MedQ Agrees to Settlement to Resolve Ransomware Attack Lawsuit

MedQ Inc., an administrative service provider serving the healthcare industry, has agreed to settle class action litigation over a December 2023 ransomware attack that affected 54,725 individuals.

A ransomware group accessed MedQ’s network and deployed ransomware on or around December 26, 2023. The investigation confirmed unauthorized access to the network from December 20, 2023, and the exfiltration of data. The stolen data included names, dates of birth, health information, health insurance information, Social Security numbers, and driver’s license numbers. Complimentary credit monitoring services were offered, but that was not sufficient to prevent several class action lawsuits.

Five lawsuits were filed in response to the data breach by plaintiffs Sharon Klepper, Shelby D. Franklin, Cheri Ramey, Jana Harrison, and Debra Everett, individually and on behalf of similarly situated individuals. The lawsuits had overlapping claims and were consolidated into a single action – Klepper, et al. v. MedQ, Inc. – in the District Court of Oklahoma County, Oklahoma, on May 13, 2024.

MedQ disagreed with all claims in the lawsuit and maintains there was no wrongdoing or liability. MedQ filed a motion to dismiss, and during briefing on that motion, all parties decided to explore early resolution of the action and scheduled mediation on December 20, 2024. Following a second attempt at mediation on April 25, 2025, the material terms of a settlement were agreed upon by all parties. The terms of the settlement have now been agreed and have received preliminary approval from the court.

The settlement provides class members with two years of three-bureau credit monitoring services, which include dark web monitoring, public records monitoring, medical identity monitoring, and identity theft insurance. In addition, class members may choose one of two cash benefits. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, plus a cash payment of up to $90 as compensation for lost time (up to 3 hours at $30 per hour) on tasks related to the data breach, such as changing passwords, investigating accounts, and researching the data breach. Alternatively, class members may claim a one-time cash payment of $50.

The deadline for objection to and exclusion from the settlement is December 1, 2025. The deadline for submitting a claim is December 15, 2025, and the final fairness hearing has been scheduled for December 18, 2025.

The post MedQ Agrees to Settlement to Resolve Ransomware Attack Lawsuit appeared first on The HIPAA Journal.

NHS Pathology Provider Synnovis Notifies Organizations Affected by June 2024 Ransomware Attack

The UK pathology lab Synnovis suffered a ransomware attack last year. It has taken 17 months to complete the highly complex data review and notify the affected healthcare provider clients.

Synnovis provides blood, urine, and specimen testing for many healthcare organizations in the United Kingdom and has a pathology partnership with Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust in London, and SYNLAB, a provider of laboratory, diagnostic, and advisory services.

The ransomware attack occurred on June 3, 2024, when the Qilin ransomware group encrypted files on its network. Before the files were encrypted, data was exfiltrated from the network. The ransomware attack caused massive disruption to business operations at Synnovis, interrupting many of its pathology services. Synnovis said that almost all of its IT systems were affected.

NHS trusts that relied on Synnovis for blood testing and other services were forced to cancel appointments, and the lack of blood testing led to a shortage of O-negative blood. The shortage continued for months, with stocks depleted across the country. Disruption to patient services was extensive, with more than 10,000 appointments cancelled in the wake of the attack.

Synnovis immediately launched an investigation and assembled a task force of experts from Synnovis, the affected NHS Trusts, NHS England, and third-party specialists to restore systems and data as quickly as possible. The UK’s National Crime Agency (NCA), the National Cyber Security Centre (NCSC), and the Information Commissioner’s Office (ICO) were notified, and Synnovis has been working closely with those agencies throughout the recovery process.

It took until late autumn 2024 to replace all of the affected IT infrastructure and restore systems and services to pre-attack operational levels. “By month four immediately after the cyberattack, we had rebuilt a new blood transfusion platform, by month five we had completed a substantial cloud migration of our core systems, and by November 2024 we had rebuilt over 75 applications and reconnected a vast pathology estate spanning seven locations from the ground up, including over 65 scientific analyzers and more than 120 individual connections”, explained Synnovis.

