Group Health Cooperative of South Central Wisconsin Ransomware Attack Affects 533K Patients

Posted by Steve Alder

Group Health Cooperative of South Central Wisconsin (GHC-SCW) has notified 533,809 patients about a January cyberattack. In the early hours of January 25, 2024, an unauthorized third party accessed its network and attempted to use ransomware to encrypt files. GHC-SCW said the file encryption was not successful; however, while containing the attack and securing its systems, some of its systems were temporarily made unavailable. Third-party cybersecurity experts were engaged to investigate the incident and on February 9, 2024, evidence was uncovered that indicated the attacker had copied certain files from the network before attempting encryption. The attacker also made contact with GHC-SCW and claimed responsibility for the attack and confirmed that data had been exfiltrated from its network. The attacker, a foreign ransomware group, demanded payment to delete the stolen data. GHJC-SCW did not state whether the ransom was paid.

The review of the affected files confirmed that they contained the following types of patient information: Member/patient name, address, telephone number, e-mail address, date of birth and/or date of death, Social Security number, member number, and Medicare and/or Medicaid number.  The types of data involved varied from individual to individual. At the time of issuing notification letters, no evidence had been uncovered suggesting any stolen data had been misused or further disclosed.

GHC-SCW said it notified the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) about the attack and has been working with those agencies to mitigate any harm that may result from the incident. GHC-SCW said cybersecurity measures have been enhanced across all systems and networks to reduce the risk of similar incidents in the future, including strengthening existing privacy and security controls, data backup processes, user training and awareness, and other measures. Affected patients have been offered a one-year membership to a credit monitoring service at no cost.

The post Group Health Cooperative of South Central Wisconsin Ransomware Attack Affects 533K Patients appeared first on HIPAA Journal.

Medusa Ransomware Group Leaks Data Stolen from American Renal Associates

Posted by Steve Alder

The Medusa ransomware group has leaked data stolen from American Renal Associates. Moffitt Cancer Center has been affected by a cyberattack on a vendor, and Family Health Center in Michigan and Zuckerberg San Francisco General Hospital have reported the exposure of patient data.

American Renal Associates

American Renal Associates (ARA), one of the largest providers of dialysis services in the United States and a provider of care for patients suffering from end-stage renal disease has experienced a Medusa ransomware attack. The ransomware attack has yet to be announced by ARA, but the Medusa ransomware group has leaked data allegedly stolen in the attack. The attack occurred on March 2, 2024, and affected hundreds of computers.

According to an analysis of the leaked data by Marco A. De Felice, around 5TB of data was stolen by the Medusa group including the protected health information of an estimated 37,700 patients. The leaked data includes patient names, dates of birth, phone numbers, email addresses, medical records, Social Security numbers, copies of passports and driver’s licenses, health insurance information, and company data.

Moffitt Cancer Center

Moffitt Cancer Center in Florida has announced that it has been affected by a security incident at one of its vendors. The law firm, Gunster, Yoakley, and Stewart, was provided with patient data in connection with legal services provided to Moffitt Cancer Center. Hackers gained access to the law firm’s network and may have obtained data such as names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, other government-issued identification numbers, financial account information, and medical information, including medical records numbers, health insurance benefit information, claims data, and diagnosis and treatment information.

The law firm started notifying affected individuals in April 2023; however, as the investigation progressed, it became clear that other individuals had been affected. Further notification letters were mailed in the following months, with Moffitt Cancer Center patients notified in April 2024. It is currently unclear how many Moffitt Cancer Center patients have been affected.

Family Health Center

Family Health Center in Kalamazoo, MI, has announced that it fell victim to a cyberattack that caused network disruption and impacted the functionality and access of certain systems. Prompt action was taken to contain the attack and prevent further unauthorized access on January 25, 2024, when the breach was detected and a third-party cybersecurity firm was engaged to conduct a forensic investigation.

The investigation uncovered evidence of unauthorized access to files that contained patient information. The review of those files confirmed that they contained employee information such as names, addresses, health insurance information, and Social Security numbers, and patient information such as first names, last names, and medical information. Family Health Center has reported the breach to the HHS’ Office for Civil Rights as affecting 3,240 individuals and said it has taken steps to improve security, including expanding multi-factor authentication and increasing monitoring of its network for suspicious activity.

