Lawsuits Increasing Following HIPAA Breaches – Facts and Figures
The law firm BakerHostetler published its annual Data Security Incident Response Report based on findings from 1,270 data security incidents managed by the firm in 2021.
- 23% of all incidents affected healthcare organizations – the most targeted sector of the economy
- 35% of healthcare breaches involved ransomware attacks, vs. 20% in 2020
- The average ransomware payment for healthcare was $875,784, about one-third less than in 2020
- In 82% of ransomware attacks, the attackers claimed to have removed data before encryption
- The average number of patient notifications was 81,679
The firm also noted a trend of increased lawsuit filings and of increased numbers of filings within the same jurisdiction (federal or state). From the pool of 1,270 incidents, 58 data breach lawsuits were filed related to 23 incidents, including three involving breaches of 8,000 or less. Healthcare organizations were targeted in 43 of the lawsuits.
Partnership Health Plan (California)
Partnership Health Plan in Northern California was the victim of a cyberattack by the Hive ransomware group. The cybercriminals stole more than 400GB of data before encrypting the organization’s files on March 19, 2022.
A pair of California law firms have filed a class-action lawsuit on behalf of an anonymous plaintiff “John Doe” and others affected by the breach. The lawsuit alleges the healthcare organization was negligent for failing to implement and maintain appropriate cybersecurity measures to prevent ransomware attacks and data breaches. The lawsuit further states that warnings had been issued to the healthcare sector about the threat of Hive ransomware attacks as early as June 2021.
The breach impacts the protected health information (PHI) of as many as 850,000 individuals. More plaintiffs are expected to join the suit following Partnership’s issuance of breach notification letters. No damages have been claimed, but the lawsuit requests a jury trial.