Apria Healthcare Faces Data Breach Lawsuit and Tennessee Orthopaedic Clinics Lawsuit Settled

Apria Healthcare Faces Lawsuit for HIPAA Violations

Apria Healthcare is facing a lawsuit filed by Indiana Attorney General Todd Rokita for alleged violations of state legislation and the Health Insurance Portability and Accountability Act (HIPAA) in connection with a cyberattack and data breach that impacted 1,869,598 people, including 42,000 Hoosiers.

Apria Healthcare, based in Indianapolis, IA, is a provider of home medical equipment and related services. The Federal Bureau of Investigation (FBI) notified Apria Healthcare on September 1, 2021, of unauthorized access to its internal network. The investigation revealed that from April 5, 2019, to May 7, 2019, and from August 27, 2021, to October 10, 2021, an unauthorized third party accessed its internal systems, including a few employee email accounts. The compromised electronic protected health information (ePHI) contained names, financial data, birth certificates, medical backgrounds, medical data, and Social Security numbers. Apria Healthcare determined that the purpose of the attack was to obtain money from Apria Healthcare rather than patient information. Notifications were mailed to the impacted persons in May 2023, over 20 months after Apria Healthcare received notification of the breach from the FBI.

Attorney General Rokita claimed that Apria Healthcare intentionally covered up the data breach by not issuing breach notifications for 629 days. That delay was a violation of the HIPAA Breach Notification Rule, which requires individual notifications to be issued to the impacted persons within 60 days of discovering a data security breach. The late notification also violated Indiana's Disclosure of Security Breach Act, which requires notifications to be sent without unnecessary delay and no later than 45 days after discovering a data security breach. Owens and Minor bought Apria Healthcare in March 2022. Allegedly, Owens and Minor knew about the data breaches but did not send prompt breach notifications.

Attorney General Rokita additionally alleged violations of the HIPAA Privacy and Security Regulations because of:

  • not implementing proper technical safety measures to ensure the confidentiality, availability, and integrity of ePHI
  • impermissible disclosure of the ePHI of over 1.8 million people
  • violating the Indiana Deceptive Consumer Sales Act

Patients must be able to have confidence in their healthcare providers at all times, Attorney General Rokita said. All Hoosier patients have the right to privacy, particularly concerning health care. Whenever personal data is accessible or exposed to an unknown person, the affected individual is exposed to life-changing threats, for example, identity theft and financial ruin. The Attorney General's office has adamantly battled against sloppy companies that ignore big cybersecurity threats.

Tennessee Orthopaedic Clinics Resolves Class Action Data Breach Lawsuit

Tennessee Orthopaedic Clinics, located in Knoxville, TN, has agreed to settle a class action lawsuit related to a March 2023 attack and data breach that affected 46,679 persons. The breached data involved names, contact data, birth dates, diagnosis and treatment details, names of providers, cost of services, dates of service, prescription details, and/or medical insurance data.

The impacted people were informed of the breach at the beginning of May, and a class action lawsuit was immediately filed alleging that Tennessee Orthopaedic Clinics was at fault for not using reasonable and proper cybersecurity measures. According to the lawsuit, the data breach could have been avoided if those measures had been in place. Tennessee Orthopaedic Clinics opted to settle the lawsuit without acknowledging wrongdoing to avoid more legal fees and the uncertainty of trial. Under the terms of the settlement, persons who received a notice concerning the data breach may claim ordinary expenses, for example communication expenses, credit costs, bank charges, and lost time (maximum 3 hours at $20 for each hour), up to $1,500.

Claims of about $4,000 may also be filed for documented extraordinary costs, such as losses because of fraud or identity theft from March 20, 2023, to April 8, 2024, provided the claimant attempted to avoid those losses and those losses have not yet been reimbursed. All class members are offered single-bureau credit monitoring and identity theft protection services for 24 months. The deadline for exclusion from or objection to the settlement has passed, and the final approval hearing was scheduled for March 14, 2024. Class members wishing to file claims should do so by April 8, 2024.