Akumin Agrees to Pay $1.5 Million to Settle Class action Data Breach Lawsuit

Posted by Steve Alder

Akumin, a Florida-based provider of outpatient radiology and oncology services with locations in more than 20 U.S. states, has agreed to settle a class action lawsuit stemming from an October 2023 cybersecurity incident.

Akumin identified suspicious network activity on October 11, 2023, and confirmed that a threat actor accessed its network on October 11, 2023, and used ransomware to encrypt files.  The files potentially accessed and/or copied by the threat actor included patient and employee information such as names, contact information, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, medical record numbers, Medicare/Medicaid numbers, financial account information, health information, occupational health information, medical images, biometric information, billing and claims information, health insurance information, electronic signatures and other sensitive data.

The security incident was announced by Akumin on its website on October 12, 2023, and the data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 7,127 individuals.  Notification letters were sent to those individuals on December 29, 2023, and around a year later, on December 23, 2024, notification letters were mailed to the further affected individuals.

Several class action lawsuits were filed against Akumin over the data breach, which were consolidated into a single lawsuit – Gina Letizio, et al. v. Akumin Operating Corp. – in the Circuit Court of the 17th Judicial Court in and for Broward County, Florida. The consolidated lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, breach of confidence, unjust enrichment, and declaratory judgment. Akumin denies any wrongdoing and maintains there is no liability but chose to settle the lawsuit to avoid the litigation costs and expenses, distractions, burden, and disruption to its business operations associated with continuing with the litigation. The plaintiffs believe their claims are valid but agreed to settle the lawsuit for similar reasons.

Under the terms of the settlement, Akumin has agreed to establish a $1.5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for each of the named plaintiffs. After those costs have been paid, the remaining funds will be used to pay benefits to the class members. All class members are entitled to submit a claim for a cash payment to reimburse them for documented, unreimbursed losses due to the data breach up to a maximum of $2,500 per class member. In addition to the cash payment, class members may also claim one year of free medical data monitoring services.

The deadline for objection to and exclusion from the settlement is November 30, 2025, and claims must be submitted by the same date. The settlement has received preliminary approval from the court, and the final approval hearing has been scheduled for December 15, 2025. Further information can be found on the settlement website, https://akumindataincidentsettlement.com/

The post Akumin Agrees to Pay $1.5 Million to Settle Class action Data Breach Lawsuit appeared first on The HIPAA Journal.

Data Breaches Announced by Watsonville Community Hospital & Palomar Health Medical Group

Posted by Steve Alder

Data breaches have recently been announced by Watsonville Community Hospital and Palomar Health Medical Group in California, and the Phia Group in Massachusetts.

Watsonville Community Hospital

Watsonville Community Hospital in California is notifying individuals affected by a November 2024 security incident. Suspicious activity was identified within its computer systems on November 29, 2024, and the investigation confirmed that there had been unauthorized access to its network from November 25, 2024, to November 30, 2024, when the hackers were ejected from its network. The investigation confirmed that files containing patient information were either accessed or downloaded during those five days.

The file review confirmed that the data compromised in the incident included names, addresses, and driver’s license numbers or government ID numbers, with the exposed data varying from individual to individual. Notification letters started to be sent to the affected individuals on December 30, 2024; however, the file review was not completed until September 22, 2025. The final batch of notification letters started to be mailed on October 15, 2025.

The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 24 months. Watsonville Community Hospital has implemented additional cybersecurity safeguards and has provided further training to its workforce. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Palomar Health Medical Group

Arch Health Partners, Inc., doing business as Palomar Health Medical Group, in Poway, California, has started notifying patients about a data security incident first identified on May 5, 2024. Palomar Health Medical Group launched an investigation into suspicious network activity and confirmed that an unauthorized threat actor gained access to certain files on its network on April 23, 2024, and maintained access until the data breach was detected on May 5, 2024. During that time, files may have been copied that contained patient information.

The data compromised in the incident included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, military identification numbers, passport numbers, U.S. alien registration numbers, financial account information, payment card information, health savings account information, medical histories, diagnostic information, treatment information, biometric data, medical record numbers, Medicare/ Medicaid identification numbers, patient account numbers, health insurance information, email addresses and passwords, and usernames and passwords.