Determining which organizations and individuals had been affected and the data types involved has taken considerably longer. Synnovis explained that the ransomware group stole data in haste in a random manner from its working drives, and due to the exceptional scale and complexity of the data review, it has taken more than a year to complete. That process required bespoke systems and processes to be created to reconstruct the affected data.

Synnovis said the forensic analysis confirmed that no data was taken from its primary lab databases, and the data exfiltrated in the attack was not in a form that could easily be used by anyone with ill intent. Despite an extensive forensic investigation, it was not possible to determine how the ransomware group gained access to its network. All IT infrastructure impacted by the attack was completely replaced.

Synnovis said it consulted with its affected NHS trust partners, and the decision was taken not to pay the ransom. Doing so would have gone against its ethical principles, and the ransom would undoubtedly have been used to fund further attacks on other critical infrastructure entities, potentially threatening national security. The amount demanded by the ransomware group was not disclosed.

Synnovis has recently completed the data analysis and restoration, and the affected organizations are now being notified. Notifications will be completed by November 21, 2025, after which the affected organizations will decide whether notifications need to be issued to the affected patients under UK data protection laws. Synnovis stressed that the company will not be contacting any of the affected patients directly. Under UK data protection laws, it is down to the data controller to conduct their own legal and risk assessments to determine whether notifications are required. Any individual receiving a communication about the data breach that purports to have come directly from Synnovis rather than one of the affected organizations should assume it is a scam.

The incident clearly demonstrates the massive impact ransomware attacks can have on critical infrastructure. In this case, this was a calculated attack designed to cause as much damage and disruption as possible for financial gain.

June 22, 2024: Ransomware Group Leaks Data from 300 Million Patient Interactions with NHS

The Russian ransomware and extortion group Qilin has added the data stolen in the attack on Synnovis to its dark web data leak site after the deadline for paying the $50 million ransom demand expired.

Synnovis, a provider of pathology services to the UK’s National Health Service (NHS), was attacked by the Qilin ransomware group on June 3, 2024, resulting in disruption to many of its services. Multiple NHS trusts in London continue to be affected by the attack, with the recovery expected to take several weeks. Synnovis does not anticipate fully recovering from the attack for several months.

Two of the worst-affected NHS trusts were the King’s College Hospital Foundation Trust and Guy’s and St Thomas’ Foundation Trust, two of the busiest NHS trusts in the country. The attack affected 7 hospitals operated by those trusts, forcing them to cancel 1,134 planned operations and 2,194 outpatient appointments in the first 13 days following the attack. Blood tests in the capital are operating at around 10% of normal levels.

As is typical in ransomware attacks, Qilin exfiltrated data before encrypting files. In the early hours of Friday morning, Qilin uploaded 400 GB of confidential data to its dark web data leak site, where it can be freely downloaded by cybercriminals. The uploaded data includes information from more than 300 million patient interactions with the NHS. The data upload is currently being verified but it appears to be genuine.

The data contains personally identifying information and blood test results, including highly sensitive test results for HIV, sexually transmitted infections, and cancer. It is likely to take several weeks before the exact types of data and the number of affected individuals are known due to the scale of the data theft. The data breach does not appear to be limited to NHS patients. Synnovis also provides pathology services to private healthcare providers, and some of the stolen data is understood to include private healthcare records.

The affected patients may now be subjected to extortion attempts due to the sensitivity of some of the stolen data. For instance, cybercriminals could threaten patients who tested positive for HIV by making that information public if they do not pay to have their data deleted.

The UK’s National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) are currently considering taking retaliatory action against the hacking group. Since this was an attack that affected the NHS and included the theft of NHS data, the attack is effectively an attack on the state. One of the main priorities is to try to take down as much of the uploaded data as possible.

The NCA recently headed an international law enforcement operation against the LockBit ransomware group that resulted in the seizure of its command and control infrastructure in February 2024. While the operation was a success, it was short-lived. The LockBit infrastructure was rapidly rebuilt, and the group was able to continue its operations. According to a recent report from NCC Group, LockBit was the most active ransomware group in May 2024.

