More Than 918,000 Individuals Impacted by 2024 BianLian Data Theft Incident

A pediatric practice based in New York and its managed services provider have agreed to a $5.15 million settlement in a class action lawsuit tied to a significant data theft incident that affected an estimated 918,000 individuals, allegedly executed by the BianLian cybercrime group.
The preliminary agreement, approved by a New York state supreme court judge, involves ATSG Inc., now operating under the name XTIUM, and its client, Boston Children’s Health Physicians, LLP. Both parties deny any wrongdoing associated with the breach, which occurred in September 2024; a final approval hearing is slated for December 10.
Boston Children’s Health Physicians, located in Valhalla, New York, operates with 300 clinicians across 60 offices in New York and Connecticut and is affiliated with Boston Children’s Hospital. ATSG was providing IT managed services to BCHP at the time of the cyberattack.
In a notice, BCHP reported that on September 10, 2024, unauthorized activity was detected in parts of its network. It promptly initiated incident response procedures, shutting down systems as a precautionary measure. Notably, its electronic medical records system, which is isolated on a separate secure network, was not compromised during the incident.
BCHP’s internal investigation revealed that an unauthorized third party accessed their network on the day of the incident and extracted sensitive files. The breached data reportedly included personal and medical information of employees, patients, and their guardians, encompassing names, Social Security numbers, and health insurance details.
The BianLian group later listed BCHP as a victim on its dark web forum, claiming to possess extensive data from the practice, such as financial records, internal communications, and personally identifiable information (PII) associated with minors.
On October 4, 2024, ATSG reported the incident to the U.S. Department of Health and Human Services as a HIPAA business associate breach affecting approximately 909,500 individuals. Beyond the settlement announcement, it remains unclear whether the breach affected any of ATSG’s other clients, as neither ATSG nor BCHP has provided further comment.
Settlement Details
The settlement documents indicate that roughly 918,000 patients and employees across 63 jurisdictions were affected. Class members can select between two cash payment options: one allowing claims for documented losses, with payouts up to $5,000, and another offering approximately $100 for undocumented losses. The payout figure may fluctuate based on the number of valid claims submitted.
Class members may also opt for two years of free medical data monitoring services, which include alerts and insurance coverage for medical identity theft. Additionally, the six named plaintiffs will receive service awards of $2,500 each, while the attorneys will be allocated one-third of the settlement fund, approximately $1.71 million.
Although the settlement does not impose specific obligations for BCHP or ATSG to enhance their data security protocols, they are mandated to disclose any security upgrades made post-incident to class counsel before final approval.
Several class action lawsuits have emerged following the data breach, claiming negligence on the part of both BCHP and ATSG for not adequately safeguarding sensitive health information. While previous cases of similar magnitude may experience prolonged legal proceedings, this particular case was settled in under a year, highlighting a trend toward quicker resolutions in such lawsuits.
In view of the growing complexity and cost of litigating data breaches, early settlements are becoming more common, according to experts in the field. Organizations in the healthcare sector are urged to closely vet their upstream vendors to mitigate cybersecurity risk introduced through the supply chain.
Clients are encouraged to meticulously review service agreements, focusing on aspects such as indemnification, incident visibility, and vendor insurance to stave off similar incidents.