Bayhealth Medical Center Agrees to Settle 2024 Data Breach Lawsuit
Bayhealth Medical Center in Dover, Delaware, has agreed to settle a proposed class action lawsuit stemming from a 2024 ransomware attack. The attack was detected on July 31, 2024, when suspicious activity was observed within its computer network. The forensic investigation determined that the threat actor had access to its systems from July 27 to July 31, 2024, and that files were exfiltrated during the attack. The data breach was reported to the HHS’ Office for Civil Rights on October 14, 2024, as involving the electronic protected health information of 497,047 individuals. The stolen files contained patients’ names, medical information, and Social Security numbers. The Rhysida ransomware group claimed responsibility for the attack and uploaded samples of the stolen data to its dark web data leak site, including identification documents, Social Security numbers, contact information, and other sensitive patient data.
Rhysida is a ransomware-as-a-service group that has been in operation since at least 2023. The group engages in double extortion tactics, demanding payment both for the decryptor and to prevent the publication or sale of stolen data. Rhysida often states that stolen data will be auctioned to the highest bidder, leaking the data only if a buyer cannot be found. The lawsuit claims that Rhysida demanded a 25 Bitcoin ransom, which at the time was valued at approximately $1.4 million, and gave a payment deadline of August 14, 2024.
Bayhealth was quick to notify patients about the incident, adding a notice to its Facebook page on August 3, 2024. Then, on August 7, 2024, the CEO of Bayhealth confirmed publicly that the company was aware of Rhysida’s claim of data theft and the posting of certain data on the group’s data leak site. Bayhealth patient Sally Cannon Dunlop discovered in August 2024 that some of her ePHI had been published on the dark web, which she believed came from the attack on Bayhealth. Later that month, she filed a lawsuit individually and on behalf of other similarly situated individuals, alleging negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty, and seeking compensatory, exemplary, punitive, and statutory damages.
Dunlop alleges that Bayhealth failed to implement reasonable and appropriate safeguards to protect patient data, and that the ransomware attack was the latest in a string of hacking-related data breaches that resulted from Bayhealth’s failure to follow FTC guidelines and comply with the HIPAA Rules. Bayhealth denies any wrongdoing; however, last month, following mediation, it agreed to settle the litigation. The details of the settlement are being finalized, and the settlement agreement is due to receive preliminary approval in early October.