Apria Healthcare Faces Lawsuit Over HIPAA Violations
Indiana Attorney General Todd Rokita is taking legal action against Apria Healthcare for violating the Health Insurance Portability and Accountability Act (HIPAA) and state law following a cyberattack and data security breach that affected 1,869,598 people, including 42,000 Hoosiers.
Apria Healthcare, based in Indianapolis, IA, is a home healthcare equipment and services provider. The Federal Bureau of Investigation (FBI) notified Apria Healthcare on September 1, 2021 of unauthorized access to its systems. The investigation determined that an unauthorized third party accessed its systems, including several employee email accounts, from April 5, 2019 to May 7, 2019, and from August 27, 2021 to October 10, 2021. The electronic protected health information (ePHI) compromised included names, birth certificates, Social Security numbers, financial data, medical backgrounds, and health data. Apria Healthcare stated that the attack was intended to extort money from Apria Healthcare rather than to obtain patient information. The healthcare provider mailed notifications to the affected individuals in May 2023, more than 20 months after the FBI notified it of the breach.
Attorney General Rokita alleged that Apria Healthcare intentionally concealed the data breach by withholding notifications for 629 days. This delay violated the HIPAA Breach Notification Rule, which requires notifications to be issued to affected individuals within 60 days of discovering a data breach. The late notification also violated Indiana’s Disclosure of a Security Breach Act, which requires notifications to be sent without unreasonable delay and within 45 days of discovering a data breach. Owens and Minor acquired Apria Healthcare in March 2022. Owens and Minor allegedly knew about the data breaches but did not send prompt notifications.
Attorney General Rokita additionally alleged violations of the HIPAA Privacy and Security Rules. The provider allegedly failed to implement appropriate technical safeguards to ensure the integrity, confidentiality, and availability of ePHI, and the impermissible disclosure of more than 1.8 million people’s ePHI allegedly violated the Indiana Deceptive Consumer Sales Act.
Personal Touch Holding Corp Settled Class Action Data Breach Lawsuit
Personal Touch Holding Corp. has received preliminary approval of a settlement to resolve a class action lawsuit filed after a ransomware attack and data breach in January 2021 that affected 753,107 patients. The home health services provider, based in Lake Success, NY, operates about 30 Personal Touch Home Care locations in several U.S. states. In January 2021, a ransomware group gained access to business files stored in the cloud, including the information of 29 of its subsidiaries. Initial access was obtained after an employee responded to a phishing email, which led to the download of malware.
Individuals who had previously received services from Personal Touch or its centers had their names, addresses, telephone numbers, dates of birth, financial data (including check copies, credit card numbers, and bank account details), Social Security numbers, medical treatment details, health insurance card information, health plan benefit numbers, and medical record numbers exposed in the attack.
The Everetts v. Personal Touch Holding Corp. class action lawsuit, filed in the U.S. District Court for the Eastern District of New York, alleged that Personal Touch failed to implement reasonable and appropriate cybersecurity measures before the ransomware attack, and that had those measures been in place, the attack could have been prevented. Personal Touch chose to settle the lawsuit without admitting wrongdoing or liability.
Under the terms of the settlement, class members who received notification of the breach from Personal Touch on or around March 24, 2021, and whose personally identifiable information (PII) or protected health information (PHI) was not likely exposed, can submit a claim for up to $125 to cover out-of-pocket costs associated with the data breach, including communication expenses, credit monitoring fees, and other expenses incurred after January 20, 2021 in connection with the breach.
Individuals who received a Personal Touch notification letter on or about March 24, 2021 informing them that their PII or PHI was affected in the data breach can submit claims of around $7,500 for reimbursement of documented out-of-pocket expenses and losses resulting from identity theft and fraud, including lost time of up to three hours at $25 per hour. The settlement also includes two years of Identity Defense Total Service for those whose PII and/or PHI were potentially compromised in the data breach.
Claims must be submitted by May 21, 2024, which is also the deadline for objecting to the settlement or requesting exclusion from it. Individuals who do nothing will receive no payment and will forfeit their rights to pursue claims related to the breach. The settlement has received preliminary approval from the court, and the final settlement hearing is scheduled for July 22, 2024.
In October 2023, New York Attorney General Letitia James announced a $350,000 settlement with Personal Touch to resolve allegations of HIPAA and state law violations related to data security. Personal Touch should have been aware of its security vulnerabilities yet failed to address them promptly, had only an informal security program, and did not provide adequate HIPAA training to employees.