BioPlus Specialty Pharmacy Services Proposes Settlement to Resolve Data Breach Lawsuit

Posted by Steve Alder

BioPlus Specialty Pharmacy Services has proposed a settlement to resolve a class action lawsuit that was filed in response to a 2021 data breach that exposed the data of up to 350,000 patients. Hackers gained access to the BioPlus network for more than 2 weeks between October and November 2021, and potentially stole names, dates of birth, contact information, health insurance information, prescription information, and Social Security numbers. The Florida specialty pharmacy chain notified the affected individuals within a month and offered them complimentary credit monitoring services.

A lawsuit was filed over the data breach alleging BioPlus should have prevented the breach and could have if reasonable cybersecurity measures had been implemented and industry-standard security best practices had been followed. BioPlus disagreed with the allegations; however, a settlement has been proposed to bring the legal action to an end. BioPlus has not admitted liability or any wrongdoing related to the cyberattack and data breach.

Under the terms of the proposed settlement, class members may submit claims of up to $7,550 and will be reimbursed for out-of-pocket expenses incurred as a result of the data breach. The maximum claim permitted depends on whether Social Security numbers were compromised. If they were, class members can claim a cash payment of $50 and can claim up to $7,500 for documented expenses incurred as a result of the data breach, including 3 hours of lost time at $25 per hour, and any unreimbursed losses to identity theft and fraud.

Class members whose Social Security numbers were not breached cannot claim a cash payment and claims will be limited to a maximum of $750, including 2 hours of lost time at $25 per hour. Any individual who wishes to object to or be excluded from the settlement must do so by June 18, 2024, and all claims must be submitted by the same date. The settlement has received preliminary approval from the court and the final settlement hearing is scheduled for August 22, 2024. The plaintiff and class were represented by attorneys at Morgan & Morgan and Markovits, Stock, & DeMarco LLC.

The post BioPlus Specialty Pharmacy Services Proposes Settlement to Resolve Data Breach Lawsuit appeared first on HIPAA Journal.

BakerHostetler Report Identifies Healthcare Data Breach and Litigation Trends

Posted by Steve Alder

BakerHostetler has released the 10th edition of its Data Security Incident Response Report, which shares data from the incidents the law firm has helped to manage. The report provides insights into the current cyber threat landscape and litigation trends.

Data Breach Insights

Healthcare accounted for 28% of data breach incidents, followed by finance and insurance (17%), business and professional services (15%), and education (13%). The biggest known root cause of all incidents was the exploitation of unpatched vulnerabilities (23% of incidents) followed by phishing (20%). By far the most common cause of security incidents in 2023 was network intrusions, which accounted for 51% of security incidents the law firm helped to manage, followed by business email compromise incidents (26%), and inadvertent disclosures (26%).

Cybercriminals are getting better at covering their tracks, as the root cause of 36% of network intrusions could not be determined. The main known cause of these incidents was vulnerability exploitation (25% of attacks). Phishing was involved in 9% of network intrusions, 5% involved brute force or credential stuffing, 4% were due to misconfigurations, 3% were due to RDP compromise, and 3% due to social engineering. 72% of successful network intrusions involved the deployment of ransomware, 57% involved data exfiltration, and 46% saw malware installed.

The average ransom demand was $2,644,647 and the average ransom payment was $747,651 but these were considerably higher in healthcare with an average demand of $3,492,434 and an average ransom payment of $857,933. In healthcare, it took an average of 13.4 days to acceptable data restoration and an average of 158,362 notifications had to be sent. As has been seen in other data, the percentage of victims paying a ransom is falling. 27% of attacked companies paid a ransom in 2023, compared to 40% in 2022.

The was a significant increase in data breaches at vendors. In 2023, business associates were responsible for 60% of the breaches of 500 or more records that were reported to the HHS’ Office for Civil Rights (OCR), compared to 35% in 2022. There was also a major increase in the size of healthcare data breaches, jumping by almost 200% from 2022 to 2023, from 56.9 million individuals to 144.5 million in 2023. The median time from incident to discovery was 2 days, 0 days to containment, 33 days to complete the forensic investigation, and 60 days from discovery to notification. The average time from occurrence to detection was 42 days and from detection to notice was 75 days.

Phishing and social engineering attacks have been getting more sophisticated. New social engineering scams that have become common involve threat actors contacting IT helpdesks to request password resets and enroll new devices to accept MFA codes. Several business email compromise attacks occurred as a result of QR code phishing attacks (Quishing), and many phishing attacks occurred via SMS messages (smishing). While multifactor authentication was sufficient to keep threat actors out of email accounts, MFA is increasingly bypassed in attacks. 43% of incidents required notifications to be issued, with an average of 98,504 notifications required. Out of the 493 incidents that required notifications to be issued, 58% resulted in lawsuits being filed, up from 42 in 2022.

Class Action Lawsuits Over Tracking Technologies Soar

Class action lawsuits over website tracking technology breaches are increasingly being filed, especially against healthcare organizations following guidance from the HHS’ Office for Civil Rights warning that the technologies violated HIPAA. The Federal Trade Commission (FTC) is also cracking down on organizations that use the technology without informing consumers.

BakerHostetler is currently defending more than 300 privacy or data security lawsuits and over 100 of those lawsuits involve data breaches due to the use of tracking technologies. More than 200 lawsuits have now been filed against healthcare organizations as a result of the use of tracking technologies, 75% of which were filed in the past year. Many of these lawsuits are still in the early stages, with only one case so far granted class certification and one that has had class certification denied. The first trial in a healthcare website tracking technology lawsuit is due to take place this summer. Several lawsuits have been quickly settled, with each individual due to receive an average of between $4 and $5. Since those settlements have been announced there has been an increase in the initial demands for damages.

OCR Enforcement Insights

After three years of relatively high numbers of enforcement actions, 2023 saw a fall in OCR enforcement activity. In 2023 there was a notable reduction in enforcement actions over HIPAA Right of Access violations (4) than the average of 14 over the previous three years. While there was an increase in enforcement actions for other HIPAA violations – 10 in 2023 vs 5 in 2022 and 3 in 2021 – OCR only imposed 11 penalties in 2023 to resolve HIPAA violations, compared to an average of 19 in the three previous years. BakerHostetler suggests the drop off in enforcement actions may be due to OCR focusing on another enforcement priority. OCR has issued guidance on HIPAA compliance with respect to website tracking technologies, and BakerHostelter suggests that may now be an enforcement focus for OCR.

The post BakerHostetler Report Identifies Healthcare Data Breach and Litigation Trends appeared first on HIPAA Journal.