Federal Judge Tosses CommonSpirit Health Data Breach Lawsuit Due to Lack of Standing

A federal magistrate judge has recommended that a class action lawsuit against CommonSpirit Health over its 2022 data breach be dismissed, because the plaintiff failed to demonstrate that she had been harmed by the breach.

CommonSpirit Health suffered a ransomware attack on October 2, 2022, that affected more than 100 CommonSpirit Health facilities across the United States. The threat actor gained access to its systems on September 16, 2022, and retained that access until October 3, 2022. The forensic investigation and document review confirmed that the protected health information of more than 623,000 patients had been exposed. The exposed data included full names, addresses, healthcare providers, medical record numbers, treatment/prescription information, dates of medical services, other health insurance information, and patients' facility/account numbers.

Multiple class action lawsuits making similar claims were filed against CommonSpirit Health over the cyberattack and data breach. The lawsuits alleged that CommonSpirit Health was negligent in failing to implement reasonable and appropriate safeguards to ensure the privacy of the protected health information it held, and that it delayed issuing breach notifications, which were not sent until April 5, 2023.

One of those lawsuits, Bonnie Maser v. CommonSpirit Health, alleged that the plaintiff suffered injuries as a result of the breach, including more than $3,000 in bank account fraud that led to the closure of her account. As a result of the fraud, the plaintiff could not afford to pay her rent, lost her housing, her credit score dropped 60 points, and she claimed to continue to suffer harm, including panic attacks caused by the stress of the data breach. Maser’s lawsuit alleged negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment.

CommonSpirit Health argued that the plaintiff failed to allege a concrete or imminent harm sufficient to support Article III standing, failed to adequately allege the minimum amount in controversy under the Class Action Fairness Act, and failed to state a claim upon which relief could be granted. U.S. Magistrate Judge Susan Prose recommended that the lawsuit be dismissed for lack of Article III standing, as the plaintiff failed to demonstrate that the fraudulent charges were fairly traceable to the data breach.

This was the second such lawsuit against CommonSpirit Health to be tossed for lack of standing. Two lawsuits filed in Illinois and consolidated into a single action – one by Jose Antonio Koch, individually and on behalf of his two minor children, and another by Leeroy Perkins – were also dismissed for lack of standing by District Court Judge Harry D. Leinenweber.

The post Federal Judge Tosses CommonSpirit Health Data Breach Lawsuit Due to Lack of Standing appeared first on HIPAA Journal.

Verizon 2024 DBIR: 70% of Healthcare Data Breaches Caused by Insiders

On May 1, 2024, the 2024 Verizon Data Breach Investigations Report (DBIR) was released. This year's report analyzed a record number of security incidents (30,458) and more than double the number of confirmed data breaches compared with last year (10,626). The report includes 1,378 security incidents at healthcare organizations and 1,220 confirmed healthcare data breaches.

Credential theft was the most common method of breaching networks and was the initial access vector in 38% of data breaches, followed by phishing (15%). Vulnerability exploitation was the third most common initial access vector and the root cause of 14% of breaches, but what is particularly concerning is the increase in exploit-related data breaches, which are up 180% year over year. Also concerning is the time it takes organizations to patch disclosed vulnerabilities. On average, it took organizations 55 days to patch 50% of their critical vulnerabilities, which gives threat actors a significant window in which to exploit them.

Top causes of non-error, non-misuse data breaches. Source: Verizon 2024 DBIR

Ransomware groups were behind many of the attacks targeting unpatched vulnerabilities, with the Clop ransomware group's mass exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer solution a significant factor in the large increase in exploit-related breaches. Clop also mass exploited a zero-day vulnerability in GoAnywhere MFT in January and a SysAid zero-day flaw in November.

While ransomware groups were a major threat in 2023 and were behind some of the year's largest data breaches, there was a slight decline in ransomware attacks year over year. Law enforcement actions against ransomware groups, non-payment of affiliates, and falling numbers of victims paying ransoms have led some ransomware affiliates to reconsider their options; however, Verizon's figures suggest that threat actors are simply switching to extortion-only attacks, in which sensitive data is stolen without file encryption.

In response to the threat of ransomware attacks, organizations have improved their backup processes and disaster recovery plans, and an increasing number of victims do not need to pay to recover their files; however, the threat of the sale or publication of stolen data is often enough to get victims to pay. The attack on Change Healthcare shows that there is no guarantee that data will be deleted if the ransom is paid. In 2023, 23% of data breaches were due to ransomware attacks, and around one in three data breaches (32%) involved extortion, with two-thirds of financially motivated attacks involving either ransomware or extortion. 15% of data breaches involved third parties such as software supply chains, hosting providers, and data custodians, up 68% year over year.

Over the past few years, Verizon has highlighted the extent to which the human element is involved in data breaches, through accidental misconfigurations, falling for social engineering scams, and phishing attacks. In 2021, the human element was a factor in 85% of data breaches, falling to 82% in 2022. In the 2024 DBIR, Verizon changed how these incidents are recorded, excluding actions by malicious insiders. Non-malicious human error was involved in 68% of data breaches; had malicious insiders been included, the percentage of breaches involving the human factor would have been at around the same level as in previous years.

In healthcare, the biggest cause of data breaches was miscellaneous errors, followed by privilege misuse and system intrusions, with those three patterns behind 83% of data breaches. In contrast to other sectors, 70% of the threat actors behind healthcare data breaches were internal, reversing the decline in breaches by malicious insiders seen in recent years.

Patterns in healthcare data breaches. Source: 2024 Verizon DBIR

98% of all healthcare attacks were financially motivated, and personal data was compromised in 75% of incidents. Verizon said threat actors are increasingly targeting personal information over medical data. Verizon points out that privilege misuse by malicious insiders was not even a top-three breach cause in 2022 but rose to second place in 2023. The most common error resulting in a data breach was misdelivery of paper records or misdirected emails, followed by loss of data, with the third most common being gaffes – disclosures of patient information when others were within earshot.