The Wisconsin-based dermatology practice, Forefront Dermatology, has agreed to settle a class action lawsuit filed on behalf of patients whose protected health information (PHI) was compromised in a ransomware attack in late May 2021.
Forefront Dermatology has affiliated practices in 21 states and Washington D.C. In May 2021, the practice was targeted by the Cuba ransomware gang, which gained access to its network and exfiltrated files from the network before encrypting data. The gang then dumped some of the stolen data on its dark web data leak site to pressure the practice into paying the ransom. According to Forefront Dermatology’s data breach notice, the attack was detected on June 4. The forensic investigation confirmed the attackers potentially accessed and stole files containing the PHI of up to 2.4 million employees and patients. That information included names, dates of birth, account numbers, health insurance information, Social Security numbers, medical record numbers, medical and treatment information, and other sensitive data.
Shortly after patients were notified about the breach, a class action lawsuit was filed in the U.S. District Court for the Eastern District of Wisconsin. It alleged Forefront Dermatology had failed to implement adequate data security protocols, including permitting the use of “incredibly simplistic passwords,” and had maintained patient data “in a reckless manner”. The lawsuit alleged the ransomware attack and data breach were made possible by those security failures, and that Forefront Dermatology was aware of the risk of a data breach and had the resources to implement appropriate data security measures but failed to do so.
The lawsuit takes issue with the month-long delay in issuing breach notification letters and with the conflicting statements provided to patients and the Maine attorney general: the attorney general was informed that Social Security numbers had been stolen, whereas patients were told that information such as Social Security numbers, driver’s license numbers, and financial account/payment card information was not accessed or stolen.
The lawsuit alleges the plaintiffs – Judith Leitermann, Lynn Anderson, and Milan E. Kunzelmann – and similarly affected individuals have been exposed to a heightened and imminent risk of fraud and identity theft, and that their PHI is now in the hands of criminals. As a result of the alleged negligence of Forefront Dermatology, the plaintiffs and class members must closely monitor their financial accounts to guard against identity theft, and have incurred and will continue to incur out-of-pocket costs for protective measures to deter and detect identity theft.
Forefront Dermatology has not admitted any wrongdoing and accepts no liability for the data breach, but chose to settle the lawsuit to prevent further legal costs and to avoid the uncertainty of trial. Forefront Dermatology proposed a $3.75 million settlement to resolve all claims related to the data breach.
Under the terms of the settlement, class members are entitled to claim up to $10,000 for documented losses from identity theft, credit-related costs, bank fees, communication charges, and fraudulent charges, as well as claim up to five hours of lost time at $25 per hour, and may also sign up for one year of free credit monitoring services. Class members may opt out of receiving expense reimbursement and credit monitoring services and will instead receive a cash fund payment, the value of which will depend on the number of participating class members.
Class members have until January 24, 2023, to object to or exclude themselves from the settlement, and until February 8, 2023, to submit a claim. The final approval hearing has been scheduled for March 1, 2023.
The post Forefront Dermatology Proposes $3.75 Million Settlement to Resolve Ransomware Lawsuit appeared first on HIPAA Journal.