Physician Practices to Pay $50 Million to Resolve Cyberattack Lawsuits


2022 Ransomware Attack, Data Theft Affected 3.4 Million Patients

Regal Medical Group is among nine physician practices affiliated with Heritage Provider Network paying nearly $50 million to settle litigation involving a 2022 hacking incident affecting 3.4 million patients. (Image: Regal Medical Group)

A group of nine physician practices in California has agreed to pay nearly $50 million to settle class action litigation over a December 2022 ransomware attack that compromised data for over 3.4 million patients. The plaintiffs claimed that their personal information was exposed on the dark web.


This settlement involves practices affiliated with the Heritage Provider Network, a major physician-owned healthcare entity based in Marina Del Rey, California. The practices implicated in this incident include Regal Medical Group, Lakeside Medical Organization, and others.

As part of the $49.9 million settlement, class members will have access to three years of free identity and theft monitoring services. Additionally, eligible members who submit a claim may receive cash payments of up to $10,000 for documented fraud and losses related to the breach, with a capped total of $2 million. Members can also receive up to $210 for their time spent addressing the breach, calculated at $30 per hour for a maximum of seven hours.

Furthermore, seven class representatives will receive awards of $7,500 each for their service in the case. Attorneys representing the class are seeking approximately $16.7 million to cover fees and expenses associated with the litigation.

The settlement fund will also allow for prorated cash payments to class members based on the remaining funds after other disbursements. A final court hearing to approve the settlement is scheduled for January 28, 2026.

Breach Details

This ransomware incident ranks as the 10th largest data breach reported to the U.S. Department of Health and Human Services in 2023. Regal Medical and other involved practices acknowledged the breach in a notice issued in February 2023, indicating they became aware of the issue after experiencing access problems with their servers on December 8, 2022.

The notice confirmed that malware was detected and that it allowed the attackers to exfiltrate sensitive personal data, which may include names, Social Security numbers, dates of birth, and other health-related information.

Lawsuit Allegations

The plaintiffs alleged that the defendants failed to implement adequate data protection measures, resulting in harm and increased risks of identity theft. The consolidated litigation encompasses over 25 lawsuits and claims that the compromised information was exposed online, some potentially on the dark web, thereby creating ongoing risks for the affected individuals.

While Regal Medical and its affiliates have denied any wrongdoing in this case, they opted for a settlement. Regal Medical has not provided additional commentary on the settlement or specifics regarding the attack, including whether a ransom was paid to the attackers.

This settlement follows a series of recent class action resolutions related to significant data breaches in the healthcare sector. For instance, Integris Health in Oklahoma agreed to pay $30 million to settle a case involving a 2023 data theft that affected 2.4 million individuals.

As civil litigation following cyber incidents becomes more prevalent, it highlights the need for robust cybersecurity frameworks. Legal experts emphasize that organizations facing data breaches may encounter steep financial liabilities through class action suits, a risk often weighing more heavily than the scrutiny from federal regulatory bodies.
