Trinity Health Class Action Lawsuit, Russian LockBit Affiliate Arrested and Kaiser Permanente Mailing Error

21,000-Record Data Breach Prompts Trinity Health Class Action Lawsuit

The U.S. District Court for the Southern District of Iowa filed a class action lawsuit against Trinity Health, Mercy Medical Center – Clinton, and Mercy Health Network in relation to a cyberattack and data breach that impacted 21,000 individuals.

Trinity Health based in Livonia, MI manages Mercy Health Network and Mercy Medical Center – Clinton in Iowa. It reported encountering a cyberattack on April 4, 2023, which the forensic investigation confirmed. Hackers had acquired access to systems that contain patients’ protected health information (PHI) from March 7, 2023 to April 7, 2023. The following information was exposed and possibly stolen during the attack: names, dates of birth, addresses, Social Security numbers, diagnosis codes, treatment data, prescription details, and service/discharge dates. Trinity Health provided free credit monitoring services to the affected patients for one year.

The lawsuit filed on behalf of plaintiff Jennifer Medenblik on June 12, 2023 claims the defendants were unable to protect the sensitive information of patients and protect its systems from attacks, which made it possible for hackers to obtain access to its system and the PHI of 21,000 patients and stay unnoticed inside its systems for 30 days. The lawsuit alleges Health Insurance Portability and Accountability Act (HIPAA) Security Rule violations, and a failure to comply with healthcare sector best practices for securing sensitive information and Federal Trade Commission (FTC) rules.

Trinity Health advised impacted patients regarding the attack; nevertheless, the lawsuit states that the breach notifications were not enough, and did not give the required assistance. The lawsuit likewise alleges that the defendants did not provide sufficient assurances to patients that the affected information has been retrieved or removed nor that enough cybersecurity steps were executed after the data breach to avoid more security breaches down the road.

The 8-count lawsuit – Medenblik v. Trinity Health Corporation et al, consists of the following allegations: breach of contract, negligence, and breach of confidence, and asserts the plaintiff and class members have been hurt and are at an impending, immediate, and ongoing increased risk of experiencing ascertainable losses. The lawsuit wants a jury trial, a class action status, compensation for damages, and funds to pay for a lifetime membership to credit monitoring services and identity theft insurance coverage for the plaintiff and class members.

Russian National Detained and Indicted for LockBit Ransomware Attacks

A Russian was detained in Arizona and indicted for the LockBit ransomware attacks and other cyberattacks in Asia, Africa, the United States, and Europe since 2020. 20-year-old Magomedovich Astamirov from the Chechen Republic in Russia is purported to have carried out no less than 5 LockBit ransomware attacks in the U.S. and other nations as a LockBit ransomware-as-a-service (RaaS) operation affiliate. LockBit is presently the most popular ransomware variant and is employed to extort about $91 million from American companies since 2020.

Based on the Department of Justice, since August 2020, Astamirov had worked together with other LockBit RaaS operation members to deliberately damage secured computers, execute wire fraud, and use ransomware to extort funds from organizations. HE is charged for directly carrying out no less than 5 attacks in the United States and overseas. Astamirov had, managed, and utilized a number of IP addresses, email addresses, and other online service provider accounts to use ransomware and contact his victims and co-conspirators. In one attack, law enforcement was able to trace the payment of a victim in an account controlled by Astamirov.

Astamirov is accused of conspiracy to conduct wire fraud and conspiracy to deliberately damage protected computer systems and to send ransom demand letters. Astamirov is facing up to 20 years of jail term for the charge of conspiracy to commit wire fraud and a up to 5 years imprisonment for the charge of deliberately damaging protected computers. Additionally, every charge holds up to a $250,000 penalty or two times the gain or loss from the crime, whichever is higher.

Astamirov is the third LocBit affiliate who is charged regarding the cyberattacks in the U.S., and the second arrested LockBit affiliate. The other two persons are Russian-Canadian nationals Mikhail Vasilev and Mikhail Pavlovich Matreev. Vasilev is now arrested in Canada and waiting for extradition to the U.S. to deal with the charges. Pavlovich Matreev remains free and is charged with executing Babuk, LockBit, and Hive ransomware attacks on United States targets.

Kaiser Permanente to Pay $450,000 for CMIA Violations Caused by Mailing Error

The California Department of Managed Care (CDMC) fined Kaiser Permanente the amount of $450,000 for impermissible disclosure of the PHI of around 167,095 health plan members. From October 2019 to December 2019, Kaiser Permanente sent to health plan enrollees 337,755 mailings; but, a problem in its electronic medical record system update ended in sending some mailings to out-of-date addresses.

Eight individuals contacted Kaiser Permanente and said they had opened the mailings but noticed that they were not the supposed recipients. Kaiser Permanente got back 1,788 unopened packets sent by the recipients who noticed the packets were delivered to the wrong addresses. There were 167,095 mailings sent to enrollees and there is no assurance that the intended recipients received those mailings, which suggests the potential impermissible disclosure of thousands of enrollees’ PHI.

CDMC looked into the reported breach and confirmed there was an unauthorized disclosure of health data and negligent safekeeping or disposal of health data, which are a violation of the California Confidentiality of Medical Information Act (CMIA). Kaiser Permanente knew about the problem in its electronic medical record system on November 11, 2019 but was only able to stop the mailings on December 20, 2019, which is 39 days after discovering the problem. Because of that inability to do something, 175,000 more mailings were likely dispatched to the wrong addresses.

Besides the financial charges, Kaiser Permanente has consented to implement corrective actions to stop more similar data breaches, which include making updates to its software programs, performing regular checkups to verify addresses are updated, and system inspections to make sure it is utilizing the latest physical and/or mailing addresses. Kaiser Permanente will additionally work together with its call center staff to verify address details, will alert all impacted persons, and will give refresher training to its employees on the legal requirements of the Health Insurance Portability and Accountability Act (HIPAA) regarding the security of PHI.

DMHC Director Mary Watanabe states that health plans need to safeguard the privacy of enrollee information and preserve and dispose of medical data properly. Kaiser Permanente made a decision to undertake corrective actions to keep consumers’ sensitive data safe and make sure this does not occur again.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone