Class Action Lawsuits Filed Against ESO Solutions Over Data Breach

Class action lawsuits have been filed against ESO Solutions over its recently disclosed cyberattack and data breach, which affected almost 2.7 million individuals. The breach involved sensitive information such as names, contact information, and Social Security numbers, and affected many of the company’s healthcare clients.

Two lawsuits – Claybo v. ESO Solutions Inc. and Essie Jones f/k/a Essie McVay v. ESO Solutions Inc. – were filed in the U.S. District Court for the Western District of Texas, Austin Division. Both allege that ESO Solutions failed to implement reasonable and appropriate industry-standard security measures to ensure the privacy and confidentiality of patient data. The lawsuits also allege that ESO Solutions did not properly train staff members on data security protocols, failed to detect the breach of its systems and the theft of data in a timely manner, and then failed to issue timely notifications to the affected individuals. The lawsuits further allege that these data security failures violate the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuits claim that, as a direct result of those failures, hackers gained access to the plaintiffs’ and class members’ sensitive data, and that the plaintiffs and class members now face an imminent and ongoing risk of identity theft and fraud, have suffered other injuries as a result of the breach, and have incurred out-of-pocket expenses. The lawsuits seek a jury trial, class action certification, an award of damages, injunctive relief, and attorneys’ fees. The plaintiffs and class members are represented by Joe Kendall of Kendall Law Group PLLC, Bryan L. Bleichner and Philip J. Krzeski of Chestnut Cambronne PA, and Alexandra M. Honeycutt of Milberg Coleman Bryson Phillips Grossman PLLC.

December 21, 2023: ESO Solutions Data Breach: 2.7 Million Individuals Affected

ESO Solutions, a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, has confirmed that it fell victim to a ransomware attack in September 2023 that resulted in file encryption. ESO Solutions identified suspicious activity within its network on September 28, 2023, and took immediate action to isolate its systems and prevent further unauthorized access to its network.

Third-party digital forensics experts were engaged to investigate the attack and determine the extent of the unauthorized activity. The forensics team confirmed on October 23, 2023, that the attackers had accessed parts of the ESO Solutions network containing the personal and protected health information of 2.7 million individuals. The information compromised in the incident included names, dates of birth, injury type, injury date, treatment date, treatment type, and, in some cases, Social Security numbers. The attack was reported to the Federal Bureau of Investigation, and ESO Solutions has worked cooperatively with the FBI during its investigation. The attackers issued a ransom demand; however, ESO Solutions was able to recover the encrypted files from backups.

ESO Solutions notified its affected customers, has been in frequent contact with them to assist with their response efforts, and offered to issue notifications to its customers’ patients on their behalf. ESO Solutions started mailing notification letters on December 12, 2023. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll.

The following healthcare organizations are known to have been affected:

  • Ascension – Ascension Providence Hospital in Waco
  • Baptist Memorial Health Care System – Mississippi Baptist Medical Center
  • CaroMont Health
  • Community Health Systems – Merit Health Biloxi & Merit Health River Oaks
  • ESO EMS Agency
  • Forrest Health – Forrest General Hospital
  • HCA Healthcare – Alaska Regional Hospital
  • Memorial Hospital at Gulfport Health System – Memorial Hospital at Gulfport
  • Providence St Joseph Health (AKA Providence) – Providence Kodiak Island Medical Center & Providence Alaska Medical Center
  • Tallahassee Memorial HealthCare – Tallahassee Memorial
  • Universal Health Services (UHS) – Manatee Memorial Hospital & Desert View Hospital
  • Valley Health System – Centennial Hills Hospital, Desert Springs Hospital, Spring Valley Hospital, Summerlin Hospital, and Valley Hospital

