HIPAA Breach Lawsuits

Almost as surely as summer follows spring, lawsuits follow breaches of protected health information. Here’s a roundup of recent HIPAA breach lawsuits and settlements.

Lawsuits Increasing Following HIPAA Breaches – Facts and Figures

The law firm BakerHostetler published its annual Data Security Incident Response Report based on findings from 1,270 data security incidents managed by the firm in 2021. 

Highlights included:

  • 23% of all incidents affected healthcare organizations – the most targeted sector of the economy
  • 35% of healthcare breaches involved ransomware attacks, vs. 20% in 2020
  • The average ransomware payment for healthcare was $875,784, about one-third less than the 2020 payment
  • 82% of ransomware attacks claimed to have removed data before encryption
  • The average number of patient notifications was 81,679

The firm also noted a trend of increased lawsuit filings and increased numbers of filings within the same jurisdictional areas, such as federal or state. From the pool of 1,270 incidents, 58 data breach lawsuits were filed related to 23 incidents, including three involving breaches of 8,000 or fewer. Healthcare organizations were targeted in 43 of the lawsuits.

Partnership Health Plan (California) 

Partnership Health Plan in Northern California was the victim of a cyberattack by the Hive ransomware group. The cybercriminals stole more than 400GB of data before encrypting the organization’s files on March 19, 2022.

A pair of California law firms have filed a class-action lawsuit on behalf of an anonymous plaintiff “John Doe” and others affected by the breach. The lawsuit alleges the healthcare organization was negligent for failing to implement and maintain appropriate cybersecurity measures to prevent ransomware attacks and data breaches. The lawsuit further states that warnings had been issued to the healthcare sector about the threat of Hive ransomware attacks as early as June 2021.

The breach impacts the protected health information (PHI) of as many as 850,000 individuals. More plaintiffs are expected to join the suit following Partnership’s issuance of breach notification letters. No damages have been claimed, but the lawsuit requests a jury trial.

Oregon Anesthesiology Group

Oregon Anesthesiology Group in Portland, OR, faces a class-action lawsuit after a data breach affected the protected health information of more than 750,000 patients. On July 3, 2021, the organization was victimized by a cyberattack from the HelloKitty ransomware group based in Ukraine. Affected persons received notification letters in December 2021.

On April 7, 2022, attorneys filed a lawsuit on behalf of an individual claiming to have identified suspicious activity in his bank account. The suit seeks class-action status and claims that OAG was negligent for failing to protect the sensitive data of at least 750,000 individuals. It also claims that the five-month delay in issuing notification letters violated Oregon laws, which require notification letters to be issued within 60 days of the discovery of the breach.

HIPAA regulations also require notification of affected individuals within 60 days of the discovery of a breach if the breach affects more than 500 individuals. Exceptions to the rule may be allowed if notification was delayed at the direction of authorized law enforcement