Palomar Health Medical Group had previously announced the cyberattack and data breach; however, it took until September 4, 2025, to finish the review of the affected files to allow notification letters to be sent. Complimentary credit monitoring and identity theft protection services have been made available for 12 or 24 months, and steps have been taken to improve security to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The Phia Group

The Phia Group, a Canton, Massachusetts-based provider of outsourced cost containment and payment integrity solutions to healthcare payers, has recently notified the Massachusetts Attorney General about a recent data security incident. The notice is a copy of the data breach notifications sent to the affected individuals, and it provides no information about the nature of the data breach, such as when it occurred, when it was detected, or the cause of the breach. The data potentially compromised in the incident includes names, Social Security numbers, and medical record numbers. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. The incident is not currently shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

This post will be updated when further information becomes available.

The post Data Breaches Announced by Watsonville Community Hospital & Palomar Health Medical Group appeared first on The HIPAA Journal.

Cybersecurity Firm Reports 36% YOY Increase in Ransomware Attacks

Posted by Steve Alder

Cybersecurity firm Black Fog has released its Q3 2025 State of Ransomware Report, which shows ransomware attacks have increased by 36% compared to the same quarter in 2024. Each month in the quarter saw an increase in attacks compared to the corresponding month last year, with July the worst month with a 50% increase. Over the whole quarter, 270 ransomware attacks were reported, although Black Fog notes that the majority of attacks remain in the shadows and go unreported. In Q3, an estimated 1,510 ransomware attacks were not disclosed, which represents a 21% increase from the previous quarter.

Healthcare remains a key target for ransomware groups, with the sector experiencing 86 attacks, which represents 32% of all disclosed attacks – more than twice as many ransomware attacks as were disclosed by entities in the next most attacked sectors, government and technology, which each had 28 disclosed incidents. Black Fog reports that 85% of ransomware attacks are not reported, and taking those attacks into account, manufacturing was the hardest hit sector, accounting for 22% of the 1,510 undisclosed attacks, followed closely by the services sector. Even with the HIPAA reporting requirements, healthcare ranked 5th for undisclosed incidents, which suggests that healthcare organizations are slow to investigate and report attacks. Law firms are increasingly being targeted, with the sector experiencing at least 79 attacks, the highest level since Black Fog started publishing ransomware reports in 2020.

Data theft almost always occurs with ransomware attacks, with some groups now abandoning encryption altogether. Black Fog reports that a new record was set in Q3 for data exfiltration, with 96% of attacks involving data theft. As reported by the Identity Theft Resource Center this month in its Q3 analysis of compromises, almost three-quarters (71%) of victim notifications do not mention the root cause of the attack, such as whether ransomware was used, which puts victims at a great risk of identity theft and fraud. Black Fog identified 449 victim listings on ransomware groups’ dark web data leak sites in Q3, 2025, with an average of 527.65 GB exfiltrated per victim. Black Fog CEO, Darren Williams, recommends that organizations should be more proactive at detecting the signs of data exfiltration by looking for unusual patterns in outbound traffic, anomalous MFA behaviors, and sudden file movement, as by the time files are encrypted, the damage from an attack is often irreversible.

The Qilin ransomware group retained its position as the most prolific ransomware group with 20 disclosed attacks (7%) and 242 undisclosed attacks (16%). INC Ransom ranked second with 18 (7%) disclosed attacks and 111 (7%) undisclosed attacks. Akira remains a highly active group with 139 (9%) undisclosed attacks. In Q3, a further 18 ransomware groups emerged, bringing the total number of active groups engaging in double extortion up to 80.

One notable newcomer is the Devman ransomware group, which has conducted 19 attacks in just a few months. The group stands out due to the high number of attacks for a new group, together with exorbitant ransom demands, including a $93 million ransom demand in the attack on the Chinese real estate firm, Shimao Group, which ranks as the largest ransom demand of the year.

“As ransomware volumes show a continued upward trend, the best option for organizations is to make it as hard as possible for cybercriminals to take advantage of them. That means protecting data so that they have no leverage for extortion and, critically, no incentive to return,” suggests Williams. That means improving monitoring and encrypting stored data.

The post Cybersecurity Firm Reports 36% YOY Increase in Ransomware Attacks appeared first on The HIPAA Journal.