Ransomware, Incident Response

Forefront Dermatology settles lawsuit from 2021 breach for $3.75 million

A sheet of $1 bills is ready for inspection at the Bureau of Engraving and Printing on March 24, 2015, in Washington. (Photo by Mark Wilson/Getty Images)
A sheet of $1 bills is ready for inspection at the Bureau of Engraving and Printing on March 24, 2015, in Washington. (Photo by Mark Wilson/Getty Images)

Forefront Dermatology reached a $3.75 million settlement with the 2.41 million patients and employees whose data was accessed and stolen by the Cuba hacking group during an IT systems hack in May and June of 2021.

Under the proposed settlement, Forefront Dermatology also agreed to adopt and maintain a host of data security measures for its 195 care sites across 22 states “for a period of no less than two years.”

The lawsuit stemmed from the provider’s June 2021 breach notice, which reported that a security incident was found and remediated on June 4. But ahead of its report, the Cuba group posted data allegedly stolen from Forefront well before the patient notifications. The dark web post claimed the group first gained access to the provider network on May 28.

Screenshots shared with SC Media at the time showed data proofs containing a host of sensitive patient information, although the breach notice said the incident only caused “unauthorized access to certain files.” The data included contact details, dates of birth, a host of identifiers, dates of service, medical data, and clinical treatment information.

The incident became the fifth largest healthcare data breach reported last year.

The reports were followed by three separate patient-led lawsuits, later consolidated into one class-action. The lawsuit shows Forefront’s data may still be freely available on the dark web, including over 130 files of back details “and all logins to health insurance portals.”

The lawsuit revealed a host of allegations centered on claims that it was Forefront’s “own negligence” that allowed “the breach to happen in the first place.” For example, Cuba dumped password files allegedly taken from the provider’s network, which listed over 100 login sets, rife with “significant reuse.”

What’s more, the lawsuit purported that “Forefront attempted to minimize the breadth and severity of the data breach” in its public statements. Namely, its report to the Maine Attorney General reduced the breach numbers to just thousands and minimized the privacy impact as “data access,” despite another state report showing personal identifiers were indeed acquired. 

Forefront has “not publicly acknowledged” that Social Security numbers may have been involved, although the dark web posting claimed to have SSNs. Those discrepancies were at the heart of the lawsuit, as patients were left unaware of “precisely what specific type of information was accessed.”

The lawsuit also argued that Forefront maintained its data in a reckless manner and was aware of the vulnerable condition of its network, which enabled the Cuba group to access both the network and sensitive information. Forefront was also accused of failing to properly monitor its systems, which would have prevented the intrusion or revealed the hack sooner.

Lastly, the lawsuit claimed Forefront failed to comply with industry standards for cybersecurity and Federal Trade Commission guidelines on implementing reasonable security practices.

The breach victims claimed they “were harmed in the form of the loss of the benefit of their bargain, out-of-pocket expenses, loss of privacy, and loss of the value of their time reasonably incurred to remedy or to mitigate the effects of the attack.” It should be noted that the three named patients did not provide evidence of specific harm brought on by the incident.

Forefront Dermatology has denied all allegations.

If approved, the proposed settlement will provide impacted individuals with up to $10,000 reimbursement for any documented expenses tied to the breach, such as identity theft, bank fees, fraudulent charges, and credit-related costs, among other claims. Victims will also receive up to an additional $25 per hour for up to five hours of lost time.

Forefront is also providing one year or credit monitoring services, including up to $1 million in identity theft insurance.

As for its security program requirements, Forefront must implement two-factor authentication across its network, “where reasonably appropriate and practicable,” contract with a third party on its information and data security business practices and for “real-time support” of those programs, and implement immutable storage to prevent tampering or deletion of any backups.

Forefront is also required to implement a single sign-on, lifecycle management, and adaptive multi-factor authentication services where available, while improving its endpoint management and security on all computers and implementing best practices for active directories, servers, and workstations “where reasonably appropriate and practicable.”

The proposal is subjected to a final hearing, which will take place on March 1, 2023.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.