Cummins Behavioral Health Settles Data Breach Lawsuit

Cloudticity, L.L.C.

The Indiana-based behavioral health clinic has agreed to pay a $2.1 million settlement. 

The Breach

Back in August of 2023, Cummins Behavioral Health Systems (BHS), Inc. filed a notice of data breach with the Attorney General of Maine. Since then, Cummins BHS has been engaged in a class action lawsuit. Recently, the healthcare organization agreed to a $2.1 million settlement. 

Cummins BHS is a community behavioral health center based out of Avon, Indiana. The company provides therapy, psychiatric services, and substance use treatment across the central and western parts of the state. 

According to the report issued to the Maine Attorney General, the breach occurred on February 2nd, 2023, but wasn’t discovered until March 9th of the same year. Notifications to consumers began on August 11th of 2023.

Cummins BHS cited the attack as ransomware; the company said they discovered the breach when they found “a ransom note within its environment, placed by an unauthorized individual.”

The health system noted that typically, in a ransom attack, files are encrypted by the bad actors, which prevents them from being used as usual. Attackers generally demand a ransom to decrypt the data, and since healthcare companies are often so reliant on their data, they may do whatever they can to get it back. Surprisingly, in this case, no data was encrypted.

In response to the incident, Cummins BHS launched an investigation alongside a cybersecurity firm. Their report stated, “Unfortunately, these types of incidents are becoming increasingly common and even organizations with some of the most sophisticated IT infrastructure available are affected.”  

Accessed data included names, addresses, dates of birth, Social Security numbers, health insurance information, and payment card information. 

Cummins BHS reported the breach to the HHS Office for Civil Rights in April of 2024, but did not provide the number of impacted individuals. In their report to the Maine Attorney General, Cummins BHS said 157,688 individuals were impacted. 

The Lawsuit

Soon after the breach, Cummins BHS faced a class action lawsuit from impacted individuals. The suit alleged that Cummins BHS could have prevented the breach, but failed to, and that the breach ultimately caused harm to many different people. 

In October, a motion was filed to dismiss the lawsuit for failing to provide evidence of a direct injury; the plaintiffs could only allege an imminent and elevated future risk of fraud. The motion to dismiss the case was ultimately unsuccessful. 

Instead, both parties agreed to a settlement. Under the settlement, Cummins BHS maintains they committed no wrongdoing, but agreed that taking the case to court would be costly. 

Under the terms of the settlement, individuals impacted by the data breach may select one of the following benefits: 

  1. Up to $500 for documented ordinary losses. These may include out-of-pocket expenses, credit monitoring services, and fees from credit reports. 
  2. Up to $75 (3 hours at $25 per hour) for lost time spent dealing with the data breach. This time must be supported by an attestation. 
  3. Up to $5,000 as reimbursement for documented losses. These losses must be extraordinary, like identity theft or fraud. 
  4. A cash payment of $65. 
  5. A free trauma screening from the defendant.

In total, the settlement is worth $2.1 million. Claims must be submitted before November 20th, 2024.

What’s Next

As Cummins BHS noted, data breaches like these are becoming increasingly prevalent, especially in the healthcare sector. According to a recent report from Sophos on the State of Ransomware in Healthcare 2024, 67% of healthcare organizations in the survey had fallen victim to an attack within the last 12 months. The year before, only 60% of surveyed organizations had been victimized by ransomware. 

These numbers, already high, are seeing a steady increase. The healthcare industry is now the second most attacked; attacks against the government are only slightly higher, impacting 68% of surveyed organizations. 

Ransomware attacks can be devastating in healthcare; they can lead to delayed treatment, healthcare devices being inoperable, insurance delays, and more. Furthermore, it’s never advised for organizations to pay ransoms, as paying can increase the chances of being re-victimized.  Victimized organizations are often forced to try retrieving their data with the help of forensics teams. 

For patients, data breaches can have numerous consequences, including fraud and theft. These impacts can be challenging to quantify; someone who has had data stolen may not feel any effect for months or years, until suddenly they do. Criminals often aggregate stolen data, which means any time an individual is involved in a breach, more data is collected and the chance for fraud or theft increases.

For Cummins BHS, the incident likely serves as an unwelcome reminder to improve cybersecurity. Although the company alluded to having strong security practices, there were likely areas that could have been more protected. 

Even though breaches are increasing, organizations don’t have to become victims. With the right tools and practices, the vast majority of breaches can be prevented. 

How Cloudticity Can Help

Data breaches remain a huge issue for healthcare, with incidents impacting patients in the millions. Healthcare organizations need a new strategy to protect themselves. 

Despite the looming threat, a shortage of cybersecurity experts means many organizations are ill-prepared for attack, using old software or procedures unfit for today’s challenges. 

As a HITRUST certified organization with over 10 years as a leader in managed security for healthcare, we’ve never suffered a data breach. Despite an ever-evolving threat landscape with sophisticated and persistent actors, we’ve kept every single organization we work with secure.

Using a proven security tech stack with the best experts, we keep data safe and ensure vulnerabilities are promptly resolved. 

Attacks and their associated costs, including legal fees, system upgrade costs, and penalties, are rising. Cloudticity helps organizations focus their resources on serving patients instead of security concerns.

If you want to learn more about how we can help protect your organization from network attacks, reach out for a free consultation today.
