HIPAA Cases Against Doctors’ Management Services and Wright & Filippis Resolved

Doctors’ Management Services Resolves OCR HIPAA Case for $100,000

The HHS’ Office for Civil Rights (OCR) has agreed to settle, for $100,000, an investigation into a ransomware attack and data breach at Doctors’ Management Services (DMS) that uncovered several potential violations of the HIPAA Security Rule.

Doctors’ Management Services, a Massachusetts-based medical management company, provides medical billing and payor credentialing services. DMS discovered the attack on December 24, 2018, when it noticed that GandCrab ransomware had encrypted files on its systems. The forensic investigation revealed that the attackers had first gained access on April 1, 2017, nearly 21 months before the ransomware was deployed.

According to DMS, the threat actor gained access to its network through Remote Desktop Protocol (RDP) on one of its workstations and likely obtained names, addresses, birth dates, Social Security numbers, insurance information, driver’s license numbers, Medicare/Medicaid ID numbers, and diagnostic data. DMS submitted its breach report to OCR on April 22, 2019, indicating that up to 206,695 individuals were affected.

OCR investigated the breach to determine whether DMS had complied with the HIPAA Rules and identified several potential violations. Aside from the impermissible disclosure of the protected health information (PHI) of 206,695 individuals, OCR found that DMS had failed to conduct an accurate and thorough risk analysis of the physical, technical, and environmental risks and vulnerabilities to the ePHI it held.

DMS was also found to have failed to implement procedures for regularly reviewing records of information system activity, such as audit logs, access reports, and security incident tracking reports. OCR further found that DMS had not implemented the policies and procedures needed to comply with the standards, implementation specifications, and other requirements of the Security Rule.
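The two findings above, an RDP logon on a workstation that went unnoticed for well over a year and the absence of routine audit log review, are the kind of gap a short log-review script closes. The following is an added example written for this page; it is not code from the article, DMS, or OCR, and the events, field layout, and threshold in it are constructed. It assumes a simplified CSV export of Windows Security Event IDs 4624 (logon succeeded) and 4625 (logon failed), where logon type 10 (RemoteInteractive) identifies RDP, and it flags three things a reviewer would want to see: a burst of RDP failures from one source, an RDP logon from outside the assumed internal ranges, and an RDP success that follows such a burst.

```python
"""Added example (not from the article, DMS, or OCR): a minimal review of
Windows Security audit logs for RDP activity.

Assumptions: the log is a simplified CSV export of Event ID 4624 (logon
succeeded) and 4625 (logon failed); logon type 10 is RemoteInteractive,
i.e. RDP. The sample events and threshold below are constructed for the
example, not taken from the DMS incident.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed sample export. 203.0.113.0/24 is a documentation range
# standing in for an internet source; 10.0.0.0/8 is the assumed LAN.
SAMPLE_LOG = """\
timestamp,event_id,logon_type,user,source_ip
2017-03-31T22:01:11,4625,10,administrator,203.0.113.45
2017-03-31T22:01:13,4625,10,administrator,203.0.113.45
2017-03-31T22:01:15,4625,10,administrator,203.0.113.45
2017-03-31T22:01:17,4625,10,administrator,203.0.113.45
2017-03-31T22:01:19,4625,10,administrator,203.0.113.45
2017-03-31T22:01:21,4625,10,administrator,203.0.113.45
2017-04-01T00:12:40,4624,10,administrator,203.0.113.45
2017-04-01T08:05:02,4624,10,jsmith,10.0.0.23
2017-04-01T08:06:10,4624,2,jsmith,-
2017-04-01T09:30:00,4624,3,svc_backup,10.0.0.5
"""

RDP_LOGON_TYPE = "10"
FAILED_THRESHOLD = 5  # assumed: 5 RDP failures from one source = brute-force burst

# Assumed internal ranges (RFC 1918 plus loopback). ipaddress.is_private is
# deliberately not used: it also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(source_ip: str) -> bool:
    """True if the source address lies outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # '-' or empty: console logon, no network source
    return not any(addr in net for net in INTERNAL_NETS)


def review_rdp_logons(log_text: str) -> list:
    """Walk the export once and return findings worth a reviewer's attention."""
    failures = defaultdict(int)  # (user, source_ip) -> RDP failures seen so far
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        key = (row["user"], row["source_ip"])
        base = {"timestamp": row["timestamp"], "user": row["user"],
                "source_ip": row["source_ip"]}
        if row["event_id"] == "4625":
            failures[key] += 1
            if failures[key] == FAILED_THRESHOLD:  # report the burst once
                findings.append(dict(base, type="rdp_bruteforce"))
        elif row["event_id"] == "4624":
            if is_external(row["source_ip"]):
                findings.append(dict(base, type="rdp_external_source"))
            if failures[key] >= FAILED_THRESHOLD:
                findings.append(dict(base, type="rdp_success_after_failures"))
    return findings


if __name__ == "__main__":
    for f in review_rdp_logons(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['type']:<28} {f['user']}@{f['source_ip']}")
```

Against the constructed sample the script reports the failure burst, the external-source success, and the success-after-failures for the `administrator` account, and stays silent on the internal RDP session and the non-RDP logons. In practice the CSV would come from the Security event log (for example via `Get-WinEvent` or a SIEM export), the review would run on a schedule rather than once, and a workstation reachable over RDP from the internet is itself the finding to fix; the point of the log review is to cut dwell time measured in months down to days.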

DMS agreed to settle the investigation without admitting liability. Under the settlement terms, DMS will pay a $100,000 financial penalty and adopt a corrective action plan (CAP) to address the potential HIPAA violations OCR identified. The CAP requires DMS to update its risk analysis, risk management plan, HIPAA Privacy and Security Rule policies and procedures, and workforce HIPAA training. OCR also recommended cybersecurity practices that all HIPAA-regulated entities should implement to prevent and mitigate cyber threats.

$2.9 Million Class Action Data Breach Settlement Proposed by Wright & Filippis

Wright & Filippis, a Michigan-based provider of orthotics, prosthetics, and accessibility solutions, has proposed a $2.9 million settlement to resolve claims that it failed to protect the personal data of 877,584 individuals.

In January 2022, Wright & Filippis suffered a ransomware attack. Its security tooling detected the attack but did not prevent files from being encrypted. The forensic investigation revealed that the attackers had accessed parts of its network containing the PHI of more than 877,500 individuals, including names, birth dates, financial account numbers, Social Security numbers, and medical insurance information.

Wright & Filippis determined on or about May 2, 2023 that PHI had been exposed and sent notifications to the affected individuals. After the notifications went out, eight putative class action lawsuits were filed; they were later consolidated into a single case, In Re Wright & Filippis, LLC Data Security Breach Litigation, in the U.S. District Court for the Eastern District of Michigan, Southern Division.

The plaintiffs alleged that Wright & Filippis was negligent in failing to implement appropriate security measures to protect patients’ sensitive information, and that it then unreasonably delayed sending breach notifications. Wright & Filippis denied the allegations. The plaintiffs claimed to have suffered injury as a result of the alleged negligence, including theft of their data, identity theft, imminent risk of fraud, harm from the delayed notifications, lost time spent mitigating the consequences of the breach, out-of-pocket costs, and increased expenses associated with lowered credit scores, such as higher costs for insurance and borrowing.

Counsel for the defendant moved to dismiss the case, and after the plaintiffs’ response the parties agreed to mediation in pursuit of an early resolution. The proposed $2.9 million settlement will cover administrative costs, notice, fees, and service awards. Under the settlement terms, class members may file a claim for up to $5,000 to cover documented losses and credit monitoring services. Class members may also opt for a cash payment from whatever remains of the settlement fund after settlement administration costs, class benefits, attorneys’ fees and costs, and service awards are paid. Each lead plaintiff will receive a $1,500 service award.

The settlement is awaiting the court’s preliminary approval, and a date for the final fairness hearing has been requested. The plaintiffs were represented by the Miller Law Firm, Shub & Johns LLC, Migliaccio & Rathod LLP, Milberg Coleman Bryson Sommers Schwartz, PC, Lynch Carpenter LLP, Phillips Grossman PLLC, Adam Taub Assoc. Consumer Law Group, Mason LLP, Wilshire Law Firm PLC, Aronowitz Law Firm PLLC, The Johnson Firm, and Zimmerman Reed LLP.

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology and cybersecurity. Mark has contributed to leading publications and spoken at international forums, with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.