Wisconsin-based healthcare operator Forefront Dermatology has agreed to a $3.75 million settlement to end a class action lawsuit over a 2021 data breach. The organization operates a number of dermatology offices across the U.S.

In 2021 a known ransomware group was able to exploit vulnerabilities within Forefront Dermatology’s network and gain unauthorized access to sensitive files. As a result, the personal information of over two million individuals was compromised. The compromised sensitive data included names, social security numbers, dates of birth, patient account numbers, medical record numbers, health insurance member ID numbers, patient addresses, and other sensitive information.

According to the data security group, DataBreaches.Net, the hacker group Cuba Ransomware was behind the attack. Files associated with Forefront Dermatology have been found on the dark web, published by Cuba Ransomware.

The group touts itself as having a site that has information about companies that do not want to cooperate with the group. “Part of the information is for sale, part is freely available. Have fun,” the group's landing page reads.

Forefront Dermatology announced that it had identified the breach on June 4th and took immediate action by taking certain parts of the network offline to secure against further intrusions. Despite being discovered on June 4th, the attack may have occurred as early as May 28th, investigators shared.

Notwithstanding Forefront Dermatology maintaining that there was no evidence that sensitive information such as social security numbers, driver's license numbers, and financial account numbers was compromised, a breach notification that was provided to the Maine attorney general indicated that such sensitive data may have been on the compromised files.

During the litigation of the class action lawsuit, plaintiffs argued that Forefront Dermatology failed to implement security safeguards that would have protected against the breach. The lawsuit also challenged giving prompt notice to impacted customers. The plaintiffs argued that under the Health Insurance Portability and Accountability Act, the organization was obligated to meet industry standards in protecting the data of employees and patients. However, the lawsuit claims that the company “failed to spend sufficient resources on data privacy risk management.”

The lawsuit explained that impacted patients and employees “were harmed in the form of the loss of the benefit of their bargain, out-of-pocket expenses, loss of privacy, and loss of the value of their time reasonably incurred to remedy or to mitigate the effects of the attack.”

As part of the settlement, Forefront Dermatology will take the necessary steps to improve its overall data security. Class members will have the ability to file a claim for two years of credit monitoring and up to $10,000 of reimbursement for document losses. Additionally, class members will also be eligible to submit claims for lost time of up to five hours at a rate of $25 an hour.

As part of the settlement, Forefront Dermatology has not agreed to any wrongdoing. Despite the settlement, files detailing sensitive information belonging to Forefront Dermatology remain on the dark web and in the possession of Cuba Ransomware. Following the settlement, Forefront Dermatology has not disclosed whether it paid a ransom after discovering the breach.