“Given that patient safety and personal information is at risk, organizations cannot afford to put off strengthening their cybersecurity postures. On an average day, more than 55,000 physical and virtual assets are connected to organizational networks; yet an astounding 40% of these assets are left unmonitored – leaving critical, exploitable gaps. Attackers are taking advantage of these gaps; this attack proves that improper access to one machine can mean chaos for an organization,” said Mohammad Waqas, CTO, Healthcare, of the asset intelligence cybersecurity company, Armis. “This attack also highlights the importance of educating organizations that assets incorporate more than simply hardware or medical devices. Other assets that can come under attack include virtual assets, data artifacts, personal health information, user access, among others. It’s critical for healthcare organizations to not only look at cyber risk from a vulnerability perspective, but also factor in assets supporting clinical workflows or storing patient information. By having a comprehensive view of assets, organizations can prioritize compensating controls and risk reduction tactics to help contain and mitigate cyber-attacks. Being able to monitor all assets for anomalous behaviors, connection attempts, and analyze other aspects of attempted access provides the level of visibility needed to help establish preventative policies.”

The HIPAA Journal asked Waqas about the other steps that hospitals can take to improve their defenses against ransomware attacks. “Healthcare organizations of all types must prioritize cyber exposure management to mitigate all cyber asset risks, remediate vulnerabilities, block threats and protect the entire attack surface. Security and IT pros must also consider incorporating critical strategies into their cybersecurity programs, like network segmentation, to increase healthcare cybersecurity. Segmenting a network is a massive project that can span many years, however, it is the project that will accomplish the greatest risk reduction in a healthcare environment,” explained Waqas.

“What’s key for these projects is the proper planning and understanding that a segmentation project will have multiple phases – discovery and inventory, behavioral and communication mapping, policy creation, prioritization, testing, implementation and automation. One growing trend is a risk-based prioritization approach wherein instead of a traditional method of segment lists created by manufacturer or type, organizations can achieve a much faster ROI by identifying and prioritizing the segmentation of critical vulnerable devices first to achieve maximum risk reduction upfront. Cybersecurity pros at healthcare organizations should incorporate these types of solutions and methods right away to help in preventing these types of attacks from impacting their organizations directly, and for protecting them and their patients in the wake of an attack against one of their third-party suppliers.”

The post Class Action Lawsuits Filed Against ESO Solutions Over Data Breach appeared first on HIPAA Journal.

Cardiovascular Consultants Data Breach Affects 484,000 Individuals

Cardiovascular Consultants Ltd., an Arizona-based healthcare provider with offices in Phoenix, Scottsdale, and Glendale, has recently reported a data breach to the HHS’ Office for Civil Rights that involved the protected health information of 484,000 individuals.

On September 29, 2023, Cardiovascular Consultants identified suspicious activity within its computer systems and initiated its incident response and recovery procedures. An investigation was launched and a third-party cybersecurity company was engaged to assist, which revealed that unauthorized individuals had gained access to its systems on or before September 27, 2023.

Cardiovascular Consultants has now confirmed that the hackers exfiltrated files containing sensitive data and used ransomware to encrypt files on the network. Those files were reviewed and found to contain patient data such as names, mailing addresses, birth dates, emergency contact information, Social Security numbers, driver’s license numbers, state ID numbers, insurance policy and guarantor information, diagnosis and treatment information, and other information from medical or billing records.

The data of account guarantors was also stored on the compromised parts of the network, including names, mailing addresses, telephone numbers, dates of birth, and email addresses, and also information about insurance policy holder/subscribers such as names, mailing addresses, telephone numbers, dates of birth, insurance policy information, and, in some cases, Social Security numbers.

Affected individuals were notified about the breach on December 2, 2023, and 24 months of complimentary credit monitoring, identity theft protection, and fraud resolution services have been offered to the affected individuals. Cardiovascular Consultants has confirmed that additional security measures have been implemented to improve its defenses against cyberattacks in the future.


MedStar Mobile Health Data Breach Settlement Proposed

A settlement has been proposed by the Metropolitan Area EMS Authority to resolve a class action lawsuit that was filed by individuals affected by a 2022 cyberattack and data breach. Metropolitan Area EMS Authority is a Fort Worth, TX-based operator of an emergency and non-emergency ambulance service and does business as MedStar Mobile Healthcare. On October 20, 2022, unauthorized network activity was discovered, and the forensic investigation revealed unauthorized individuals had accessed parts of its network where patient data was stored. The hackers were able to access the protected health information of 612,000 individuals, including names, contact information, dates of birth, and limited medical information. The affected individuals were notified on December 19, 2022.

