HIPAA Breach Lawsuits

Almost as surely as summer follows spring, lawsuits follow breaches of protected health information. Here’s a roundup of recent HIPAA breach lawsuits and settlements.

Lawsuits Increasing Following HIPAA Breaches – Facts and Figures

The law firm BakerHostetler published its annual Data Security Incident Response Report based on findings from 1,270 data security incidents managed by the firm in 2021.

Highlights included:

  • 23% of all incidents affected healthcare organizations – the most targeted sector of the economy
  • 35% of healthcare breaches involved ransomware attacks, vs. 20% in 2020
  • The average ransomware payment for healthcare was $875,784, about one-third less than the 2020 payment
  • 82% of ransomware attacks claimed to have removed data before encryption
  • The average number of patient notifications was 81,679

The firm also noted a trend of increased lawsuit filings, and of multiple filings within the same jurisdiction, whether federal or state. From the pool of 1,270 incidents, 58 data breach lawsuits were filed in relation to 23 incidents, including three involving breaches affecting 8,000 or fewer individuals. Healthcare organizations were the defendants in 43 of the lawsuits.

Partnership Health Plan (California)

Partnership Health Plan in Northern California was the victim of a cyberattack by the Hive ransomware group. The cybercriminals stole more than 400GB of data before encrypting the organization’s files on March 19, 2022.

A pair of California law firms have filed a class-action lawsuit on behalf of an anonymous plaintiff “John Doe” and others affected by the breach. The lawsuit alleges the healthcare organization was negligent for failing to implement and maintain appropriate cybersecurity measures to prevent ransomware attacks and data breaches. The lawsuit further states that warnings had been issued to the healthcare sector about the threat of Hive ransomware attacks as early as June 2021.

The breach impacts the protected health information (PHI) of as many as 850,000 individuals. More plaintiffs are expected to join the suit following Partnership’s issuance of breach notification letters. No damages have been claimed, but the lawsuit requests a jury trial.


Oregon Anesthesiology Group

Oregon Anesthesiology Group in Portland, OR, faces a class-action lawsuit after a data breach affected the protected health information of more than 750,000 patients. On July 3, 2021, the organization was victimized by a cyberattack from the HelloKitty ransomware group based in Ukraine. Affected persons received notification letters in December 2021.

On April 7, 2022, attorneys filed a lawsuit on behalf of an individual who claims to have identified suspicious activity in his bank account. The suit seeks class-action status and alleges that OAG was negligent in failing to protect the sensitive data of at least 750,000 individuals. It further alleges that the five-month delay in issuing notification letters violated Oregon law, which requires notification letters to be issued within 60 days of the discovery of a breach.

HIPAA regulations also require notification of affected individuals within 60 days of the discovery of a breach if the breach affects more than 500 individuals. An exception to the rule may apply if notification was delayed at the direction of authorized law enforcement officials as part of an active investigation.

SuperCare Health (California)

SuperCare Health, Inc. of California was hit with a third proposed class-action lawsuit following a breach affecting more than 300,000 current and former patients.

The suit includes allegations of negligence, breach of implied contract, invasion of privacy, and violations of the California Confidentiality of Medical Information Act. The complaint further alleges that the affected patients have suffered anxiety and loss of time and now face a substantial risk of fraud and identity theft due to this data breach.

Two of the cases have been filed in the U.S. District Court for the Central District of California, and one has been filed in the U.S. District Court for the District of Nevada.

South Shore Hospital (Chicago)

Three patients have filed suit against South Shore Hospital in Chicago, IL, following a December cyberattack that exposed the protected health information of more than 115,000 patients. The lawsuits allege that the hospital failed to protect patient data adequately.

The attackers accessed files containing patients’ and employees’ first and last names, addresses, dates of birth, Social Security numbers, financial information, health insurance information, medical information, diagnoses, health insurance policy numbers, and Medicare and Medicaid information.

The hospital has provided those affected with a 12-month membership to credit monitoring services, a $1 million identity-theft reimbursement insurance policy, and access to identity theft recovery services if necessary.

The hospital has also pledged to implement additional security controls, such as enforcing more robust password requirements, enabling multi-factor authentication, and creating more training surrounding data privacy and security for the hospital’s employees.

Solara Medical Supplies Settlement (California)

Preliminary approval has been granted for a proposed $5+ million class-action settlement following a data breach at Solara Medical Supplies of California that exposed the data of more than 114,007 individuals after an email phishing cyberattack. The company provides medical devices, disposable medical products, and registered pharmacy services directly to consumers.

Four class-action lawsuits were consolidated into a single suit, and the proposed settlement does not include any admission of wrongdoing by Solara.

Under the settlement terms, Solara has agreed to pay $5,060,000 to cover claims from the plaintiffs and class members and will take steps to improve data security to prevent further security breaches. Solara will pay the six plaintiffs named in the lawsuits $4,000 each, and all class members who file timely claims will receive $100, plus a pro-rated payment of up to $1,000 if any funds remain in the fund after the $100 cash payments have been made. The settlement amount includes $2.3 million in attorneys’ fees. Any funds remaining will be donated to the Juvenile Diabetes Research Foundation.

Solara has also agreed to undergo a SOC 2 Type 2 audit for each of the next two years, to be repeated until it is passed; to engage an independent third party to perform a HIPAA IT assessment; to conduct at least one cybersecurity incident response test a year; and to undergo third-party phishing and external-facing vulnerability tests at least twice a year.

Solara Medical will also implement a security information and event management (SIEM) tool with a 400-day lookback on activity logs. These remedial actions, or improved versions of them, will be maintained for three years.
