The Texas health system Ernest Health is being sued by patients who had their protected health information compromised in a recent cyberattack. This is likely to be one of many lawsuits filed against Ernest Health over the theft of at least 94,747 patients’ data. Ernest Health operates hospitals in Arizona, California, Colorado, Idaho, Indiana, Montana, New Mexico, Ohio, South Carolina, Texas, Utah, Wisconsin, and Wyoming. On February 1, 2024, suspicious activity was detected in its networks, with the investigation confirming there had been unauthorized access to its network between January 16, 2024, and February 4, 2024. The LockBit ransomware group claimed responsibility for the attack and threatened to publish the stolen data on its leak site. Ernest Health said the compromised information included names, contact information, dates of birth, health plan IDs, health data, Social Security numbers, and driver’s license numbers.

A lawsuit has been filed by Joe Lara and Lauri Cook on behalf of themselves and similarly situated individuals who had their personal and protected health information compromised in the Ernest Health cyberattack. The lawsuit alleges that Ernest Health lost control of the data of current and former patients due to insufficient cybersecurity safeguards and a lack of cybersecurity training for its employees, which meant it had no effective means to prevent, detect, or stop the attack. The plaintiffs argue that it took 73 days from the initial compromise for Ernest Health to issue individual notifications, which denied them the opportunity to mitigate their injuries in a timely manner.

While Ernest Health said it has implemented additional safeguards in response to the breach, the plaintiffs claim the health system has done too little, too late, and that the offer of credit monitoring and identity theft protection services is wholly insufficient. The lawsuit alleges negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty and seeks a jury trial, declaratory and other equitable relief, injunctive relief, and compensatory, exemplary, punitive damages, and statutory damages. The plaintiffs and class are represented by Joe Kendall of the Kendall Law Group, and Samuel J. Strauss and Raina Borrelli of the law firm, Turke & Strauss.

The post Ernest Health Sued Over 2024 Ransomware Attack and Data Breach appeared first on HIPAA Journal.

Last month, the Spring, TX-based revenue cycle management firm MedData agreed to a $7 million settlement to resolve a class action lawsuit filed following the exposure of the personal and health information of 136,000 individuals on a public-facing website.

MedData helps healthcare providers and health plans by processing Medicaid eligibility, third-party liability, workers’ compensation, and patient billing, including healthcare providers and health plans such as Memorial Hermann, Aspirus Health Plan, OSF HealthCare, and the University of Chicago Medical Center. All of those HIPAA-covered entities had member and patient data exposed by MedData.

Between December 2018 and September 2019, a MedData employee inadvertently uploaded the data to personal folders on GitHub Arctic Code Vault, which is a public-facing part of the GitHub website. The data remained there unprotected and exposed for more than a year. MedData was informed about the data exposure by a security researcher on December 10, 2020, and the files were removed from GitHub on December 17, 2020.

MedData has faced 5 class action lawsuits over the data breach, four of which have been dismissed. This amended lawsuit is the last remaining action against MedData over the data breach. Under the terms of the settlement, class members can choose one of two payment tiers. The first option allows class members to claim back documented, unreimbursed out-of-pocket expenses fairly traceable to the data breach up to a maximum of $5,000 per class member. Alternatively, class members can claim up to $500 for “de-minimis” or minimal affirmative action in response to being notified about the data breach. Regardless of the option chosen, class members can also claim 36 months of health data and fraud monitoring services at no cost. Those services include a $1 million identity theft insurance policy.

The settlement also requires MedData to implement and maintain an enhanced cybersecurity program, which must include robust monitoring and auditing for data security issues, annual cybersecurity testing, training on data privacy for employees, data encryption, enhanced access controls, annual penetration testing, a data deletion policy, and a monitored internal whistleblowing mechanism. The board must also consider appropriate cybersecurity spending annually, and regularly update internal security policies and procedures.

The post MedData Settles Class Action Data Breach Lawsuit for $7 Million appeared first on HIPAA Journal.