BianLian Threat Group Claims Responsibility for Cyberattack on Tennessee Eye Clinic Network

Posted by Steve Alder

Politzer and Durocher, PLC, which does business as Optometric Physicians of Middle Tennessee (OPMT), has recently reported a hacking incident to the HHS Office for Civil Rights involving the personal and protected health information of 29,000 individuals. The Lebanon, TN-based eye clinic chain said it detected unauthorized access to its network on March 25, 2024. The attackers had circumvented its security controls, and accessed one of its servers and exfiltrated files containing “a very limited amount of healthcare information.” The investigation confirmed that other identifying information may have been accessed in the attack. A forensic investigation is currently underway to determine the exact types of information involved and notification letters will be mailed to the affected individuals when that process is completed. OPMT said, “Even though it is not specifically required by HIPAA, we will offer identity theft protection services to all affected individuals; we feel that this is an important precaution to protect our patients.”

The BianLian group has claimed responsibility for the attack. Like several other cybercriminal groups, BianLian tends not to use ransomware anymore and just steals data and demands payment to prevent the exposure or sale of the data. The BianLian has added OPMT to its leak site and claims to have exfiltrated 1.5TB of data in the attack, including financial information, HR data, biometric data, contracts and confidential agreements, SQL databases, and patients’ PII and PHI.

Moffitt Cancer Center Affected by Data Breach at Advarra

Moffitt Cancer Center has recently announced that it has been affected by a security breach at one of its vendors, Advarra.  Advarra provided services to Moffitt Cancer Center related to the care and treatment of patients and a research study. On October 26, 2023, Advarra discovered suspicious activity in an employee’s user account. The forensic investigation confirmed it had been accessed by an unauthorized individual on October 25, 2023, who acquired a limited amount of data. On or around February 8, 2024, Advarra completed its file review and confirmed that the compromised data belonged to Moffitt Cancer Center.

Moffitt Cancer Center was notified about the breach by Advarra on February 21, 2024, and completed its review of the affected data on March 13, 2024. Moffitt Cancer Center has confirmed that its own systems were not accessed and that the information exposed was limited to names, dates of birth, and Social Security numbers. Advarra is notifying the affected individuals on behalf of Moffitt Cancer Center.

Advarra has recently reported the breach to the HHS’ Office for Civil Rights as affecting 596 individuals and Moffit Cancer Center has reported the breach to the Maine Attorney General as affecting 26,577 individuals. Advarra said it has implemented additional measures to further strengthen its internal files system and is offering the affected individuals complimentary identity theft monitoring through Kroll. Moffitt Cancer Center also recently announced that it was affected by a data breach at another vendor, the law firm Gunster, Yoakley, and Stewart.

Patient Data Stolen in Cyberattack on Somerset Dental Las Vegas

Somerset Dental Las Vegas in Nevada has notified 11,321 patients that some of their protected health information has been exposed. The security breach was detected on February 16, 2024, and a third-party forensic investigation confirmed that certain files were exfiltrated from its network in the attack. The stolen data varied from individual to individual and may have included names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, driver’s license numbers, health information, and dental insurance information.  Somerset Dental Las Vegas said it is reviewing its security safeguards and will strengthen security. Complimentary identity protection and credit monitoring services have been offered to individuals whose Social Security numbers and/or driver’s license numbers were involved.

The post BianLian Threat Group Claims Responsibility for Cyberattack on Tennessee Eye Clinic Network appeared first on HIPAA Journal.

City of Hope Settles Class Action Data Breach Lawsuit

Posted by Steve Alder

City of Hope, a Duarte, California-based non-profit clinical research and cancer treatment center, has agreed to settle a class action lawsuit stemming from a 2023 data breach that affected more than 827,000 individuals. Hackers had access to the City of Hope network between September 2023 and October 2023, and exfiltrated sensitive data.

Several class action lawsuits were filed over the data breach, as detailed in previous coverage by The HIPAA Journal below. The lawsuits had overlapping claims and were consolidated – In re City of Hope Data Security Breach Litigation – in the Superior Court of the State of California for the County of Los Angeles. The consolidated lawsuit asserted claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. City of Hope maintains there was no wrongdoing or liability. Following mediation, all parties reached an agreement in principle to settle the lawsuit to avoid the cost, time, risks, and uncertainty associated with continuing with the litigation. The terms of the settlement have now been agreed, and the settlement has received preliminary approval from the court.

City of Hope has agreed to establish an $8,500,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards, and benefits for the class members. Class members may claim up to $5,000 in reimbursement for documented, unreimbursed losses fairly traceable to the data breach, which may include up to four hours of lost time at $25 per hour. Alternatively, class members may submit a claim for a cash payment estimated to be $100. The cash payments may be increased or decreased pro rata depending on the remaining funds after attorneys’ fees, expenses, administration costs, service awards, reimbursement claims, and credit monitoring costs have been paid.

All class members who submit a claim for reimbursement of documented losses or the alternative cash payment will receive a code that can be used to enroll in a medical information and protection service from CyEx, which includes single-bureau credit monitoring and protection against medical fraud. Class members who resided in California at any point between September 19, 2023, and January 13, 2026, are entitled to claim an additional cash payment of $250, which may also be adjusted pro rata.

Individuals who wish to object to or be excluded from the settlement have until December 15, 2025, to do so, and all claims must be submitted by January 13, 2026. The final approval hearing has been scheduled for February 20, 2026.

April 25, 2024: Multiple Class Action Lawsuits Filed Against City of Hope National Medical Center Over Data Breach

Several class action lawsuits have been filed against City of Hope National Medical Center, a National Cancer Institute (NCI)-designated cancer treatment and research center, over a recently disclosed data breach that exposed the protected health information of more than 827,000 individuals.

City of Hope National Medical Center identified suspicious activity within its network on October 13, 2023, and the forensic investigation confirmed there had been unauthorized access by a third party between September 19, 2023, and October 12, 2023. During that time, files containing patient data were exfiltrated from its network. The exposed and stolen data included contact information, Social Security numbers, driver’s license numbers, financial information, health insurance information, medical records, medical histories, diagnoses/conditions, and health insurance information. City of Hope National Medical Center issued notification letters on April 2, 2024, and offered the affected individuals complimentary credit monitoring services.

Class action lawsuits started to be filed soon after notification letters were mailed. The lawsuits make similar claims, that City of Hope National Medical Center failed to implement reasonable and appropriate cybersecurity safeguards, did not follow industry best practices for cybersecurity, and that the cyberattack that exposed their sensitive data could have been prevented. The plaintiffs allege that City of Hope National Medical Center should have been aware that it was a likely target for cybercriminals due to the high value of healthcare data on the black market and numerous warnings from federal agencies about the high risk of cyberattacks on the sector. The plaintiffs also allege an unnecessary delay in issuing notifications – five months after the cyberattack was detected.

The plaintiffs allege that injuries have been sustained as a result of the data breach. They face an imminent and increased risk of identity theft and fraud since their sensitive data is now in the hands of cybercriminals, and have and will continue to need to spend time and money protecting themselves from fraud, identity theft, and medical identity theft. At least 8 lawsuits have been filed to date in response to the data breach that make claims of negligence, breach of fiduciary duty, breach of implied contract, and invasion of privacy. The lawsuits seek class action certification, a jury trial, damages, and injunctive relief.

The post City of Hope Settles Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.