In 2022, Salud Family Health Inc. discovered several hundred thousand individuals had gained unauthorized access to protected health information. After facing multiple cases, the organization is planning to settle.
What happened
In early September 2022, Salud Family Health Inc., a Colorado-based Federal Qualified Health Center (FQHC), experienced a cyberattack resulting in stolen patient data.
According to a class action suit, the breach resulted in leaked sensitive information, including names, Social Security numbers, driver’s licenses or state identification numbers, financial account numbers, credit card numbers, passport numbers, medical treatment and diagnosis information, and more.
The breach affected approximately 427,546 individuals, who became at risk of fraud after the leak. The Lorenz ransomware group has claimed responsibility for the attack, stating they obtained more than 400,000 individual’s personal information.
Two class action lawsuits were filed in response to this breach and another that occurred on November 14, 2022. One of these class action cases was filed by Mason LLP, which later consolidated with a suit filed by Shub & Johns LLC.
What’s new
Following the consolidation of suits, Salud has agreed to settle the class action case. In the settlement, Salud has proposed to resolve all claims with no admission of liability.
Earlier this week in Colorado, a judge granted preliminary approval of the settlement. The settlement terms allow class members to submit claims for up to $7,500 for reimbursement of documented losses incurred as a result of the data breach. Affected individuals will also be allowed two years of credit monitoring, insurance services, and reimbursement of up to 4 hours of lost time at a rate of $20 per hour.
The settlement will not be final until the approval hearing, scheduled for December 13, 2023.
Why it matters
The Lorenz ransomware group is quickly becoming a major threat to the public and healthcare sectors.
In 2022, the Department of Health and Human Services released a security alert, saying that little is known about Lorenz compared to other ransomware groups. HHS also said the organization specifically targets larger organizations in what is known as “‘big-game hunting’ and publishes data publicly as part of pressuring victims in the extortion process.”
As ransomware organizations continue to evolve, healthcare companies must remain diligent. Even if Salud successfully settles the case without any admission of liability, they may still face steep economic repercussions.
The big picture
Other organizations should pay close attention to the situation with Salud. Many of these cases set a precedent for how future cases may decided.
Furthermore, organizations should closely monitor their software systems to prevent a breach or quickly recover if one occurs.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
