web analytics

To Avoid Bankruptcy, EMR Firm Settles Lawsuit for $4M – Source: www.databreachtoday.com

to-avoid-bankruptcy,-emr-firm-settles-lawsuit-for-$4m-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Healthcare
,
Industry Specific
,
Legislation & Litigation

Pediatric Tech Vendor Hit by 2022 Data Breach Affecting 3 Million – Mostly Children

Marianne Kolbasuk McGee (HealthInfoSec) •
February 15, 2024    

To Avoid Bankruptcy, EMR Firm Settles Lawsuit for $4M
Connexin Software, which operates as Office Practicum, has agreed to settle a breach lawsuit for $4 million. (Image: Connexin Software)

An electronic health record and practice management software firm said the only way to avoid bankruptcy from the consolidation of nine proposed class action lawsuits filed in the wake of a 2022 data breach is to settle the case for $4 million.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

The data breach affected 3 million people – mostly children – who were patients of pediatricians. According to a preliminary settlement document, Connexin Software, which operates as Office Practicum, told the judge it would have to “seek bankruptcy protection had the case proceeded substantially further, much less to judgment.”

Under the preliminary settlement filed in a Pennsylvania federal court on Wednesday, Connexin Software agreed to spend up to $1.5 million on business changes to improve its data security practices.

The court also dealt the plaintiffs’ case a blow with a previous order that dismissed several of the consolidated case’s claims.

“The parties were well-aware of each other’s strengths and weaknesses by virtue of the court’s ruling on Connexin’s partial motion to dismiss, their exchange of thousands of pages of documents, nearly a dozen depositions, and mediation-related discovery and analysis directed at Connexin’s finances,” the settlement document says.

“Rather than prolonging the litigation, plaintiffs have reached a settlement that will immediately provide them and class members with significant benefits for their injuries arising from the data security incident,” it says.

Under the proposed agreement, Fort Washington, Pennsylvania-based Connexin Software will offer each plaintiff and class member three settlement options: identity theft monitoring for three years, plus up to $1 million in insurance; reimbursement for out-of-pocket losses or time spent as a result of the data security incident up $7,500; or a flat fee cash payment, the amount of which depends on the number of valid claims submitted for that option.

The attorneys are seeking about one-third of the settlement fund, or about $1.3 million, in fees. Connexin is in the process of obtaining funding for the settlement, court documents said.

As of Thursday, the court had not yet set a date for a hearing on the preliminary settlement.

Case Focuses on Impact on Children

According to its website, Connexin makes software “designed by pediatricians for pediatricians with pediatric-specific workflows, templates, and vaccine management functionality.”

An amended complaint filed against Connexin in April 2023 accuses the company of failing to maintain adequate security measures, and it focuses on the impact of the breach on children as well as their parents, guardians and insurance policyholders.

The breach of personal records could saddle these young patients and others with risks of “fraud, identity theft, medical identity theft, misappropriation of health insurance benefits, intrusion of their health privacy” and other types of crimes, the plaintiffs argued.

“The consequences of Connexin’s misconduct and violations of law have had and will continue to have serious consequences for large numbers of young people across the nation,” the amended lawsuit alleges.

Connexin said in a breach notice that on Aug. 26, 2022, it had detected “a data anomaly” on its internal network. Its investigation determined that an unauthorized party had been able to access an offline set of patient data used for data conversion and troubleshooting. Some of that data was removed by the unauthorized party (see: Pediatric EMR Vendor Hack Affects 2.2 Million).

The breach affected a wide range of patient information such as patient name, guarantor name, parent/guardian name, address, email address and birthdate, Social Security numbers, health insurance information, medical and treatment information, and billing and claims data.

Attorneys representing the plaintiffs and class members in the lawsuit did not immediately respond to Information Security Media Group’s request for comment.

Neither an attorney representing Connexin nor the company immediately responded to ISMG’s requests for comment and additional details, including how the case affected the company financially.

Settlement Considerations

The financial condition of Connexin and the possibility that the firm would declare bankruptcy was a legitimate factor in the settlement amount and timing, said regulatory attorney Rachel Rose, who is not involved in the case.

“One item to consider when a company says, ‘We’ll file for bankruptcy unless you settle,’ is whether it is an illegal use of the Bankruptcy Code. That is a separate issue to be litigated,” she said.

“If a company was genuine about this position, then they would have the financial documentation, including revenues lost since the breach, to substantiate the threat of bankruptcy. Opposing counsel should always drill down before relying on potential for bankruptcy,” Rose said.

Heightened Risks for Minors

In the bigger picture, data security incidents such as the Connexin breach that involve compromises of information pertaining to minors raise other serious concerns, Rose said.

“Pediatric patients are particularly vulnerable because not only can their information be utilized – depending on the brazenness of the cyberattacker, they could sell it to a human trafficking organization, which could lead to more unlawful conduct,” she said.

Federal authorities in the U.S. have taken action in some breach cases involving the compromise of children’s data.

Last year, the Department of Justice hit a now-defunct web hosting firm, Jelly Bean, with a $300,000 settlement in a case involving a breach that exposed the information of hundreds of thousands of minors’ insurance applications for low-cost health and dental plans in Florida (see: Feds Fine Web Hosting Firm in Kids Insurance Site Hack).

“Like psychiatric records, minors absolutely have a heightened sensitivity. It may also be more valuable on the black market, which is why pediatric hospitals have been targeted with increased frequency,” Rose said.

Other Pediatric Hacks

Earlier this month, a ransomware group hit Ann & Robert H. Lurie Children’s Hospital of Chicago with a cyberattack that forced the pediatric medical center to take many of its IT systems – including email, phone and electronic health records – offline.

On Wednesday, in an updated statement about the incident, the hospital said its inbound and outbound email to and from external email addresses has been restored, and so have a majority of its phone lines.