A class action lawsuit – Kaether v. Metropolitan Area EMS Authority d/b/a MedStar Mobile Healthcare – was filed in Texas District Court in response to the breach that alleged negligence for failing to secure sensitive patient data. The lawsuit also alleged breach of implied contract, negligence per se, breach of fiduciary duty, public disclosure of private facts, and unjust enrichment. Metropolitan Area EMS Authority chose to settle the lawsuit with no admission of liability or wrongdoing and will make an unspecified sum available to cover claims from individuals affected by the data breach, including a subclass of individuals who had HIPAA-covered protected health information exposed.

Under the terms of the settlement, individuals who were notified about the breach who have experienced unreimbursed out-of-pocket losses that are reasonably traceable to the data breach may submit claims for up to $3,000 to cover the losses, including travel expenses, long-distance phone calls, bank fees, credit costs, and any unreimbursed expenses and monetary losses from identity theft or fraud. Members of the HIPAA subclass may also claim up to four hours of lost time at $20 per hour. Claims must be accompanied by documented evidence that losses have been experienced. All class members will be entitled to a complimentary 12-month membership to a single-bureau credit monitoring service which includes a $1 million identity theft insurance policy. Metropolitan Area EMS Authority has also agreed to implement additional cybersecurity measures to better protect the sensitive data it stores and is providing its workforce with additional security awareness training. Measures that will be implemented by the end of the year include multifactor authentication and disabling Outlook Anywhere.

Individuals wishing to object to the settlement, or exclude themselves from it, must do so by January 24, 2024, and claims must be submitted no later than February 23, 2024. The final fairness hearing has been scheduled for April 3, 2024. The plaintiff and class members were represented by Joe Kendall of the Kendall Law Group PLLC and Gary M. Klinger and Alexander Wolf of Milberg Coleman Bryson Phillips Grossman PLLC.


Horizon Actuarial Services Proposes $8.73M Settlement to Resolve Class Action Data Breach Lawsuit

Horizon Actuarial Services has proposed an $8.73 million settlement to resolve all claims related to a hacking incident and data breach that affected 227,953 individuals. Horizon Actuarial Services was contacted by a cyber actor in November 2022 who claimed to have stolen sensitive data in a cyberattack. The investigation confirmed that there had been unauthorized access to two servers between November 10 and 11, 2021. The data stolen in the attack included names, dates of birth, Social Security numbers, and health plan information. Horizon Actuarial Services negotiated with the cyber actor and made a payment to prevent the stolen data from being sold, published, or misused.

A lawsuit – Sherwood, et al. v. Horizon Actuarial Services LLC – was filed in the U.S. District Court for the Northern District of Georgia on behalf of individuals affected by the data breach, alleging that Horizon Actuarial Services had failed to implement reasonable and appropriate measures to protect the sensitive data stored on its servers. Horizon Actuarial Services has not admitted any wrongdoing but chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, an $8,733,446.36 fund will be established to cover claims from individuals who have experienced unreimbursed losses as a result of the data breach.

Class members may submit claims for reimbursement for up to $5,000 to cover out-of-pocket expenses reasonably traceable to the data breach and up to 5 hours of lost time at $25 per hour. All claimants can submit a claim for a $50 payment, and individuals who were California residents at the time of the data breach will be able to claim an additional $50 ($100 in total). The payments may be lower depending on the number of claims and will be paid pro rata.

Individuals wishing to object to or exclude themselves from the settlement must do so by January 22, 2024. Individuals wishing to submit a claim must do so by February 21, 2024. A final approval hearing has been scheduled for March 25, 2024. The plaintiffs and class members were represented by Terence R Coates of Markovits Stock & Demarco LLC, Gary M Klinger of Milberg Coleman Bryson Phillips Grossman PLLC, and Kenya J Ready of Morgan & Morgan.
