Regulation Adds Privacy Protections for Patient Records on Substance Use Disorders – Ogletree
CVS Health Faces Congressional Investigation for Alleged HIPAA Violations in Louisiana Lobbying Campaign – Yahoo Finance
MX3 Strengthens Trust with Major Compliance Achievements – PR Newswire
Adena Health to Pay $17.8 Million to Settle Pixel Lawsuit – The HIPAA Journal
Adena Health System, a nonprofit health system serving patients in south central and southern Ohio, has agreed to pay $17.8 million to resolve claims that it unlawfully disclosed patient data to third parties via tracking pixels on its MyChart patient portal.
Adena Health is one of many health systems to use tools such as Meta Pixel and Google Analytics code to track users on its website; however, these tools were also implemented on its patient portal, which requires users to log in. Whilst on the website and patient portal, users’ data was collected, which may have included personally identifiable information (PII) and protected health information (PHI). That information was automatically sent to companies such as Meta and Google.
A lawsuit was filed over the disclosures, which were alleged to have occurred without the knowledge or consent of the data subjects. Users of the patient portal could book appointments, research medical conditions, learn about treatment options, and communicate with their providers. The lawsuit alleged that health conditions, preferred treatment options, physicians’ details, and search queries were all collected by the tracking tools and were transmitted to third parties. If a user was logged into their Facebook account at the time, the lawsuit claims the unique Facebook identifier was also transmitted, allowing them to be personally identified. The lawsuit claims the tools were knowingly added to the website and that Adena Health unjustly profited from the disclosures.
The lawsuit alleged negligence, breach of confidence, breach of fiduciary duty, unjust enrichment, invasion of privacy, and a violation of the Electronic Communications Privacy Act, and claimed that there is civil liability for criminal actions – the knowing disclosure of individually identifiable health information to a third party. Adena Health denies wrongdoing and liability and disagrees with the claims and contentions in the lawsuit; however, it agreed to a settlement to bring the litigation to an end to avoid the risks and uncertainties of trial and further litigation costs.
Under the terms of the settlement, the 89,000 class members who visited the patient portal between November 1, 2022, and June 3, 2024, are entitled to claim a cash payment of $21 and a year of credit monitoring and identity theft protection services, valued at $179 per person. The settlement now awaits approval from the court.
Bublup Achieves HIPAA and SOC 2 Type II Compliance, Strengthens Leadership Position as a Secure Collaboration and Community Platform for Health Advocates, Support Groups, and Privacy-First Businesses – The Joplin Globe
Feds Offer $10 Million Reward for Ransomware Administrator Who Attacked U.S. Healthcare Orgs
The U.S. Department of Justice has charged a Ukrainian serial ransomware criminal who is alleged to have been the administrator of multiple ransomware operations. Volodymyr Viktorovich Tymoshchuk, who used online monikers including deadforz, Boba, msfv, and farnetwork, is alleged to have been the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations between December 2018 and October 2021.
Tymoshchuk, along with his accomplices, conducted or played a key role in ransomware attacks using the LockerGoga and MegaCortex ransomware variants on more than 250 victims in the United States between July 2019 and June 2020, as well as on hundreds of victims worldwide. An international law enforcement operation targeting the LockerGoga and MegaCortex ransomware schemes in September 2022 obtained decryption keys, which were made available to victims via the No More Ransom Project. Many potential victims were able to prevent file encryption after receiving prompt notifications from law enforcement that their networks had been compromised.
Under the Nefilim ransomware scheme, Tymoshchuk and his accomplices claimed many more victims in the United States and worldwide between July 2020 and October 2021. Through those attacks, Tymoshchuk caused millions of dollars in losses due to disruption to business operations, damage to computer systems, and ransom payments. As administrator of the ransomware operations, Tymoshchuk recruited and provided access to the infrastructure and encryptor to conduct attacks.
One of the affiliates of the Nefilim ransomware operation was Ukrainian national Artem Stryzhak, who was arrested in Spain in June 2024 and extradited to the United States on April 30, 2025. Stryzhak has been charged with conspiracy to commit fraud and related activity. Stryzhak primarily targeted companies in the United States, Canada, or Australia that had annual revenues of over $100 million, although a Nefilim administrator encouraged him to target larger companies with more than $200 million in annual revenues. The Nefilim administrators allowed Stryzhak to keep 80% of any ransoms he generated, while they would retain 20%. Any victim who refused to pay had their stolen data leaked on the group’s Corporate Leaks websites.
Tymoshchuk has been charged with two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of causing intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information. “Tymoshchuk is a serial ransomware criminal who targeted blue-chip American companies, health care institutions, and large foreign industrial firms, and threatened to leak their sensitive data online if they refused to pay,” said U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York. “For a time, the defendant stayed ahead of law enforcement by deploying new strains of malicious software when his old ones were decrypted. Today’s charges reflect international coordination to unmask and charge a dangerous and pervasive ransomware actor who can no longer remain anonymous.”
The U.S. Department of State is offering up to $10 million as a reward for information leading to the location, arrest, or conviction of Tymoshchuk, plus a further $1 million reward for information that leads to convictions of other members of the LockerGoga, MegaCortex, and Nefilim ransomware groups. The rewards are offered under the Transnational Organized Crime (TOC) Rewards Program.
The post Feds Offer $10 Million Reward for Ransomware Administrator Who Attacked U.S. Healthcare Orgs appeared first on The HIPAA Journal.