A Florida healthcare group has settled a class-action lawsuit after thieves stole more than 447,000 patients' names, Social Security numbers, and sensitive medical information from its systems.
Under the settlement [PDF], Orlando Family Physicians, which operates 10 clinics in central Florida, will reimburse affected patients who submit a claim by July 1, and provide them with two years of free credit monitoring. Depending on what type of private data the crooks stole, patients may receive up to $225 or, for those whose SSNs were swiped, up to $7,500.
Also under the settlement, the physicians group does not admit any culpability for the data heist.
The theft occurred in April 2021 after criminals gained access to four employees’ email accounts via a phishing scam, according to court documents [PDF].
Orlando Family Physicians said it “immediately” took steps to contain the intrusion and hired a “leading” security shop to determine the scope of the intrusion.
A few months later, the health group posted a notice on its website and sent letters to individuals whose personal information was exposed.
This included names; demographic information; health information, including diagnoses, providers and prescriptions; health insurance information, including legacy Medicare beneficiary number derived from the individual’s Social Security number or other subscriber identification number; medical record numbers; patient account numbers; and passport numbers.
“However, the available forensic evidence indicates that the unauthorized person’s purpose was to commit financial fraud against OFP and not to obtain personal information about the affected individuals,” the physicians group said at the time.
OFP also reported the crime to the US Department of Health and Human Services, and said it potentially affected 447,426 individuals.
The group declined to comment to The Register about the settlement.
Is your PII worth $225? Or $7,500?
And now, those hundreds of thousands of individuals whose personal information likely ended up for sale on a hacking forum are eligible for a payout, after the attorneys take their cut, natch. The total amount of the settlement remains undisclosed.
There are two tiers of class members who may benefit financially. The first, those who incurred out-of-pocket expenses because of the theft, can submit a claim for up to $225 for documented costs. This includes costs related to freezing or unfreezing credit reports and paying for credit monitoring services, or anything related to communicating with banks about the incident: notary, fax, postage, copying, mileage, and long-distance telephone charges.
These individuals can also submit a claim for up to three hours of time lost due to the security breach at a rate of $25 per hour.
The second tier comprises those whose Social Security numbers were stolen. These individuals can submit a claim for up to $7,500 for documented cases of identity theft, falsified tax returns, or other types of fraud that can be traced to the original hack.
They can also claim up to eight hours of lost time at $25 per hour.
The settlement comes as cybercriminals — especially ransomware gangs — step up their attacks against hospitals and healthcare companies, and the attorneys have followed with multiple class-action lawsuits.
Last month, California’s Regal Medical Group sent notification letters to more than three million patients alerting them that crooks may have stolen a ton of their sensitive health and personal information during a ransomware infection in December.
At least four class-action lawsuits have since been filed against that medical conglomerate.
Earlier this week, a cancer patient whose nude medical photos and personal records were posted online after they were stolen by a ransomware gang sued her healthcare provider for allowing the "preventable" and "seriously damaging" leak.
The proposed class-action lawsuit stems from a February intrusion during which the BlackCat malware crew broke into one of Lehigh Valley Health Network's physician networks, stole images of patients undergoing radiation oncology treatment along with other sensitive health records belonging to more than 75,000 people, and then demanded a ransom payment to decrypt the files and to refrain from posting the health data online. ®