You're not paranoid: lawyers ARE coming to get you. - DataBreaches.Net
Briefly

"Here's your reminder that if federal regulators like HHS OCR don't investigate and penalize you after a data breach involving patient data, state attorneys general may, and class-action lawyers may also come after you in federal or state courts. In some cases, like this one, federal, state, and class-action lawyers may all come after you - for money and for corrective action plans."
"In May 2022, ambulance billing service Comstar, LLC announced it was notifying patients whose personal and protected health information (PHI) had been encrypted in a ransomware attack in March. On April 21, Comstar discovered that PHI was involved, and on May 25, 2022, they notified HHS that 68,957 patients had been affected. Many of their 70 affected clients may have done their own notification, however, because when HHS OCR investigated, they learned that a total of approximately 585,621 patients had been affected."
If federal regulators such as HHS OCR do not investigate or penalize a healthcare entity after a patient-data breach, state attorneys general and class-action lawyers may still pursue it, and in some cases all three do. Ransomware gangs commonly demand large sums for decryption keys or for a purported deletion of exfiltrated data. In the Comstar incident, a March ransomware attack encrypted PHI; Comstar discovered that PHI was involved on April 21 and announced in May 2022 that it was notifying patients. Comstar initially reported 68,957 affected patients to HHS, but HHS OCR identified approximately 585,621 affected patients overall. The breach spanned a ten-year period, impacted municipal and private EMS providers, and included some organizations that were no longer clients at the time.
Read at DataBreaches.Net