Fallout Mounting From Recent Major Health Data Hacks

Cybercrime, Fraud Management & Cybercrime, Governance & Risk Management

Post-Breach List of Affected Individuals Growing; More Lawsuits Filed

Breach reports and lawsuits continue to pile up in some major health data hacks first reported months ago. (Image: Getty)

Fallout is mounting, and new developments are emerging in several high-profile health data hacks. Data breaches reported in recent weeks and months by medical transcription vendor Perry Johnson and Associates, hospital chain Prospect Medical Holdings and law firm Orrick, Herrington & Sutcliffe LLP are affecting a growing list of clients and individuals – and triggering lawsuits.

PJ&A reported its incident to federal regulators in November as affecting nearly 9 million individuals. And since then, other PJ&A clients have disclosed breaches related to the hack. Among the most recent is Missouri-based North Kansas City Hospital and its Meritas Health Corp. subsidiary, which reported on Jan. 3 to the U.S. Department of Health and Human Services that the PJ&A hack had affected more than 502,000 of its patients.

Several other entities – including MercyHealth and Salem Regional Medical Center, both based in Ohio – also recently posted notices on their websites saying that they are among PJ&A clients affected by the Nevada-based medical transcription firm’s data theft hack, which occurred between March 27 and May 2, 2023. Neither of those two entities has yet publicly disclosed how many of their patients were affected.

Meanwhile, lawsuits continue to pile up against PJ&A involving the hack. As of Tuesday, the company – and in many cases its affected clients as co-defendants – face nearly three dozen proposed class action lawsuits in various federal courts across the country.

PJ&A did not immediately respond to Information Security Media Group’s request for comment on the incident and the lawsuits.

PJ&A and its clients are not alone in dealing with mounting data breach woes.

The impact of a ransomware attack last August on California-based hospital chain Prospect Medical Holdings also continues to expand.

As a business associate, Prospect reported the hacking incident to HHS OCR in September as a breach affecting 342,376 individuals. But since then, Prospect has updated the breach notices posted on its website to reflect additional entities also affected by the incident.

The most recent update on Prospect’s website lists nearly three dozen health plans whose members were affected by the hack.

Those health plans include AHMC Healthcare Inc., Astiva Health Plan, Brand New Day, CAL-Optima, Care First, Central Health Plan, Citizen Choice Health Plan, Clever Care, Community Health Plan, Connecticare, Easy Choice, Gold Kidney Health Plan, Golden State Senior, Great West Healthcare, Health Net, Imperial Health Plan, Inland Empire, Intervalley, Keystone First, LA Care, MD Care Health Plan, Once Care, Pacificare, Prudential HMO, Secure Horizons, United Health Plan, United Healthcare, Universal Care, and Wellcare.

In that updated notice, Prospect said the security incident had affected information pertaining to members of health plans to which Prospect Medical or its subsidiaries, including Prospect Medical Systems LLC, provide administrative services.

Prospect said it began notifying those affected health plan members on Nov. 28.

In mid-November, Prospect issued an updated breach notice saying the cybersecurity incident also had affected its ECHN Medical Group in Connecticut and several hospitals in the northeast, including Crozer-Chester Medical Center in Upland, Delaware County Memorial Hospital in Drexel Hill, Taylor Hospital in Ridley Park, Springfield Hospital in Springfield and Community Hospital in Chester.

Hackers from the Rhysida ransomware-as-a-service group claimed responsibility for an attack on Prospect Medical that forced the hospital chain’s IT systems to go offline for several weeks following the Aug. 1 discovery of the intrusion (see: California Hospital Chain Facing Ransom, Service Disruption).

The incident also led to other complications for Prospect. Yale New Haven Health – which had planned to acquire Prospect’s Waterbury and ECHN hospitals – said in the aftermath of the attack that it was reconsidering the purchase due to several reasons, including the deteriorating financial and other conditions at Waterbury and ECHN hospitals that had worsened after the cyberattack (see: Some Prospect Medical Hospitals in Dire State, Post-Attack).

But on Tuesday in a statement to ISMG, Yale New Haven Health said it was still hoping to salvage the deal.

“We continue to meet with all parties, including the Connecticut Office of Health Strategy and Prospect CT, to bring the transaction to a successful conclusion,” Yale New Haven Health said.



Prospect did not immediately respond to ISMG’s request for comment.

San Francisco-based law firm Orrick on Dec. 29 updated for the third time the number of individuals affected by a March hacking incident that affected several of its clients, including Delta Dental of California. Orrick submitted a breach report to Maine’s attorney general just as 2023 was winding down, saying the hack had affected 637,620 individuals, including 830 Maine residents.

Orrick first reported the hacking incident to HHS’ Office for Civil Rights on June 30 as a HIPAA breach affecting about 41,000 individuals. The firm then reported the incident to Maine regulators in July as affecting a total of 152,818 people and then updated that estimate again in August to 461,100, before its most recent report that pushed the tally up another nearly 177,000 people (see: Law Firm Hack Affects Victims of an Earlier Breach Again).

On Dec. 21, Orrick filed in the U.S. District Court for the Northern District of California a notice of a proposed settlement to “stay” pending litigation involving the hacking incident.

The proposed agreement, for which details have not been publicly released, settles four proposed consolidated class action lawsuits filed against the firm in the wake of the hacking incident.

“We regret the inconvenience and distraction that this malicious incident caused,” Orrick said in a statement to ISMG on Tuesday regarding the settlement.

“We made it our priority to resolve it as quickly as possible for our clients, the individuals whose data was impacted, and our team. We are pleased to reach a settlement well within a year of the incident, which brings this matter to a close, and will continue our ongoing focus on protecting our systems and the information of our clients and our firm.”

So why do the tallies of affected individuals and clients often climb in major health data breaches long after the incidents are first reported? Several factors come into play, experts say.

“When an organization discovers it has been breached, it immediately begins a containment and eradication process,” said Wendell Bobst, a partner at consulting firm tw-Security. “Getting systems back online to restore revenue and image are usually C-suite top objectives. Knowing what evidence to preserve and retain can take a back seat at the moment,” he said.

Another factor often relates to the assumption made about the extent of the impact and the determination of harm, Bobst said. “Some records may only contain name and address, while others may include Social Security number, date of birth, etc. The legal and notification processes begin. Meanwhile, forensics experts continue to look for clues, which may include the discovery of additional databases, reports/extracts and spreadsheet reports over the previous years.”

Finally, often organizations reporting suspicious activity begin looking to their third parties for answers, he said.

“The scope of the breach may get larger as the investigation continues. For example, initially it may be thought that only one or a few systems were accessed in an unauthorized manner, then it is discovered more were accessed,” Bobst said.

“This is especially true in cases where organizations do not have robust audit logging or have short log retention periods, hampering efficient investigation.”