Cardiovascular Consultants in Arizona has settled a class action lawsuit stemming from a 2023 data breach involving the protected health information of 484,000 individuals. The data breach was detected on September 29, 2023, and the forensic investigation determined that a hacker had gained access to its network two days previously. Files containing patient information were exfiltrated before ransomware was used to encrypt files.

The compromised files contained patient and guarantor information, including names, mailing addresses, birth dates, emergency contact information, Social Security numbers, driver’s license numbers, state ID numbers, insurance policy and guarantor information, diagnosis and treatment information, and other information from medical or billing records. Notification letters were mailed on December 2, 2023.

A class action complaint was filed in December 2023 by plaintiffs Michele Stroup and Georgios Asimakopoulos, and additional plaintiffs later joined the litigation as class representatives. The defendant denied all claims in the lawsuit and sought to have the lawsuit dismissed. That attempt was only partially successful, with a judge granting and denying the motion to dismiss in part. An amended complaint – Stroup, et al. v. Cardiovascular Consultants Ltd. – was filed, which is pending in the Superior Court of the State of Arizona, County of Maricopa.

The lawsuit alleged that the defendant failed to implement reasonable security protections to safeguard its information systems and databases, and that the handling of the data breach was deficient, with notifications unreasonably delayed. The lawsuit asserted claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of fiduciary duty, violation of the Arizona Consumer Fraud Act, and invasion of privacy, all of which were denied by the defendant.

Following mediation, a settlement was agreed that was acceptable to all parties, allowing them to avoid further litigation costs and the uncertainty of a trial. Under the terms of the settlement, Cardiovascular Consultants has agreed to establish a $3,850,000 settlement fund to cover all costs associated with the litigation, including attorneys’ fees and expenses, notice and administration costs, and service awards for the class representatives.

The remainder of the settlement fund will be used to pay benefits to the class members. Class members may claim two years of medical monitoring plus one or two cash payments – a claim for reimbursement of documented, unreimbursed out-of-pocket losses up to a maximum of $5,000 per class member and/or a pro rata cash payment, which is estimated to be $75 per class member, but may be higher or lower depending on the number of valid claims received.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 18, 2026. Individuals wishing to object to the settlement or exclude themselves must do so by June 1, 2026. The deadline for submitting a claim is July 1, 2026.

The post Cardiovascular Consultants Pays $3.85M to Settle Data Breach Litigation appeared first on The HIPAA Journal.

Iowa Attorney General Brenna Bird has filed a lawsuit against Change Healthcare, UnitedHealth Group, and Optum over the February 2024 ransomware attack that resulted in the theft of the electronic protected health information of 192.7 million Americans, including 2.2 million Iowans.

AG Bird accuses the defendants of making false representations about their cybersecurity practices and systems before and after the cyberattack. AG Bird claims the defendants played down the seriousness of the incident in the February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC), which stated that a suspected nation state actor had gained access to some of its information systems and that the affected systems had been isolated.

AG Bird said what was described as a relatively benign isolation of systems was in fact the largest healthcare data breach in U.S. history, and one of the largest data breaches of any kind in the United States. “The breach and subsequent shutdown of services, without warning and without adequate backup and redundancies, was so great that it sent the entire U.S. healthcare system into a virtual meltdown,” AG Bird stated in the lawsuit.

Cybercriminals have long targeted U.S. healthcare organizations, and given the high volume of attacks, the defendants should have known that they would be a huge target for cybercriminals, given the volume of sensitive data that flowed through Change Healthcare’s systems and the impact a ransomware attack would have. Despite this, AG Bird alleged that the measures implemented were insufficient and did not match the standards claimed by the defendants. AG Bird alleged that the Change Healthcare cyberattack and data breach “occurred because Change’s systems were insecure, outdated, and lacked appropriate segmentation and redundancies—in violation of Change’s advertised practices, company policies, federal privacy requirements, and basic standards of enterprise information security.”

According to the lawsuit, following a Congressional inquiry into the incident, and over the course of many months, “it became clear that defendants materially misrepresented the quality and characteristics of their cybersecurity systems to Iowans and to Iowa healthcare providers, in violation of Iowa law.” In addition to failing to adequately secure its systems and sensitive data, AG Bird took issue with the time taken to notify the affected individuals, some of whom only learned that their data had been compromised 20 months after their data was stolen.

The lawsuit asserts claims of violations of the Iowa Consumer Fraud Act, Iowa Code, and the Personal Information Security Breach Protection Act. The lawsuit seeks civil monetary penalties of $40,000 per violation of Iowa Code § 714.16(7), civil penalties of $5,000 for each violation of the Iowa Consumer Fraud Act, for all moneys or property acquired in violation of the Iowa Consumer Fraud Act to be disgorged to the Attorney General, and awards of damages on behalf of all persons injured due to the violations of the Iowa Personal Information Security Breach Protection Act. Further, the lawsuit seeks to enjoin the defendants from continuing to commit further unlawful practices pursuant to Iowa Code.

The post Iowa AG Sues Change Healthcare Over 2024 Ransomware Attack appeared first on The HIPAA Journal.