Healthcare Business Associate Faces Lawsuit Over March Cyberattack

Onix Group suffered a ransomware attack in March 2023 that resulted in a data breach impacting nearly 320,000 individuals.

By Jill McKeon

Pennsylvania-based Onix Group, a healthcare business associate that operates commercial real estate and provides management and consulting services, is now facing a lawsuit over a March 2023 data breach.

As previously reported, Onix Group discovered that it had been impacted by a ransomware attack on March 27 and immediately took action to secure its systems. Further investigation determined that a threat actor had been present on the network for seven days, removing files and corrupting systems in the process.

The breach impacted 319,500 individuals in total. Onix Group notified the impacted individuals on behalf of its affiliates, Addiction Recovery Systems, Cadia Healthcare, Physician's Mobile X-Ray, and Onix Hospitality Group.

The impacted files included names and Social Security numbers, as well as scheduling, billing, and clinical information regarding care at one of the previously mentioned healthcare facilities. The files also contained information that the company maintained for human resources purposes, such as names, Social Security numbers, health plan enrollment information, and direct deposit information.

A class action complaint filed in the United States District Court for the Eastern District of Pennsylvania alleged that Onix Group failed to safeguard class members’ information.

“Defendant maintained the Private Information in a reckless and negligent manner. In particular, the Private Information was maintained on Defendant’s computer system and network in a condition vulnerable to cyberattack,” the filing stated.

“Upon information and belief, the mechanism of the Data Breach and potential for improper disclosure of Plaintiff’s and Class Members’ Personal and Medical Information was a known risk to the Defendant and thus the Defendant was on notice that failing to take steps necessary to secure the Personal and Medical Information from those risks left that information in a dangerous condition.”

The plaintiffs alleged that they suffered losses in terms of out-of-pocket expenses and time used to mitigate the effects of the breach.

“This Private Information was compromised due to Defendant’s negligent and/or careless acts and omissions and the failure to protect the Private Information of Plaintiff and Class Members,” the lawsuit continued. “In addition to Defendant’s failure to prevent the Data Breach, after discovering the breach, Defendant waited several months to report it to government agencies and affected individuals.”

Despite these claims, Onix Group reported the breach to HHS on May 26, which appears to fall within the required 60-day time frame from its discovery of the breach in late March.

“As a result of this delayed response, Plaintiff and Class Members had no idea their Private Information had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm. The risk will remain for their respective lifetimes,” the lawsuit stated.

As previously reported, it is not uncommon for healthcare ransomware attacks to attract legal interest, requiring healthcare organizations and their business associates to reevaluate their privacy and security practices.