June 18, 2024: More Than 1,500 Appointments Cancelled Following Ransomware Attack on NHS Pathology Vendor

At least 1,500 operations and outpatient appointments had to be canceled at two NHS trusts – King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust – following the ransomware attack on Synnovis. The affected NHS hospitals remain open and are continuing to provide care as normal; however, appointments that rely heavily on pathology services have been postponed, and blood testing is being prioritized for the most serious cases. For instance, many individuals have had phlebotomy appointments canceled. The canceled appointments included more than 100 cancer treatments and 18 organ transplants.

That number is likely to grow considerably as other NHS trusts were also affected by the attack, and the 1,500 canceled appointments were only for the period from 3-9 June. Synnovis is expecting to be able to restore some of its IT functionality in the coming weeks but anticipates that disruption will likely continue to be experienced for several months.

The attack is continuing to disrupt blood-matching tests, which has forced the affected hospitals to use O Negative and O Positive blood for patients who can’t wait for alternative matching methods. That has led to a shortage of O-type blood, with the NHS responding to the shortage by calling for the public to urgently arrange blood donation appointments across the country, with the high demand likely to continue for several weeks.

The Qilin ransomware group behind the attack told Bloomberg that they demanded a $50 million ransom payment and required payment to be made within 120 hours. They also claimed to have gained access to the Synnovis network by exploiting a zero-day vulnerability, although they did not state what vulnerability they exploited. The Qilin group has yet to add Synnovis to its data leak site, which could indicate Synnovis is negotiating with the group.

June 5, 2024: Care Disrupted at London Hospitals Due to Ransomware Attack on Pathology Vendor

A ransomware attack on a UK-based provider of medical laboratory services is disrupting patient services at multiple NHS hospitals in London, including Guy’s Hospital, St Thomas’ Hospital, King’s College Hospital, Royal Brompton Hospital, Evelina London Children’s Hospital, and other care sites in six London boroughs – Bexley, Greenwich, Lewisham, Bromley, Southwark, and Lambeth. The attack has had a much wider impact than initially thought, also affecting the South London and the Maudsley (Slam) trust, the largest provider of mental health services in the country, and GP surgeries throughout South London.

Synnovis, a provider of diagnostic and pathology services, published an alert on its customer service portal on Monday, warning that all of its systems are currently unavailable. An investigation has been launched, and its IT team is trying to determine the cause of the outage. The attack has now been linked to a Russian cybercriminal group called Qilin, which is known for using ransomware to encrypt files on victims’ networks and demanding ransom payments to decrypt files and prevent the release of stolen data. The attack appears to be confined to Synnovis. Hospitals connected to the IT systems of Synnovis do not appear to have had their own systems infiltrated.

On Monday, Synnovis notified the affected NHS Trusts that it had experienced a malware attack, and later confirmed in email messages that it was a ransomware attack. A critical incident emergency status has been declared in the region. Synnovis is working with the National Cyber Security Centre and the Cyber Operations Team to investigate and recover from the attack, but cannot yet say how long its systems will be offline.

The affected hospitals have tried and tested business continuity plans for critical incidents such as ransomware attacks, and they are continuing to provide care for patients, although the attack is having a significant impact on the delivery of services at the affected hospitals. Emergency services are still available, but the hospitals have lost pathology services, cannot perform quick-turnaround blood tests, and blood transfusions are particularly affected, so much so that a nationwide appeal has been launched by the NHS for O blood-type donors.

As a result, all non-emergency pathology appointments have been canceled or redirected to other hospitals, and hospital staff have been instructed only to request emergency blood samples. Synnovis can still conduct blood tests, but the results are being printed out when obtained from its laboratories, and they are being hand-delivered, as the lack of access to computer systems is preventing electronic transmission.

