Nearly 137,000 People Affected in 2023 Ransomware Attack on Maryland-Based Hospital
A ransomware attack against Atlantic General Hospital that affected the personal information of 137,000 individuals in 2023 has led to a $2.25 million preliminary settlement of a consolidated proposed federal class action lawsuit.
Berlin, Maryland-based not-for-profit Atlantic General Hospital is part of Atlantic General Health System, which also includes 40 family physicians, internists and specialists with offices in 17 locations throughout Maryland, Virginia and Delaware.
The amended consolidated lawsuit complaint filed in a Maryland federal court in August 2023 alleges that the plaintiff and class members face increased risk of identity theft and fraud crimes from the data breach because of Atlantic General’s “negligent, reckless, intentional and/or unconscionable failure to adequately satisfy its contractual, statutory and common-law obligations.”
The lawsuit sought statutory and punitive damages, as well as injunctive relief ordering Atlantic General to improve its data security practices (see: Victim Count in Maryland Ransomware Breach Jumps Fivefold).
Under the proposed settlement, class members may submit valid claims to receive up to $5,000 for reimbursement of documented losses incurred as a result of the data breach.
That includes bank fees, credit report or monitoring fees, long-distance phone charges, cellphone charges if charged by the minute, and miscellaneous qualified expenses subject to explanation, such as postage, notary, fax, copying, mileage and gasoline for local travel.
As an alternative, settlement class members may instead submit a valid claim for a cash award. The amount of that cash award depends on the total of remaining net settlement funds after payments of all other claim types.
Each settlement class member who submits a valid claim also may elect to receive three years of credit and identity monitoring services.
The proposed settlement does not appear to require Atlantic General Hospital to make any specific data security improvements. But the document does state that Atlantic General made – or is making – “changes and improvements … to further protect settlement class members’ private Information.”
Settlement class attorneys are seeking one-third of the settlement fund, or $750,000.
A final fairness court hearing for the proposed settlement is set for Sept. 5. The court granted preliminary approval of the settlement in late April.
As part of the agreement, Atlantic General denies any wrongdoing and “all of the claims and contentions alleged against it in the litigation,” the settlement document says.
Atlantic General Hospital did not immediately respond to Information Security Media Group’s request for comment on the proposed settlement and for additional details about the hacking breach.
The settlement of the Atlantic General Hospital lawsuit “explains the nature of health data breach class actions and their sudden, significant impact on the healthcare industry,” said regulatory attorney Paul Hales of Hales Law Group, which is not involved in the case.
Plaintiff attorneys are arguably “the most fearsome enforcers of health privacy laws,” he said.
“Prosecuting and defending a class action requires substantial legal skill,” according to Hales.
The expenses involved with these legal cases can quickly pile up. But the money involved goes beyond the sums paid to persons harmed by wrongful disclosure of their sensitive personal information, he said. “It is measured by legal and reputational costs saved by defendants and legal fees earned by plaintiffs’ lawyers.”
Breach Details
In its breach notice, Atlantic General said that on Jan. 29 it discovered that files on certain systems had been encrypted.
In the days following that discovery, Atlantic General temporarily closed its outpatient imaging services, walk-in lab services and pharmacy as it recovered from the incident (see: Cyberattack Wave on Healthcare Reaches Florida and Maryland).
Atlantic General said its forensics investigation determined that unauthorized access to certain servers began on Jan. 20, 2023. The healthcare firm said it took steps to secure its systems upon discovery of the intrusion.
On March 24, 2023, Atlantic General sent notification of the data breach to 30,407 individuals. But on May 15, 2023, further investigation determined that the total number of affected individuals was 136,981. Atlantic General subsequently notified the additional individuals about the breach.
Among the information subject to unauthorized access was each individual’s name, Social Security number, driver’s license number, financial account information, birthdate, medical record number, treating/referring physician, health insurance information, subscriber number, medical history information and diagnosis/treatment information, the hospital said.