LivaNova Facing Multiple Class Action Lawsuits Over October 2023 Cyberattack
The Houston, TX-based medical device company, LivaNova, is facing multiple class action lawsuits over an October 2023 cyberattack that exposed the protected health information of 180,000 patients.
The attack was detected on November 19, 2023, and the investigation confirmed that unauthorized individuals first accessed its network on October 26, 2023. The data compromised in the incident included names, addresses, phone numbers, Social Security numbers, birth dates, diagnoses, treatment information, prescriptions, physician names, medical record numbers, device serial numbers, and health insurance information. Notifications were issued in May 2024, and complimentary credit monitoring services were offered to the affected individuals.
At least two lawsuits have now been filed by patients whose information was exposed in the incident. One of those lawsuits was filed in the U.S. District Court for the Southern District of Texas, Houston Division, on behalf of J.W., by and through her guardian, Angela Johnson. The lawsuit alleges LivaNova maintained sensitive information in a reckless manner and despite its legal obligations and promises to secure the data it held, failed to implement reasonable and appropriate cybersecurity measures. The lawsuit alleges the cyberattack and data breach were foreseeable and preventable, and occurred as a result of inadequate cybersecurity measures.
The lawsuit also accuses the defendant of failing to issue prompt and accurate breach notifications to the affected individuals. The notification letters were sent 6 months after the security breach was detected and 7 months after it occurred. The lawsuit alleges the plaintiff and class members face an ongoing risk of fraud, identity theft, and other misuses of their sensitive information as a result of the data breach.
The lawsuit alleges negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and a violation of the Illinois Consumer Fraud Act and seeks damages, injunctive relief, an award of attorneys’ fees, court costs, and litigation costs, and equitable relief, including an order from the court compelling LivaNove to implement a long list of security measures to prevent similar breaches in the future. The plaintiff and class are represented by Joe Kendall of Kendall Law Group PLLC and Mariya Weekes of Millberg, Coleman, Bryson, Phillips, Grossman PLLC.
Another lawsuit was filed by plaintiff Arthur Podroykin in the U.S. District Court for the Southern District of Texas that alleges LivaNova breached its duties under common law, contract, the Federal Trade Commission Act, and the Health Insurance Portability and Accountability Act.
The post LivaNova Facing Multiple Class Action Lawsuits Over October 2023 Cyberattack appeared first on The HIPAA Journal.
SouthCoast Health; Call 4 Health Notify Patients About Cyberattacks – HIPAA Journal
SouthCoast Health; Call 4 Health Notify Patients About Cyberattacks
SouthCoast Health and Privia Medical Group in Georgia have notified patients about a cyberattack and data breach that occurred in June 2023. Unauthorized activity was identified in South Coast Health’s network on June 18, 2023, and assisted by forensic specialists, it was determined that its network was accessed by an unauthorized third party between June 15 and June 18, 2023. During that time, files on the network were viewed or copied.
South Coast Health confirmed that the intrusion was limited to its own network, with Privia Medical Group’s network unaffected; however, some Privia Medical Group patients did have their information exposed. The substitute breach notice provided to the South Carolina Attorney General does not list the types of data compromised in the attack, but that information is detailed in the individual notifications.
A substitute notice was posted on its website last year warning patients that they may have been affected, but at the time it was unclear how many patients had been affected or the types of data involved. The review of the affected files was not completed until June 13, 2024. South Coast Health said it had strict security measures in place to prevent unauthorized access to its network, but those measures were circumvented. Additional security measures have now been implemented to prevent similar incidents in the future. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The HHS Office for Civil Rights breach portal still shows the interim figure of 501 affected individuals.
Call 4 Health Issues Notifications About March 2024 Cyberattack
Call 4 Health, Inc., a Delray Beach, FL-based medical call center operator and nurse triage service provider, has recently issued individual notifications to individuals affected by a data security incident that occurred on March 20, 2024. Unauthorized network access was detected on May 6, 2024, and immediate action was taken to prevent further unauthorized access.
Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that its network had been hacked, and its systems were accessible for around 6 weeks. In addition to investigating the breach, assistance was provided in securing its digital environment and hardening network security. Call 4 Health also said it will be enhancing its cyber preparedness through additional awareness training and updating its procedures.
In its notice to the Maine Attorney General, Call 4 Health confirmed that the breached data included information related to employment and human resources, with the July 8, 2024 breach report stating that 3,210 individuals had been affected, including 1 Maine resident. The incident was reported to the Department of Health and Human Services on March 17, 2024, indicating the protected health information of 10,434 individuals had been exposed. Complimentary credit monitoring and identity restoration services are being offered to some of the affected individuals.
Clear Spring Health Notifies Patients About Change Healthcare Data Breach
Clear Spring Health, a Miramar, FL-based provider of PPO, HMO, and PDP advantage plans, has notified Medicare beneficiaries that their data may have been compromised in the February 2024 ransomware attack on Change Healthcare. In a website notice, Clear Spring Health explained that Change Healthcare confirmed on or around March 7, 2024, that the attackers had exfiltrated a substantial amount of data in the attack, which had potentially affected one in three Americans.
Change Healthcare is still conducting the document review to determine exactly which individuals have had their data exposed or stolen, and notification letters are expected to be mailed on behalf of its clients by the end of the month. Clear Spring Health said the types of data that may have been exposed include contact information, health insurance information, health information, billing information, and personal information, including Social Security numbers, driver’s license numbers, state ID numbers, and passport numbers. Clear Spring Health has advised the affected Medicare beneficiaries to take advantage of the two years of free credit monitoring services that Change Healthcare is offering.
