At the beginning of November 2023, Mulkay Cardiology Consultants based in New Jersey reported a ransomware attack that resulted in unauthorized access to around 79,582 individuals’ protected health information (PHI). Breach victims took legal action against Mulkay Cardiology Consultants which ended in a settlement to conclude the litigation.
Based on forensic investigation, a threat actor acquired access to its system between September 1 and September 5, 2023, and stole files that contained patient records. The stolen information included names, Social Security numbers, addresses, birth dates, state IDs or driver’s license numbers, medical treatment data, and medical insurance data. The NoEscape ransomware group professed to have conducted the attack and began exposing the stolen information on its dark web data breach website, though the listing was eventually taken out.
The data breach prompted the filing of the lawsuit Wilkins, et al. v. Mulkay Cardiology Consultants at Holy Name Medical Center PC, et al, which was combined into one lawsuit from multiple class action lawsuits. On February 16, 2024, this lawsuit was registered in the New Jersey Superior Court of Bergen County. The lawsuit stated several claims, which include negligence for failing to use reasonable and proper safety measures to secure sensitive personal and protected health information (PHI) kept on its system, a potential HIPAA violation. Mulkay Cardiology Consultants rejected all allegations; nevertheless, it decided to resolve the lawsuit without admitting wrongdoing or liability to steer clear of the expenditures and risks related to the ongoing litigation.
As per the terms of the settlement, class members could file claims for a refund of ordinary expenditures sustained because of the data breach. Each class member can claim as much as $500 maximum, including documented communication costs, credit-related expenditures, around 3 hours of lost time valued at $25 per hour, and unreimbursed bank fees. Claims for extraordinary deficits because of identity theft and fraud can be filed for as much as $5,000 per class member. Class members may opt for a $48 cash payment and not file a claim. All class members are also entitled to get free credit monitoring services for two years. The court has given preliminary approval of the settlement, and claims should be obtained by February 22, 2024. The schedule of the final fairness hearing is on April 11, 2025.