Real Estate Firm Faces 3 Lawsuits in Addiction Center BreachProposed Class Actions Allege Negligence in Securing Addiction Treatment Data
A ransomware attack in May that and compromised the sensitive information of 319,500 individuals, including addiction treatment center patient data, has so far generated three proposed federal class action lawsuits against the Pennsylvania real estate firm that owns the medical group.
The three lawsuits filed against Onix Group make similar allegations, including that the Kennett Square, Pennsylvania-based company was negligent in failing to safeguard especially sensitive personal information from unauthorized access and exfiltration by cybercriminals.
All three lawsuits were filed in the U.S. District Court for the Eastern District of Pennsylvania. Two were filed on June 15 and the third on Monday. They seek relief including monetary damages and an injunctive order compelling Onix to improve its information security practices to prevent similar incidents in the future.
Onix told federal regulators on May 26 that it had suffered a data breach affecting HIPAA-protected information of hundreds of thousands of individuals, including patients and employees (see: Real Estate Firm Hack Affects 319,500 Patients, Employees).
In addition to 10 Addiction Recovery System centers, Onix's healthcare division operates five Cadia Healthcare centers and a number of Physician's Mobile X-Ray units, which travel to various locations in several mid-Atlantic states.
In its breach notice, Onix, which also operates hotels, medical office buildings and other commercial real estate properties, said a ransomware attack discovered March 27 had "corrupted certain systems" and involved the exfiltration of a "subset of files."
Information contained in the affected files varied by individual, Onix said. For patients, it included names, Social Security numbers, birthdates and scheduling, billing and clinical information pertaining to the patients' medical care at the Onix facilities.
The affected files also contained employee information maintained for human resources purposes, including names, Social Security numbers, direct deposit information and health plan enrollment information, the breach notice says.
The plaintiff and class members affected by the Onix breach "continue to be at significant risk of identity theft and various other forms of personal, social and financial harm. The risk will remain for their respective lifetimes," alleges the lawsuit complaint filed by Ashlea Barnard, a former patient of an Onix-owned and operated Addiction Recovery System center.
Upon receiving Bernard's "highly sensitive" personal information, Addiction Recovery Services entered it into Onix's database, where it was stored and maintained, the lawsuit alleges. "Onix expressly and impliedly promised to safeguard it. However, Onix did not take proper care of plaintiff Bernard's private information, leading to its exposure as a direct result of its inadequate security measures," the lawsuit alleges.
Onix has offered "no assurance" that all compromised personal data or copies of data have been recovered or destroyed or that the company has adequately enhanced its data security practices sufficient to avoid a similar breach of its network in the future, the lawsuit alleges.
In its breach notice, Onix said it is strengthening the security of its systems and continuing to enhance its protocols to safeguard the information in its care to help prevent similar future incidents.
Onix did not immediately respond to Information Security Media Group's request for comment on the lawsuits and for additional details about the ransomware incident and the steps the company is taking to improve its data security.
While Onix appears to be primarily a real estate firm, it would not be unusual for a parent company, through subsidiaries, to engage in activities that include both healthcare and nonhealthcare operations, said regulatory attorney Brad Rostolsky of the law firm Reed Smith, which is not involved in the lawsuits.
That includes operating specialty care facilities, such as addiction treatment centers, he said. "Given the context, I would imagine that associated patient information would be highly sensitive," he said.
Rostolsky said the incident may be regulated by federal 42 CFR Part 2 regulations, which impose more stringent privacy requirements than HIPAA for the handling of records for patients receiving substance disorder treatments from federally assisted programs.
"As with all breaches, there would be the theoretical risk of identity theft, as well as medical identity theft," for individuals affected by the Onix incident, he said.