible appeals. The $1,350,000 settlement fund will be used to pay attorneys’ fees up to $450,000, settlement administration costs up to $250,000, class representative awards of $2,500 for each of the six named plaintiffs, attorneys’ expenses, and medical data monitoring costs. The remainder of the settlement fund will be used to cover claims from class members, who are U.S. residents who are current or former MedStar patients or employees who were notified that their data was exposed between January 25, 2023, and October 18, 2023.

Under the terms of the settlement, class members may claim one of two cash payments plus a one-year membership to a medical and healthcare data monitoring service. Class members may submit a claim for reimbursement of documented losses up to a maximum of $5,000 per class member, or they may alternatively claim a cash payment, which is estimated to be $100. The cash payments may be adjusted based on the number of valid claims received.

The deadline for objecting to and opting out of the settlement is September 14, 2025. The deadline for filing a claim is October 14, 2025. The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 4, 2025.

The post MedStar Health Agrees to $1.35 Million Settlement to Resolve Class Action Data Breach Litigation appeared first on The HIPAA Journal.