One of the problems with an attack such as this is that until it can be determined exactly what the hackers have done while inside the compromised systems, data cannot be trusted. The hackers could have manipulated test results on which decisions about patient care are made. As a result, test results need to be re-run and results re-recorded due to the risk of data manipulation.

According to data from the Information Commissioner’s Office (ICO), there have been 215 ransomware attacks on hospitals in the United Kingdom since 2019. Last year, ransomware attacks reached record levels, with at least 1,231 attacks conducted across all industry sectors in the UK. Government officials are concerned that many attacks are not being reported.

This is also not the first ransomware attack to affect Synnovis in 2024. The BlackBasta ransomware group attacked Synnovis in April this year and published all the data stolen in the attack on its leak site when the ransom was not paid. Cybercriminal groups are known to work together and provide access to compromised networks to other groups. It is unclear if the BlackBasta attack is linked to the Qilin attack.


First Choice Dental Agrees to Pay up to $1,225,000 to Settle Data Breach Lawsuit

First Choice Dental, a network of 12 dental clinics in Dane and Madison counties in Wisconsin, experienced a ransomware attack on October 22, 2023. A settlement has recently been agreed to resolve litigation stemming from the data breach.

As reported by The HIPAA Journal in January 2024, First Choice Dental issued an interim notification about the incident, alerting patients to the exposure of some of their protected health information. At the time of issuing, the investigation into the cyberattack was ongoing. The HHS’ Office for Civil Rights was provided with an interim total of 1,000 affected individuals.

First Choice Dental explained that unauthorized network activity was first identified on October 22, 2023, but it had yet to be determined how many individuals had been affected or the types of data involved. On July 12, 2024, 9 months after the attack, individual notification letters started to be mailed. Patients were told that the compromised information included names, dates of birth, Social Security numbers, passport numbers, driver’s license numbers/government ID numbers, credit/debit card numbers, and health information. The HHS’ Office for Civil Rights breach portal still lists the data breach as affecting 1,000 individuals, although the breach was far more extensive than the breach portal suggests, affecting more than 159,000 individuals.

The first class action lawsuit over the data breach was filed by plaintiff Kelly Gorder on July 17, 2024, in the Dane County Circuit Court of the State of Wisconsin against FCDG Management, LLC, d/b/a First Choice Dental. A further six lawsuits were subsequently filed in response to the data breach, which were consolidated in a single action in the same court – Kelly Gorder, et al., v. FCDG Management, LLC d/b/a First Choice Dental.

According to the consolidated class action complaint, the data breach could have been prevented if First Choice Dental had implemented reasonable and appropriate safeguards and followed industry-standard data security practices. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of fiduciary duty, and violations of Wisconsin Statute § 146.82.

First Choice Dental denies the claims and contentions in the lawsuit and maintains there was no wrongdoing and no liability, and on January 6, 2025, sought to have the class action lawsuit dismissed in its entirety. That attempt was partially successful, with the court dismissing the claims of invasion of privacy and unjust enrichment, but the other claims were allowed to proceed. After considering the time and expense of litigation and the uncertainty of a trial and related appeals, all parties engaged in mediation on July 1, 2025, and the principal terms of a settlement were agreed upon. The settlement has now been finalized and has received preliminary approval from the court.

The settlement class consists of 159,145 individuals who were notified about the data breach. Those individuals are entitled to claim a three-year membership to the CyEx Medical Shield Monitoring product, which includes a $1 million identity theft insurance policy. In addition, class members may claim one of two benefits. A claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses due to the data breach up to a maximum of $6,000 per class member. Alternatively, a one-time cash payment of $50 may be claimed.

Claims will be paid after settlement administration costs, attorneys’ fees and expenses, and service awards have been paid, along with $225,000 of security improvements. The total settlement costs, inclusive of the above, have been capped at $1,225,000. Claims will be prorated downward if that total is exceeded.

The deadline for submitting a claim is January 28, 2026, and the final fairness hearing has been scheduled for January 12, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by December 29, 2025. Further information can be found on the settlement website: https://www.fcdgdatasettlement.com/
