Imprisoned LockBit Affiliate and Med-Data’s $7 Million Breach Lawsuit Settlement

LockBit Affiliate Faces 4 Years in Prison and Pays $860,000

An affiliate of the LockBit ransomware group was sentenced in Canada to about four years' imprisonment and was ordered to pay over $860,000 in restitution. Russian-Canadian national Mikhail Vasiliev, 34 years old, was born in Moscow but migrated to Canada over 20 years ago. During the COVID-19 pandemic, Vasiliev signed up as an affiliate of the LockBit ransomware operation. About 18 months ago, Vasiliev was caught during a raid of his house in Bradford, Ontario. A search of his property revealed a list of potential and past victims, directions on how to use LockBit ransomware, the ransomware source code, the control panel used to install the ransomware, and images of chats with a primary LockBit group member (LockBitSupp) on the Tox communication platform.

Vasiliev confessed to being a LockBit group affiliate from 2021 to 2022. He performed attacks on companies in Montreal, Saskatchewan, and Newfoundland, stealing data, encrypting files, and demanding ransom payments. Vasiliev confessed to eight counts, which include mischief, cyber extortion, and weapons charges. Law enforcement in the United States has been investigating Vasiliev for about two years. Last month, Vasiliev was charged by the U.S. Department of Justice with conspiracy to deliberately damage protected computers and to transmit ransom demands. Vasiliev has agreed to extradition to the United States, but it is still pending. If found guilty in the United States, Vasiliev’s maximum sentence is five years in prison. The DOJ also reported charges against four persons allegedly working together with the LockBit group.

In four years, the LockBit group is alleged to have performed more than 2,000 ransomware attacks within the United States and received over $144 million in ransom payments. Several healthcare companies have experienced LockBit ransomware attacks, including Saint Anthony Hospital in Chicago, Varian Medical Systems in California, and Capital Health in New Jersey. The group’s infrastructure was taken over in February 2024 as part of a global law enforcement operation. Three suspects involved in the operation were caught in Poland and Ukraine. A couple of days later, the U.S. State Department offered rewards of up to $15 million for information concerning the leaders of the ransomware group and any data that could help arrest any person who took part in the LockBit operation. The LockBit group re-established its data leak website within a week of the takedown, created new infrastructure, and began listing new victims on the site.

Med-Data Pays $7 Million to Resolve Data Breach Lawsuit

The revenue cycle management firm Med-Data, based in Spring, TX, agreed to pay $7 million to settle all claims arising from a data breach from 2018 to 2019 that affected the protected health information (PHI) of roughly 136,000 people.

From December 2018 to September 2019, a Med-Data employee uploaded patient information to the public-facing software development hosting platform GitHub. The files were put in personal directories on GitHub Arctic Code Vault and included the PHI of patients of its clients. The exposed information contained names, addresses, birth dates, Social Security numbers, diagnoses, health disorders, subscriber IDs, claims data, dates of service, medical treatment codes, names of providers, and medical insurance policy numbers. Med-Data took the files down as soon as it was informed about the data breach and provided the impacted persons with free credit monitoring and identity protection services.

Because of the data breach, a lawsuit was filed alleging that Med-Data did not sufficiently secure the sensitive information it received from its clients and failed to give prompt notifications upon discovery of the breach. Med-Data decided to resolve the lawsuit, and the court has given the settlement preliminary approval. The settlement has two tiers. The first tier permits impacted persons to claim as much as $5,000 for documented, unreimbursed losses sustained because of the data breach. These include out-of-pocket costs such as bank charges, credit expenses, and communication costs; around five hours of lost time valued at $25 an hour; and losses caused by identity theft and medical identity theft.

Alternatively, class members can choose the second tier, which offers a cash payment of up to $500 for time spent dealing with matters associated with the data breach, such as checking credit reports, registering for credit monitoring services, changing passwords, and other steps. Claims will be paid pro rata, according to the number of submitted claims.

Irrespective of the tier selected, class members can receive a 3-year membership to Medical Shield Premium, a health information and fraud monitoring service, with an identity theft insurance policy by Pango valued at $1 million. Class members can object to or exclude themselves from the settlement on or before April 26, 2024. The final approval hearing will be on September 11, 2024.