The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Class Action Lawsuits Filed Against ESO Solutions Over Data Breach

Class action lawsuits have started to be filed against ESO Solutions over its recently disclosed cyberattack and data breach that affected almost 2.7 million individuals. The data breach involved sensitive information such as names, contact information, and Social Security numbers and affected many of the company’s healthcare clients.

Two lawsuits – Claybo v. ESO Solutions Inc. and Essie Jones f/k/a Essie McVay v. ESO Solutions Inc. – were filed in the U.S. District Court for the Western District of Texas, Austin Division. Both allege that ESO Solutions failed to implement reasonable and appropriate industry-standard security measures to ensure the privacy and confidentiality of patient data. The lawsuits also allege that ESO Solutions did not properly train staff members on data security protocols, failed to detect the breach of its systems and the theft of data in a timely manner, and then failed to issue timely notifications to the affected individuals. The lawsuits further allege that these data security failures violate the Health Insurance Portability and Accountability Act (HIPAA).

As a direct result of those alleged failures, hackers gained access to the plaintiffs’ and class members’ sensitive data. The plaintiffs and class members claim they now face an imminent and ongoing risk of identity theft and fraud, have suffered other injuries as a result of the breach, and have incurred out-of-pocket expenses. The lawsuits seek a jury trial, class action certification, an award of damages, injunctive relief, and attorneys’ fees. The plaintiffs and class members are represented by Joe Kendall of Kendall Law Group PLLC, Bryan L. Bleichner and Philip J. Krzeski of Chestnut Cambronne PA, and Alexandra M. Honeycutt of Milberg Coleman Bryson Phillips Grossman LLC.

December 21, 2023: ESO Solutions Data Breach: 2.7 Million Individuals Affected

ESO Solutions, a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, has confirmed that it fell victim to a ransomware attack in September 2023 that resulted in file encryption. ESO Solutions identified suspicious activity within its network on September 28, 2023, and took immediate action to isolate its systems and prevent further unauthorized access to its network.


Third-party digital forensics experts were engaged to investigate the attack and determine the extent of the unauthorized activity. The forensics team confirmed on October 23, 2023, that the attackers had accessed parts of the network containing the personal and protected health information of 2.7 million individuals. The information compromised in the incident included names, dates of birth, injury type, injury date, treatment date, treatment type, and, in some cases, Social Security numbers. The attack was reported to the Federal Bureau of Investigation, and ESO Solutions has worked cooperatively with the FBI during its investigation. The attackers issued a ransom demand; however, ESO Solutions was able to recover the encrypted files from backups.

ESO Solutions notified its affected customers, has been in frequent contact with them to assist with their response efforts, and offered to issue notifications to its customers’ patients on their behalf. ESO Solutions started mailing notification letters on December 12, 2023. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll.

The following healthcare organizations are known to have been affected:

  • Ascension – Ascension Providence Hospital in Waco
  • Baptist Memorial Health Care System – Mississippi Baptist Medical Center
  • CaroMont Health
  • Community Health Systems – Merit Health Biloxi & Merit Health River Oaks
  • ESO EMS Agency
  • Forrest Health – Forrest General Hospital
  • HCA Healthcare – Alaska Regional Hospital
  • Memorial Hospital at Gulfport Health System – Memorial Hospital at Gulfport
  • Providence St Joseph Health (AKA Providence) – Providence Kodiak Island Medical Center & Providence Alaska Medical Center
  • Tallahassee Memorial HealthCare – Tallahassee Memorial
  • Universal Health Services (UHS) – Manatee Memorial Hospital & Desert View Hospital
  • Valley Health System – Centennial Hills Hospital, Desert Springs Hospital, Spring Valley Hospital, Summerlin Hospital, and Valley Hospital

“Given that patient safety and personal information is at risk, organizations cannot afford to put off strengthening their cybersecurity postures. On an average day, more than 55,000 physical and virtual assets are connected to organizational networks; yet an astounding 40% of these assets are left unmonitored – leaving critical, exploitable gaps. Attackers are taking advantage of these gaps; this attack proves that improper access to one machine can mean chaos for an organization,” said Mohammad Waqas, CTO, Healthcare, of the asset intelligence cybersecurity company, Armis. “This attack also highlights the importance of educating organizations that assets incorporate more than simply hardware or medical devices. Other assets that can come under attack include virtual assets, data artifacts, personal health information, user access, among others. It’s critical for healthcare organizations to not only look at cyber risk from a vulnerability perspective, but also factor in assets supporting clinical workflows or storing patient information. By having a comprehensive view of assets, organizations can prioritize compensating controls and risk reduction tactics to help contain and mitigate cyber-attacks. Being able to monitor all assets for anomalous behaviors, connection attempts, and analyze other aspects of attempted access provides the level of visibility needed to help establish preventative policies.”

The HIPAA Journal asked Waqas about the other steps that hospitals can take to improve their defenses against ransomware attacks. “Healthcare organizations of all types must prioritize cyber exposure management to mitigate all cyber asset risks, remediate vulnerabilities, block threats and protect the entire attack surface. Security and IT pros must also consider incorporating critical strategies into their cybersecurity programs, like network segmentation, to increase healthcare cybersecurity. Segmenting a network is a massive project that can span many years, however, it is the project that will accomplish the greatest risk reduction in a healthcare environment,” explained Waqas.

“What’s key for these projects is the proper planning and understanding that a segmentation project will have multiple phases – discovery and inventory, behavioral and communication mapping, policy creation, prioritization, testing, implementation and automation. One growing trend is a risk-based prioritization approach wherein instead of a traditional method of segment lists created by manufacturer or type, organizations can achieve a much faster ROI by identifying and prioritizing the segmentation of critical vulnerable devices first to achieve maximum risk reduction upfront. Cybersecurity pros at healthcare organizations should incorporate these types of solutions and methods right away to help in preventing these types of attacks from impacting their organizations directly, and for protecting them and their patients in the wake of an attack against one of their third-party suppliers.”
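The risk-based prioritization Waqas describes, in which segmentation starts with the most critical vulnerable devices rather than with lists grouped by manufacturer or device type, can be illustrated with a small script. The following is an added example, not code from the article, from ESO Solutions or from Armis. It assumes a simple asset inventory (names, vendors, scores and peer counts are all constructed for illustration) and a scoring formula of my own that combines the asset’s worst known vulnerability, its clinical criticality, whether it is monitored, and how many other hosts it communicates with (the output of the behavioral and communication mapping phase).

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Asset:
    """One row of a (constructed) asset inventory after discovery and mapping."""
    name: str
    vendor: str
    kind: str                   # device class, e.g. "infusion_pump"
    max_cvss: float             # highest known CVSS base score, 0.0-10.0
    clinical_criticality: int   # 1 (administrative) .. 5 (patient-safety critical)
    monitored: bool             # does a monitoring/EDR/NDR sensor cover it?
    peers: int                  # distinct hosts it talks to (communication mapping)


# Constructed sample inventory; every value here is illustrative, not real data.
INVENTORY = [
    Asset("pump-icu-07", "VendorA", "infusion_pump", 9.8, 5, False, 3),
    Asset("ehr-app-01", "VendorB", "app_server", 7.5, 4, True, 120),
    Asset("ws-reg-12", "VendorC", "workstation", 6.5, 2, True, 10),
    Asset("printer-lab-3", "VendorC", "printer", 8.8, 1, False, 5),
    Asset("monitor-or-02", "VendorA", "patient_monitor", 4.3, 5, False, 2),
]


def risk_score(asset: Asset) -> float:
    """Hypothetical risk score (assumption, not a standard): vulnerability exposure
    times clinical impact, scaled up when the asset is unmonitored and when it has
    a wide communication footprint (more reach for an attacker after compromise)."""
    vulnerability = asset.max_cvss / 10.0           # 0..1
    impact = asset.clinical_criticality / 5.0       # 0..1
    visibility = 1.0 if asset.monitored else 1.5    # unmonitored gaps weigh more
    reach = 1.0 + min(asset.peers, 50) / 50.0       # 1..2, capped at 50 peers
    return round(vulnerability * impact * visibility * reach, 3)


def prioritize_for_segmentation(assets):
    """Risk-based ordering: segment the highest-scoring assets first."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def group_by_vendor(assets):
    """The traditional approach the quote contrasts with: segment lists by manufacturer."""
    groups = defaultdict(list)
    for a in assets:
        groups[a.vendor].append(a.name)
    return dict(groups)


def first_wave(assets, threshold: float):
    """Names of assets whose score meets the threshold: the first segmentation phase."""
    return [a.name for a in prioritize_for_segmentation(assets)
            if risk_score(a) >= threshold]


if __name__ == "__main__":
    print("Risk-based order:")
    for a in prioritize_for_segmentation(INVENTORY):
        print(f"  {risk_score(a):6.3f}  {a.name:<14} {a.kind:<16} "
              f"monitored={a.monitored} peers={a.peers}")
    print("First wave (score >= 0.6):", first_wave(INVENTORY, 0.6))
    print("Vendor-based lists for comparison:", group_by_vendor(INVENTORY))
```

In the sample inventory the unmonitored, patient-critical infusion pump ranks first even though it talks to only three peers, and the widely connected EHR application server comes second; a vendor-based list would instead pair the pump with a low-vulnerability patient monitor and postpone the application server to a later vendor group. The weights are deliberately simple so that they can be replaced with an organization’s own criteria.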

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