Zuckerberg San Francisco General

Zuckerberg San Francisco General in California has announced that a medical logbook went missing in December 2023 that contained patient information. The logbook contained patient data from January 11, 2022, to December 12, 2023, including names, dates of birth, genders, medical record numbers, visit dates, dates of specimen collection, reason for specimen collection, whether a result was received, and other types of health information.

At the time of the announcement, no reports had been received to indicate any misuse of patient data. Zuckerberg San Francisco Hospital is reviewing its policies and procedures and is providing additional security awareness training to employees. The incident has been reported to the HHS’ Office for Civil Rights, but it is not yet shown on the OCR breach portal, so it is unclear how many individuals have been affected.

The post Medusa Ransomware Group Leaks Data Stolen from American Renal Associates appeared first on HIPAA Journal.

Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million

Posted by Steve Alder

Planned Parenthood Los Angeles, a provider of reproductive healthcare services in Los Angeles County, has proposed a $6 million settlement to resolve all claims related to a 2021 data breach that exposed the personal information of more than 409,437 patients.

Between October 9, 2021, and October 17, 2021, hackers accessed the Planned Parenthood Los Angeles network, exfiltrated sensitive patient data, and used ransomware to encrypt files. Planned Parenthood discovered the ransomware attack on October 17, 2021, and confirmed on November 4, 2021, that the stolen files contained patient data. The stolen data included names, addresses, dates of birth, diagnoses, health insurance information, and medical information, including procedures and prescriptions.

A lawsuitIn re: Planned Parenthood Los Angeles Data Incident Litigation – was filed in the U.S. District Court of Central California over the data breach that alleged that Planned Parenthood Los Angeles was negligent by failing to implement reasonable and appropriate cybersecurity measures in line with industry standards, and had those measures been implemented, the ransomware attack and data breach could have been avoided. The lawsuit alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA).

According to the lawsuit, the timing of the breach was such that patients would be more likely to suffer harm, as it coincided with Supreme Court debates on abortion. The stolen data also included highly sensitive health information such as abortion procedures, treatment of sexually transmitted diseases, emergency contraception prescriptions, and cancer screening information.

Planned Parenthood Los Angeles chose to settle the lawsuit with no admission of wrongdoing. Claims will be accepted up to a maximum of $10,000 to recover documented losses incurred as a result of the data breach, including bank costs, credit expenses, fraudulent charges, and losses to identity theft and fraud. Class members can also claim up to 7 hours of lost time at $30 per hour and three years of credit monitoring and identity theft protection services, which include a $1 million identity theft protection policy.

Class members will also be entitled to statutory damages, with the payments depending on participation rates. Statutory damages will be paid from the remainder of the $6 million fund after claims have been paid. If there is a 10% participation rate, statutory damages are estimated to be around $66 per class member. Class members are individuals who were notified about the data breach by Planned Parenthood Los Angeles in or around November 2021.

Key Dates:

  • Deadline for objection/exclusion: June 6, 2024
  • Deadline for claims: June 7, 2024
  • Final Hearing: August 8, 2024

The post Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million appeared first on HIPAA Journal.

Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million

Posted by Steve Alder

Planned Parenthood Los Angeles, a provider of reproductive healthcare services in Los Angeles County, has proposed a $6 million settlement to resolve all claims related to a 2021 data breach that exposed the personal information of more than 409,437 patients.

Between October 9, 2021, and October 17, 2021, hackers accessed the Planned Parenthood Los Angeles network, exfiltrated sensitive patient data, and used ransomware to encrypt files. Planned Parenthood discovered the ransomware attack on October 17, 2021, and confirmed on November 4, 2021, that the stolen files contained patient data. The stolen data included names, addresses, dates of birth, diagnoses, health insurance information, and medical information, including procedures and prescriptions.

A lawsuitIn re: Planned Parenthood Los Angeles Data Incident Litigation – was filed in the U.S. District Court of Central California over the data breach that alleged that Planned Parenthood Los Angeles was negligent by failing to implement reasonable and appropriate cybersecurity measures in line with industry standards, and had those measures been implemented, the ransomware attack and data breach could have been avoided. The lawsuit alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the California Confidentiality of Medical Information Act (CMIA), and the California Consumer Privacy Act (CCPA).

According to the lawsuit, the timing of the breach was such that patients would be more likely to suffer harm, as it coincided with Supreme Court debates on abortion. The stolen data also included highly sensitive health information such as abortion procedures, treatment of sexually transmitted diseases, emergency contraception prescriptions, and cancer screening information.

