Communications Litigation Today was a service of Warren Communications News.
‘Imminent Risk of Future Harm’

Onix Won't Say Whether It Paid Ransomware Demand in Recent Breach: Class Action

Plaintiffs Donald Owens and Aida Albino Wimbush and members of their proposed class suffered “ascertainable losses” from Onix Group’s failure to secure and safeguard the private information of 319,500 patients in a recent data breach and ransomware attack, alleged their class action Thursday (docket 2:23-cv-02301) in U.S. District Court for Eastern Pennsylvania in Philadelphia. Onix’s negligence cost the plaintiffs and class members out-of-pocket expenses and lost time trying to remedy or mitigate the effects of the attack, including the “imminent risk of future harm caused by the compromise of their sensitive personal information,” it said.

As a condition of receiving medical services and rehabilitation treatment, Onix’s patients are required to share their sensitive and private information, and it’s that data that was exposed in the March 20-27 data breach, said the complaint. Criminal actors gained access to patients’ names, Social Security numbers, birthdates and unspecified “clinical information,” it said. The compromised files also contained information maintained for “human resources purposes,” including direct deposit and health plan enrollment information, it said.

Onix informed its patients of the data breach in a March 27 “notification letter” on its website, but it hasn’t publicly disclosed whether a ransomware demand “was made and/or paid,” said the complaint. Onix thus offered “no assurance” the stolen private information was “recovered or destroyed,” it said.

The data breach was a direct result of Onix’s failure to implement the “cybersecurity procedures and protocols necessary” to protect individuals’ private information from the “foreseeable threat of a cyberattack,” said the complaint. By taking possession and control of the private information for its own “pecuniary benefit,” Onix “assumed a duty” to implement and maintain reasonable and adequate security measures to secure, protect and safeguard the private information against “unauthorized access and disclosure,” it said. Onix also had a duty to adequately safeguard the private information under “industry standards and duties imposed by statutes,” including the Health Insurance Portability and Accountability Act and Section 5 of the FTC Act, it said.

The exposure of a person’s private information through a data breach “ensures that such person will be at a substantially increased and certainly impending risk of identity theft crimes compared to the rest of the population, potentially for the rest of their lives,” said the complaint. Onix data breach victims “are at imminent and substantial risk of experiencing various types of misuse” of their private information for years to come, including unauthorized access to their email accounts, tax fraud and medical identity theft, it said.

Mitigating that risk, to the extent it’s even possible to do so, “requires individuals to devote significant time and money to closely monitor their credit, financial accounts, health records, and email accounts, and take several additional prophylactic measures,” said the complaint. The plaintiffs and potential class members “seek to hold Onix responsible for the harms resulting from the massive and preventable disclosure of such sensitive and personal information,” it said.

The plaintiffs seek compensatory, treble and punitive damages, plus reimbursement of their out-of-pocket costs, said the complaint. Other “declaratory and injunctive relief” they seek includes improvements to Onix’s data security systems, plus “future annual audits” of those systems, it said. They also want Onix to pay the costs of “adequate credit monitoring services,” it said. Onix didn't comment Friday.