But the hospital’s MyChart patient portal still remains offline. “As an academic medical center, our systems are highly complex, and these incidents can take time to resolve. Our network systems’ restoration is ongoing and progressing,” the hospital said.

While Lurie Children’s has said that the incident involved access “by a known criminal threat actor,” the hospital has not yet publicly commented on whether patient records were stolen in the attack.

Original Post url: https://www.databreachtoday.com/to-avoid-bankruptcy-emr-firm-settles-lawsuit-for-4m-a-24376

Category & Tags: –

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Nathalie Cole
How Much 10 Companies Paid Their Virtual CISO Service in 2022 Benchmark by Nathaniel Cole
How Much 10 Companies Paid...
Tushar Subhra Dutta
Top 10 Cyber Attack Maps to See Digital Threats 2022 by Tushar Subhra Dutta – Cyber Security News.
Top 10 Cyber Attack Maps...
Microsoft
Microsoft Zero Trust Maturity Model
Microsoft Zero Trust Maturity Model
US Deparment of Defense
DevSecOps Fundamentals Guidebook – Tools & Activities by American Deparment of Defense
DevSecOps Fundamentals Guidebook – Tools...
Microsoft
Microsoft 365 and the NIST Cybersecurity Framework
Microsoft 365 and the NIST...
ACSC Australia
Cyber Incident Response Plan Template by ACSC & Australian Goverment
Cyber Incident Response Plan Template...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

CASOS DE USO APLICABLES EN UN SIEM
CASOS DE USO APLICABLES EN...
IGNITE Technologies
Burp Suite for Pentester
Burp Suite for Pentester
The Institute of Internal auditors
Auditing Risk Culture
Auditing Risk Culture
DevSecOps Guide
ATTACKING PHP APPLICATIONS
ATTACKING PHP APPLICATIONS
DevSecOps Guide
ATTACKING KUBERNETES WITH SECURITY BEST PRACTICE
ATTACKING KUBERNETES WITH SECURITY BEST...
CLTC WHITE PAPER SERIES
Guidance for the Development of AI Risk and Impact Assessments
Guidance for the Development of...
Active Directory
Active Directory IT AuditChecklist
Active Directory IT AuditChecklist
A guide to business continuity planning
A guide to business continuity...
LOG RHYTHM
Using MITRE ATT&CK™ in Threat Huntingand Detection
Using MITRE ATT&CK™ in Threat...
Kaspersky
H2 2023 – A brief overviewof main incidentsin industrial cybersecurity
H2 2023 – A brief...
Andrey Prozorov
24 Great Cybersecurity Frameworks
24 Great Cybersecurity Frameworks
ENISA-EUROPA
SEGURIDAD DE TELECOMUNICACIONES
SEGURIDAD DE TELECOMUNICACIONES

More Latest Published Posts

SF-ISAC
Digital Operational Resilience Act
Digital Operational Resilience Act
SYNGRESS
DIGITAL FORENSICS WITH Open Source TOOLS
DIGITAL FORENSICS WITH Open Source TOOLS
IT REVOLUTION DEVOPS ENTERPRISE FORUM
DevOps Automated Governance Reference Architecture
DevOps Automated Governance Reference Architecture
SANS GIAC CERTIFICATIONS
Detecting Attacks on Web Applications from Log Files
Detecting Attacks on Web Applications from Log Files
EUROPEAN DATA PROTECTION SUPERVISOR
ANNUAL REPORT 2023
ANNUAL REPORT 2023
TechTarget
IT Disaster Recovery Plan Template
IT Disaster Recovery Plan Template
Opstune
IOC Scan Framework v2.0
IOC Scan Framework v2.0
Federal Office for Information Security
Indirect Prompt Injections
Indirect Prompt Injections
the Department of the Environment Climate and Communications
Guidelines on CyberSecurity Specifications
Guidelines on CyberSecurity Specifications
Edelman
INCIDENT RESPONSE REFERENCE GUIDE
INCIDENT RESPONSE REFERENCE GUIDE
Security METRICS
Security Metrics Guide to PCI DSS Compliance
Security Metrics Guide to PCI DSS Compliance
SOC TIPS Cybersecurity
Guia de Resposta a Incidentes de Segurança para LGPD
Guia de Resposta a Incidentes de Segurança para LGPD
CDCP
FIREWALL Audit CHECKLIST
FIREWALL Audit CHECKLIST
GitGuardian
Secrets Management Maturity Model
Secrets Management Maturity Model
MegaCorp One
Sample Penetration Test Report
Sample Penetration Test Report
FORTINET
Routing in FortiGate
Routing in FortiGate
FUTURE OF PRIVACY FORUM
Risk Framework Body Related Data (PD) Immersive Tech
Risk Framework Body Related Data (PD) Immersive Tech
ENISA
Remote ID Proofing Good Practices
Remote ID Proofing Good Practices
Google
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Red Canary
Threat Detection Report 2024
Threat Detection Report 2024
HADESS
Pwning the Domain Persistence
Pwning the Domain Persistence
Australian Goverment
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
CISC (Comité Internacional Sobre Ciberseguridad)
Política Nacional de Ciberseguridad 2023-2028
Política Nacional de Ciberseguridad 2023-2028
Google
Perspectiveson Securityfor the Board
Perspectiveson Securityfor the Board
HADESS
OSINT Method for Map Investigations
OSINT Method for Map Investigations
CCN-CERT
Observatorio Riesgos Ciberseguridad 2024
Observatorio Riesgos Ciberseguridad 2024
CYBERTHEORY
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
FORTINET
Bloking Malware Through Antivirus Security Profile in FortiGate
Bloking Malware Through Antivirus Security Profile in FortiGate