DNA Testing Lab Pays $400,000 Fine and Regal Medical Group Faces Multiple Lawsuits

State attorneys general in Ohio and Pennsylvania fined DNA Diagnostics Center (DDC) $400,000 for violating state legislation on personal data privacy. The private U.S. DNA testing laboratory experienced a breach of the personal data of approximately 46,000 residents in Pennsylvania and Ohio, and around 2.1 million people throughout the U.S.

DDC discovered the data breach on August 6, 2021, upon noticing suspicious activity in its archived databases. The investigation confirmed that unauthorized individuals accessed the databases from May 24 to July 28, 2021, and that selected folders and files were extracted. The databases included the sensitive data of 33,300 Pennsylvania residents and 12,600 Ohio residents who had received DNA testing services from 2004 to 2012. The data included names, payment details, and Social Security numbers.

The databases came from Orchid Cellmark, a firm that DDC acquired in 2012. The archived databases were not used for business and, according to DDC, were unintentionally transferred as part of the acquisition without DDC’s knowledge. Nine years later, DDC still did not know that the databases remained on its systems. DDC stated it had performed penetration tests and a stock review before the data breach happened. However, those checks and tests only identified active consumer information and did not reveal the existence of the archived information on its systems.

Before the data breach, DDC hired a third-party company to perform data breach tracking. That company found the data breach and tried to contact DDC on several occasions through automated email notifications, but employees did not respond for two months. During those two months, Cobalt Strike malware was installed on the system and information was extracted. The breach investigation confirmed that an unauthorized third party had signed in through a VPN on May 24, 2021, using a DDC user credential. Active Directory information was collected from a Domain Controller that supplied password data for every account in the system. The threat actor used a VPN that DDC no longer used, because DDC had moved to a different VPN. The unauthorized third party used a trial account with administrative privileges to maintain continued access and deploy Cobalt Strike inside DDC’s system. Five compromised servers that stored backups of 28 directories and a decommissioned server were used to extract the information. The threat actor then demanded that DDC pay a ransom in exchange for the restoration and deletion of the stolen information. DDC paid the ransom.

The state attorneys general’s investigation found that DDC had engaged in deceptive or unfair business practices through material misrepresentations in its client-facing privacy policy relating to the protection of its clients’ personal data. It was also alleged that DDC did not take reasonable actions to identify and stop unauthorized access to its computer systems, and therefore engaged in unfair and deceptive cybersecurity practices that exposed client information to unauthorized access and theft. The state AGs decided that those problems constituted unfair trade practices and violated state consumer protection laws.

DDC opted to resolve the investigations without admitting any wrongdoing. Under the terms of the settlement, DDC agreed to pay Pennsylvania and Ohio $200,000 each, implement and maintain extensive information and data security, conduct a detailed threat assessment annually, assign risk-appropriate resources to protect the personal information of consumers, and perform a yearly I.T. security program evaluation to assess the effectiveness of the data security plan.

Acting Attorney General Henry states that when criminals get access to more personal data, the person’s data becomes more prone to stealing. Hence, the Attorney General’s Office did something with the help of Attorney General Yost in Ohio. I am proud of the work our agents and attorneys do every day to protect Pennsylvanians’ most sensitive information.

Regal Medical Group Facing Multiple Lawsuits Over 3.3 Million-Record Ransomware Attack

Regal Medical Group and affiliated healthcare providers are facing several class action lawsuits as announced on February 1, 2023. A ransomware attack in December 2022 resulted in the potential theft of the protected health information (PHI) of approximately 3,300,638 people.

The attack impacted the Heritage Provider Network, Regal Medical Group, and a number of affiliated healthcare companies, such as A Medical Group, Inc., Lakeside Medical Organization, ADOC Acquisition Co., Affiliated Doctors of Orange County, and Greater Covina Medical Group Inc. The attack was discovered on December 2, when staff members began having problems accessing information.

The forensic investigation showed the ransomware attack began on or before December 1 and the attackers exfiltrated sensitive data from its servers. The compromised files contained PHI including names, telephone numbers, addresses, birth dates, diagnosis and treatment data, lab test data, prescription information, radiology reports, Social Security numbers, and medical plan member numbers. Impacted persons received a membership to a credit monitoring service for 12 months.

Multiple lawsuits are now common following healthcare data breaches, so it is not surprising that many were filed after an attack of this size. One of the major issues raised in the lawsuits was how the attackers had gained access to so much information, much of which was highly sensitive and could be misused in a variety of ways. The lawsuits were filed against Regal Medical Group and the Heritage Provider Network in the California superior state court and federal court. The lawsuits’ claims include unjust enrichment, negligence, negligence per se, unfair business practices, and breach of implied contract. The lawsuits allege violations of the following legislation: the California Confidentiality of Medical Information Act, the California Consumer Privacy Act of 2018, the FTC Act, the Health Insurance Portability and Accountability Act, and the Unfair Competition Law.

The lawsuits also raise the issue of the delay in issuing notifications about the breach. The data breach happened on December 1, 2022, but notifications were sent starting on February 1, 2022. Although the notifications were sent within the period of time permitted by the HIPAA Breach Notification Rule, that Rule additionally says that notifications must be distributed with no unnecessary delay. One lawsuit also disputes the details given in the breach notifications, which did not give complete details about the breach, for instance, the length of time the attackers had access to the stolen information.

The Timothy Head vs. Regal Medical Group Inc, Heritage Provider Network Inc. (Cole & Van Note) lawsuit alleges the defendants deliberately, willfully, recklessly, or negligently failed to take and apply sufficient and reasonable steps to protect the representative plaintiff(s)’ and class members’ PHI/PII. The lawsuit also alleges the defendants failed to encrypt information.

The same claims are presented in these lawsuits: David Rodriguez v. Regal Medical Group and Sam Abedi And Farnaz Doroodian v. Heritage Provider Network, Inc. and Regal Medical Group, Inc. According to these lawsuits, the defendants knew very well the high incidence of data breaches and had acquired the tools to secure information but did not invest enough in data protection, vulnerability remediation, employee training, and testing security settings.

The Lynn Austin vs. Regal Medical Group, Inc. (Parker & Minnie, LLP & Mason LLP) lawsuit alleges the plaintiffs have suffered actual and tangible harm, including out-of-pocket expenditures, loss of invaluable rights and protections, increased stress, anxiety, fear, and risk of future violations of privacy, and emotional and mental distress.

The lawsuits seek a jury trial, class action certification, injunctive relief, and actual and punitive damages, including a court order to prohibit the defendants from engaging in unlawful acts and misleading business practices and to ensure that a detailed information security program is applied to safeguard against potential data breaches.