Planned Parenthood Los Angeles chose to settle the lawsuit with no admission of wrongdoing. Claims will be accepted up to a maximum of $10,000 to recover documented losses incurred as a result of the data breach, including bank costs, credit expenses, fraudulent charges, and losses to identity theft and fraud. Class members can also claim up to 7 hours of lost time at $30 per hour and three years of credit monitoring and identity theft protection services, which include a $1 million identity theft protection policy.

Class members will also be entitled to statutory damages, with the payments depending on participation rates. Statutory damages will be paid from the remainder of the $6 million fund after claims have been paid. If there is a 10% participation rate, statutory damages are estimated to be around $66 per class member. Class members are individuals who were notified about the data breach by Planned Parenthood Los Angeles in or around November 2021.

Key Dates:

  • Deadline for objection/exclusion: June 6, 2024
  • Deadline for claims: June 7, 2024
  • Final Hearing: August 8, 2024

The post Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million appeared first on HIPAA Journal.

New Federal Data Privacy and Protection Legislation Introduced

Posted by Steve Alder

A federal data privacy law is inching closer to reality, with House and Senate Committee leaders reportedly having reached an agreement on data privacy measures, and have proposed the American Privacy Rights Act of 2024.

In July 2022, the American Data Privacy and Protection Act (ADPPA) was proposed. ADPPA was a bipartisan effort to introduce much-needed protections for consumer data and, if enacted, would regulate how organizations could collect and use consumer data. The landmark federal data privacy bill was the first federal data privacy legislation to pass committee markup, succeeding where many attempts over the past two decades have failed.

In the absence of a federal data privacy law, many states have introduced their own laws, with California being the first state to introduce a comprehensive consumer data privacy law, followed by 14 others: Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire. Seven other states have introduced narrow privacy laws: Maine, Michigan, Minnesota, Nevada, New York, Vermont, and Washington, and legislation is pending in several other states. The problem with this patchwork of data privacy laws is it makes compliance complex for companies that operate in more than one state, and individuals living just a few miles apart over a state line could have vastly different rights and protections.

ADPPA underwent some revisions and advanced to the House floor, but Republicans and Democrats were unwilling to compromise on key parts of the bill. One of the key sticking points was the preemption of state laws, with ADPPA setting a ceiling rather than a floor for data privacy and protection, with individual states unable to improve the protections from the basic protections set by ADPPA. That would mean that states such as California would have to water down the protections that have been in place for state residents for several years.

Another sticking point was the private cause of action, with Democrats backing a private cause of action that allowed individuals to bring lawsuits for privacy violations, whereas Republicans largely opposed a private cause of action. Last Congress, leaders of the House Committee on Energy and Commerce and Senate Commerce Committee agreed to amendments to ADPPA that would see the federal privacy law pre-empt some state laws and include limited privacy cause of action; however, even with this proposal, there was insufficient support. Californian Democrats opposed the preemption of state laws and refused to give their support, and former House Speaker Nancy Pelosi and Sen. Maria Cantwell (D-WA), Chair of the Senate Committee on Commerce, Science, and Transportation, also refused to support ADPPA. As such, the proposal was rejected and ADPPA was not reintroduced to Congress.

According to a press release issued by Rep. Cathy McMorris Rodgers (R-WA), Chair of the House Energy and Commerce Committee, a deal has been agreed on new federal data privacy legislation – The American Privacy Rights Act of 2024, the successor of ADPPA. “This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said Chairs Rodgers and Cantwell. “This landmark legislation represents the sum of years of good faith efforts in both the House and Senate. It strikes a meaningful balance on issues that are critical to moving comprehensive data privacy legislation through Congress. Americans deserve the right to control their data and we’re hopeful that our colleagues in the House and Senate will join us in getting this legislation signed into law.”

“This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act,” said Chair Rodgers. “I’m grateful to my colleague, Senator Cantwell, for working with me in a bipartisan manner on this important legislation and look forward to moving the bill through regular order on Energy and Commerce this month.”

A discussion draft of the American Privacy Rights Act of 2024 is available here,  and a section-by-section discussion draft can be downloaded here.

The post New Federal Data Privacy and Protection Legislation Introduced appeared first on HIPAA Journal.