Reventics Facing Class Action Lawsuit Over Royal Ransomware Attack and Data Breach
Revenetics is facing a class action lawsuit over its December 2022 cyberattack and data breach that affected more than 250,000 individuals. Revenetics is a revenue cycle management company that provides its software solutions to many healthcare providers. On December 15, 2023, Revenetics detected a system intrusion and confirmed on December 27, 2022, that the attackers exfiltrated files that included names, dates of birth, clinical information, financial information, procedure and service codes, and healthcare provider and health plan names.
The Royal ransomware group claimed responsibility for the attack and issued a ransom demand to prevent the publication of the 16GB of data allegedly stolen in the attack. The Royal ransomware group is known to target healthcare organizations and typically exfiltrates data and then issues ransom demands of between $250,000 and $2 million to prevent the publication of the stolen data. When ransoms are not paid, the group published the stolen data on its data leak site. In February 2023, Royal started to publish Revenetics data on its data leak site.
The law firm Cole & Van recently filed a lawsuit in the U.S. District Court for the District of Colorado on behalf of plaintiff Paula Henderson and similarly affected individuals, alleging Revenetics was negligent for failing to implement adequate and reasonable measures to safeguard the personal and protected health information of patients. As a result of that negligence, the lawsuit claims the plaintiff and class members have suffered injury and harm such as anxiety, emotional distress, loss of privacy, and economic and non-economic losses and that their PHI is now in the hands of criminals, which means they face an imminent and elevated risk of identity theft, fraud, and abuse.
In addition to negligence, the lawsuit alleges a breach of implied contract and a breach of the implied covenant of good faith and fair dealing. The lawsuit seeks class action status, a jury trial, an award of actual, nominal, and consequential damages, equitable relief, and injunctive relief, including a court order requiring Revenetics to encrypt sensitive data, comply with applicable regulations and industry standards for data security, implement and maintain a comprehensive information security program, segment data, conduct regular database and security checks, provide regular security awareness training to employees, submit to third-party security audits, and conduct penetration tests on a regular basis.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy