Dec 23, 2024

Forefront Dermatology to Pay Nearly $4 Million Following 2021 Data Breach

by Nadia El-Yaouti | Nov 28, 2022
A dermatologist examining a patient's hand with a medical light. Photo Source: Adobe Stock Image

Wisconsin-based healthcare operator Forefront Dermatology has agreed to a $3.75 million settlement to end a class action lawsuit over a 2021 data breach. The organization operates a number of dermatology offices across the U.S.

In 2021 a known ransomware group was able to exploit vulnerabilities within Forefront Dermatology’s network and gain unauthorized access to sensitive files. As a result, the personal information of over two million individuals was compromised. The compromised sensitive data included names, social security numbers, dates of birth, patient account numbers, medical record numbers, health insurance member ID numbers, patient addresses, and other sensitive information.

According to the data security group, DataBreaches.Net, the hacker group Cuba Ransomware was behind the attack. Files associated with Forefront Dermatology have been found on the dark web, published by Cuba Ransomware.

The group touts itself as having a site that has information about companies that do not want to cooperate with the group. “Part of the information is for sale, part is freely available. Have fun,” the group's landing page reads.

Forefront Dermatology announced that it had identified the breach on June 4th and took immediate action by taking certain parts of the network offline to secure against further intrusions. Despite being discovered on June 4th, the attack may have occurred as early as May 28th, investigators shared.

Notwithstanding Forefront Dermatology maintaining that there was no evidence that sensitive information such as social security numbers, driver's license numbers, and financial account numbers was compromised, a breach notification that was provided to the Maine attorney general indicated that such sensitive data may have been on the compromised files.

During the litigation of the class action lawsuit, plaintiffs argued that Forefront Dermatology failed to implement security safeguards that would have protected against the breach. The lawsuit also challenged giving prompt notice to impacted customers. The plaintiffs argued that under the Health Insurance Portability and Accountability Act, the organization was obligated to meet industry standards in protecting the data of employees and patients. However, the lawsuit claims that the company “failed to spend sufficient resources on data privacy risk management.”

The lawsuit explained that impacted patients and employees “were harmed in the form of the loss of the benefit of their bargain, out-of-pocket expenses, loss of privacy, and loss of the value of their time reasonably incurred to remedy or to mitigate the effects of the attack.”

As part of the settlement, Forefront Dermatology will take the necessary steps to improve its overall data security. Class members will have the ability to file a claim for two years of credit monitoring and up to $10,000 of reimbursement for document losses. Additionally, class members will also be eligible to submit claims for lost time of up to five hours at a rate of $25 an hour.

As part of the settlement, Forefront Dermatology has not agreed to any wrongdoing. Despite the settlement, files detailing sensitive information belonging to Forefront Dermatology remain on the dark web and in the possession of Cuba Ransomware. Following the settlement, Forefront Dermatology has not disclosed whether it paid a ransom after discovering the breach.

Share This Article

If you found this article insightful, consider sharing it with your network.

Nadia El-Yaouti
Nadia El-Yaouti
Nadia El-Yaouti is a postgraduate from James Madison University, where she studied English and Education. Residing in Central Virginia with her husband and two young daughters, she balances her workaholic tendencies with a passion for travel, exploring the world with her family.

Related Articles

Hands typing on a backlit keyboard, representing cybersecurity and potential data breach scenarios.
CareSource Faces Multiple Lawsuits After Cybersecurity Data Breach

A data breach that targeted an Ohio-based insurance company has prompted multiple lawsuits including a class action lawsuit filed by victims who lost sensitive personal information following the data breach. One class action suit is seeking more than $9.9 million in damages. CareSource, the administrator of one of the nation’s... Read More »

A hand wearing a black glove on a laptop keyboard, with a screen displaying the word "RANSOMWARE" in bold letters against a red background.
Morley Companies Inc. Agrees to $4.3M Class Action Settlement

Morley Companies Inc. has agreed to a $4.3 million payment to settle a class-action lawsuit following a data breach that compromised sensitive information from its clients and customers. The Michigan-based company operates by providing business process outsourcing to its contracted companies. Many industries including the health sector receive services... Read More »