The dermatology practice, Forefront Dermatology, based in Wisconsin has decided to settle a class action lawsuit filed on behalf of patients who had their protected health information (PHI) compromised in a ransomware attack in late May 2021.
Forefront Dermatology has associate practices in 21 states and Washington D.C. In May 2021, the Cuba ransomware group targeted the practice and obtained access to its network, and exfiltrated files from the system before encrypting data. The gang then uploaded several of the stolen records on its dark web data leak site to compel the practice into paying the ransom. Based on the data breach notice of Forefront Dermatology, it discovered the attack on June 4. It was confirmed by the forensic investigation that the attackers probably viewed and stole files including the PHI of around 2.4 million staff members and patients. That information included names, account numbers, dates of birth, health insurance data, Social Security numbers, medical and treatment details, medical record numbers, and other sensitive information.
A class action lawsuit was registered in the U.S. District Court for the Eastern District of Wisconsin soon after patients were informed concerning the breach, which claimed that Forefront Dermatology didn’t utilize sufficient data security standards, which include permitting the usage of unbelievably simplistic passwords, and had kept patient records in a sloppy manner. The lawsuit stated that the ransomware attack and data breach happened as a result of those security issues and that Forefront Dermatology knew about the possibility of a data breach and had the means to employ proper data security steps however did not do so.
The lawsuit complained about the month-long delay in providing breach notification letters, and the inconsistent statements presented to patients and also the Maine attorney general. The latter was told that Social Security numbers were stolen but patients were advised that data including financial account/payment card details, driver’s license numbers, and Social Security numbers were not accessed or stolen.
The lawsuit states the plaintiffs, Lynn Anderson, Judith Leitermann, and Milan E. Kunzelmann, and equally affected persons were exposed to an increased and upcoming threat of fraud and identity theft, and that their PHI is right now in the control of bad guys. Because of the alleged failure of Forefront Dermatology, the plaintiffs and class members need to tightly keep an eye on their financial accounts to shield against identity theft and have and will keep on to get out-of-pocket expenses for protective actions to dissuade and determine identity theft.
Forefront Dermatology hasn’t acknowledged any wrongdoing and agrees to no liability for the information breach, yet decided to resolve the lawsuit to avoid more legal charges and to stay clear of the uncertainty of trial. The practice negotiated a $3.75 million settlement to pay for all claims connected to the data breach.
As per the provisions of the settlement, class members are eligible to claim approximately $10,000 for reported losses from identity theft, credit-linked fees, bank fees, communication fees, and fraudulent costs, and even claim around five hours of lost time at $25 by the hour, and may likewise register for one year of free credit monitoring services. Class members could opt out of receiving expense repayment and credit monitoring services and will rather obtain a cash fund payment, the price of which is determined by the number of partaking class members.
Class members could reject or exclude themselves from the settlement until January 24, 2023, and can submit a claim until February 8, 2023. The final approval hearing will be on March 1, 2023