Great Valley Cardiology Sued over 181,000-Record Data Breach
Great Valley Cardiology (GVC), a Commonwealth Health cardiology group, is facing a lawsuit over a recently reported security breach in which hackers gained access to GVC's computer network and the protected health information (PHI) of 181,764 individuals.
GVC discovered the breach on April 13, 2023, but the forensic investigation determined that the hackers had first gained access to its systems roughly two months earlier, on February 2, 2023. A review of the files that may have been viewed or stolen confirmed that they contained PHI such as names, health information, Social Security numbers, debit/credit card details, and bank account information. Affected individuals did not begin receiving notifications until June 12, 2023, because of the time needed to identify everyone affected and verify contact details before the notification letters could be mailed. Affected individuals were offered two years of complimentary credit monitoring and identity theft protection services.
Attorney Andrew W. Ferich of the law firm Ahdoot & Wolfson, PC filed the lawsuit in Lackawanna County Court against Commonwealth Health Physician Network, also known as Great Valley Cardiology and Scranton Cardiovascular Physician Services LLC. The plaintiffs are Michele Jarrow and similarly situated individuals whose PHI was compromised in the breach.
The defendants have not found any evidence that patient data has been misused as a result of the breach; nevertheless, the lawsuit argues that the data was exposed and that there is no way to ensure the compromised data will not be misused in the future. The plaintiff and class members must therefore spend time and money protecting themselves against fraud and identity theft for years, and possibly for the rest of their lives. The plaintiff states that her security software alerted her that her personal information had been published on the dark web, where cybercriminals could access it.
In addition to the failure to prevent the breach, the lawsuit takes issue with the delay in notifying affected individuals. Notification letters were sent two months after the breach was discovered and four months after it occurred, which the lawsuit claims compounded the potential harm. The lawsuit asserts claims of negligence, breach of contract, breach of fiduciary duty, and unjust enrichment, and seeks class action status, a jury trial, damages, and attorneys' fees.
Lawsuits are frequently filed after healthcare data breaches; however, plaintiffs are usually only granted Article III standing when they can show they have suffered an actual injury. Lawsuits that only allege a potential risk of future harm from a security breach are generally denied standing, even where the stolen information has been published on the dark web.
Onix Group Sued over Ransomware Attack and Data Breach
On March 27, 2023, Onix Group became aware of a ransomware attack on its network. A forensic investigation subsequently determined that hackers had unauthorized access to its internal network from March 20 to March 27, 2023, and during that period exfiltrated files containing sensitive employee, client, and affiliate data. The compromised data included patient names, dates of birth, clinical information, and Social Security numbers of individuals under the care of Onix Group's healthcare clients, as well as employees' direct deposit details and health plan enrollment information. The affected healthcare clients were Physicians Mobile X-Ray, Addiction Recovery Systems, and Cadia Healthcare.
The lawsuit, Eric Meyers v. Onix Group LLC, was filed in the U.S. District Court for the Eastern District of Pennsylvania and asserts negligence per se, negligence, breach of fiduciary duty, breach of implied contract, and unjust enrichment. It alleges that Onix Group had a legal duty to implement adequate and effective safeguards to protect the confidentiality of the data it stored, and breached that duty by keeping the information in a vulnerable condition. The lawsuit further alleges that Onix Group unreasonably delayed issuing breach notifications by two months. Although Onix Group offered affected individuals 12 months of complimentary credit monitoring, the lawsuit contends that the offer is inadequate because the plaintiff and class members face a long-term risk of identity theft and fraud from the theft of their sensitive information.
The lawsuit seeks class action status and a jury trial, along with compensatory damages and injunctive relief. It also asks the court to order Onix Group to stop the alleged wrongful and unlawful practices and to implement and maintain robust cybersecurity measures. The requested measures include the development, implementation, and maintenance of a comprehensive data security program; third-party security audits and penetration tests; encryption of data; additional IT security training for all employees, including testing of their security awareness; changes to its data retention policies; and an end to storing personally identifiable information (PII) and protected health information (PHI) in cloud storage.
Milberg Coleman Bryson Phillips Grossman, PLLC; Sanford Law Firm, PLLC, and Chestnut Cambronne, PA represent the plaintiff and class members.
HIPAA Business Associate to Pay $75,000 Fine for Keeping ePHI on an Unsecured Server
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle potential HIPAA violations by iHealth Solutions, LLC for $75,000.
Business associate iHealth Solutions, also known as Advantum Health, failed to secure one of its servers against unauthorized access, which allowed the exfiltration of files containing the electronic protected health information (ePHI) of 267 individuals. The enforcement action shows that OCR investigates even relatively small data breaches and may impose financial penalties for them: the last three OCR settlements of HIPAA violations all involved data breaches affecting fewer than 500 individuals.
Like many HIPAA-regulated entities investigated by OCR following a data breach, iHealth Solutions was found to be non-compliant with one of the core provisions of the HIPAA Rules: risk analysis. Every HIPAA-regulated entity is required to conduct an accurate and thorough, organization-wide risk analysis to identify all potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. §164.308(a)(1)(ii)(A).
On August 22, 2017, OCR received a breach report stating that the ePHI of 267 individuals had been stolen from an unsecured server on May 2, 2017. OCR determined that iHealth Solutions had impermissibly disclosed ePHI (45 C.F.R. §164.502(a)) and had failed to conduct an accurate and thorough risk analysis, and imposed the financial penalty on that basis.
Aside from the financial penalty, iHealth Solutions is required to adopt a corrective action plan that includes the following:
- conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of iHealth's ePHI
- implement a risk management plan to address and mitigate all security risks and vulnerabilities identified in the risk analysis
- develop a process to evaluate any environmental or operational changes that affect the security of iHealth's ePHI
- develop, maintain, and revise, as necessary, written policies and procedures to ensure compliance with the HIPAA Privacy and Security Rules.
iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Rules.
This is the seventh OCR enforcement action of 2023 to result in a financial penalty, and the third that OCR has announced this month. So far in 2023, OCR has collected a total of $1,976,500 in penalties from HIPAA-regulated entities to settle violations of the HIPAA Rules.