Greater Cincinnati Behavioral Health Services will pay up to $850,000 to settle claims related to a December 2023 ransomware attack that compromised sensitive data, according to an Oct. 23 report from The HIPPA Journal.
The attack was identified Dec. 10, 2023, with initial network access traced to the previous day. The DragonForce ransomware group used compromised employee credentials to access 72 gigabytes of data, including protected health information for up to 50,000 individuals, according to the HHS’ Office for Civil Rights. The breach was also reported to the Maine attorney general and reportedly affected about 62,000 individuals.
GCBHS began notifying affected individuals June 12, 2024. Exposed data included names, dates of birth, Social Security numbers, driver’s license and state ID numbers, health information and health insurance details, according to the report.
Two class-action lawsuits were filed and later consolidated in Ohio’s Hamilton County Court of Common Pleas. The complaint alleged negligence, breach of fiduciary duty and other claims. GCBHS has denied any wrongdoing.
Following mediation and extended negotiations, all parties reached a settlement agreement, which has received preliminary court approval. GCBHS will fund up to $850,000 to cover legal fees, administration costs and payments to class members, who total approximately 61,850, according to the report.