The post SouthCoast Health; Call 4 Health Notify Patients About Cyberattacks appeared first on The HIPAA Journal.
SouthCoast Health; Call 4 Health Notify Patients About Cyberattacks
SouthCoast Health and Privia Medical Group in Georgia have notified patients about a cyberattack and data breach that occurred in June 2023. Unauthorized activity was identified in South Coast Health’s network on June 18, 2023, and assisted by forensic specialists, it was determined that its network was accessed by an unauthorized third party between June 15 and June 18, 2023. During that time, files on the network were viewed or copied.
South Coast Health confirmed that the intrusion was limited to its own network, with Privia Medical Group’s network unaffected; however, some Privia Medical Group patients did have their information exposed. The substitute breach notice provided to the South Carolina Attorney General does not list the types of data compromised in the attack, but that information is detailed in the individual notifications.
A substitute notice was posted on its website last year warning patients that they may have been affected, but at the time it was unclear how many patients had been affected or the types of data involved. The review of the affected files was not completed until June 13, 2024. South Coast Health said it had strict security measures in place to prevent unauthorized access to its network, but those measures were circumvented. Additional security measures have now been implemented to prevent similar incidents in the future. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The HHS Office for Civil Rights breach portal still shows the interim figure of 501 affected individuals.
Call 4 Health Issues Notifications About March 2024 Cyberattack
Call 4 Health, Inc., a Delray Beach, FL-based medical call center operator and nurse triage service provider, has recently issued individual notifications to individuals affected by a data security incident that occurred on March 20, 2024. Unauthorized network access was detected on May 6, 2024, and immediate action was taken to prevent further unauthorized access.
Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that its network had been hacked, and its systems were accessible for around 6 weeks. In addition to investigating the breach, assistance was provided in securing its digital environment and hardening network security. Call 4 Health also said it will be enhancing its cyber preparedness through additional awareness training and updating its procedures.
In its notice to the Maine Attorney General, Call 4 Health confirmed that the breached data included information related to employment and human resources, with the July 8, 2024 breach report stating that 3,210 individuals had been affected, including 1 Maine resident. The incident was reported to the Department of Health and Human Services on March 17, 2024, indicating the protected health information of 10,434 individuals had been exposed. Complimentary credit monitoring and identity restoration services are being offered to some of the affected individuals.
Clear Spring Health Notifies Patients About Change Healthcare Data Breach
Clear Spring Health, a Miramar, FL-based provider of PPO, HMO, and PDP advantage plans, has notified Medicare beneficiaries that their data may have been compromised in the February 2024 ransomware attack on Change Healthcare. In a website notice, Clear Spring Health explained that Change Healthcare confirmed on or around March 7, 2024, that the attackers had exfiltrated a substantial amount of data in the attack, which had potentially affected one in three Americans.
Change Healthcare is still conducting the document review to determine exactly which individuals have had their data exposed or stolen, and notification letters are expected to be mailed on behalf of its clients by the end of the month. Clear Spring Health said the types of data that may have been exposed include contact information, health insurance information, health information, billing information, and personal information, including Social Security numbers, driver’s license numbers, state ID numbers, and passport numbers. Clear Spring Health has advised the affected Medicare beneficiaries to take advantage of the two years of free credit monitoring services that Change Healthcare is offering.
The post SouthCoast Health; Call 4 Health Notify Patients About Cyberattacks appeared first on The HIPAA Journal.
RansomHub Claims to Have Stolen and Leaked 100 GB of Florida Department of Health Data – HIPAA Journal
RansomHub Claims to Have Stolen and Leaked 100 GB of Florida Department of Health Data
The Florida Department of Health has confirmed to FOX 35 in Orlando that it is investigating a cyberattack. The attack has affected its Vital Statistics System, which is used to process birth and death certificates. The disruption to the system has been causing problems for funeral homes across the state for the past two weeks. Some funeral homes have postponed their services or have been forced to physically visit healthcare providers to get signed copies of death certificates.
The Department of Health has released few details about the attack but this appears to have been a ransomware attack involving the exfiltration of a large volume of data. The RansomHub group claimed responsibility for the attack and said it had stolen around 100 gigabytes of data from the Department and started to leak the stolen data when the ransom was not paid by its deadline of July 1, 2024. The Department of Health has not commented on the validity of the group’s claims nor the extent of any data breach.
The failure to pay the ransom should not have come as a surprise, as Florida amended its State Cybersecurity Act to prohibit state agencies, counties, and municipalities that experience a ransomware attack from paying or otherwise complying with a ransom demand. The ban on ransom payments took effect on July 1, 2022.
There are no reasons to believe that the hacking group’s data theft claims are not genuine. RansomHub has conducted many attacks in the United States, including attacks on healthcare organizations and government departments. The group was also indirectly involved in the February ransomware attack on Change Healthcare, having obtained the data stolen in the attack from a BlackCat ransomware group affiliate after BlackCat performed an exit scam, pocketed the $22 million ransom, and refused to pay the affiliate.
The post RansomHub Claims to Have Stolen and Leaked 100 GB of Florida Department of Health Data appeared first on The HIPAA Journal.