Oregon Anesthesiology Group Suffers Cyberattack

Date15 Dec 2021

Comment0

Company’s Data Breach Potentially Impacted 750,000 Patients And 522 Current/Former Oregon Anesthesiology Group Employees

In a December 6, 2021 Notice of Data Breach, Oregon Anesthesiology Group, P.C. (“OAG”) stated that OAG “. . . experienced a cyberattack on July 11, [2021] after which [OAG was] briefly locked out of [its] servers.”

The data breach notice stated that

[o]n October 21, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files. The FBI believes HelloKitty exploited a vulnerability in [OAG’s] third-party firewall, enabling the hackers to gain entry to the network. According to the cyber forensics report obtained by OAG in late November, the cybercriminals, once inside, were able to data-mine the administrator’s credentials and access OAG’s encrypted data.

Patient information potentially involved in this incident included names, addresses, date(s) of service, diagnosis and procedure codes with descriptions, medical record numbers, insurance provider names, and insurance ID numbers. OAG does not store patients’ full medical records or their Social Security or credit card numbers, and these data were not involved. The cybercriminals also potentially accessed current and former OAG employee data, including names, addresses, Social Security numbers and other details from W-2 forms on file.

OAG also stated in its data breach notice that “[t]he data breach potentially impacted about 750,000 patients and 522 current and former OAG employees.” [All emphasis added.]

Have You Been Impacted By A Data Breach?

If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected], for a free, no-obligation evaluation of potential legal claims.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.