Esse Health to Pay $2.53 Million for Data Breach Settlement
St. Louis-based healthcare provider Esse Health has agreed to a $2.53 million settlement to resolve a class-action lawsuit following a data breach that affected over 227,000 patients. The breach was caused by a phishing attack on an employee.
Event Summary
Esse Health, a prominent healthcare provider based in St. Louis, has agreed to a $2.53 million settlement to resolve a class-action lawsuit filed after a major data breach in August 2022. The incident exposed the personal and health information of approximately 227,341 patients. This agreement is not an admission of wrongdoing by the company but is seen as a step to avoid a prolonged and costly legal battle. The data leak occurred as a result of a successful phishing attack on an employee's email account, which allowed cybercriminals to gain access to sensitive patient data.
The breach was discovered on August 29, 2022. When Esse Health noticed suspicious activity in an employee's email account, it immediately launched an investigation. The forensic analysis revealed that an unauthorized third party had compromised the employee's credentials through a phishing scheme, thereby infiltrating the email account. This access enabled the attackers to reach emails and attachments within the account that contained Protected Health Information (PHI) belonging to a large number of patients. Following the incident, Esse Health was faced with the responsibility of notifying the affected individuals and managing the legal fallout. This settlement aims to provide some compensation to the victims and includes a commitment from the company to strengthen its future cybersecurity measures.
Leaked Data and Scope
The scope of the data breach is extensive and involves highly sensitive information. According to the statement from Esse Health, the data accessed by the attackers includes much more than basic demographic details. The exposed data includes:
- Personally Identifiable Information (PII): Basic identifiers such as full names and dates of birth.
- Health Insurance Information: Policy numbers and details of the insurance provider.
- Medical Record Information: Medical record numbers and patient account numbers.
- Clinical Information: Extremely private and sensitive health data, including diagnoses, treatment information, laboratory results, and prescribed medications.
- Financial Information: For a small subset of the affected patients, Social Security Numbers (SSNs) and financial account information were also among the leaked data.
The compromise of such a combination of data poses serious risks to the victims. These risks include identity theft, medical identity theft (where someone else uses your information to receive healthcare), insurance fraud, and targeted phishing attacks. The exposure of information like diagnoses and treatments could also be used for more severe crimes, such as blackmail. The company confirmed that a total of 227,341 individuals were affected by this breach.
Technical Aspect of the Attack
The cyberattack vector at the core of the Esse Health data breach was a phishing attack, a very common and effective method. Phishing is a social engineering technique where cybercriminals impersonate a legitimate institution or individual to deceive their targets. It is typically carried out via email and is designed to steal sensitive data like usernames, passwords, and credit card details, or to install malware on the victim's system.
The attack chain described here is a reconstruction from the notification letters, which do not name the mail platform or the lure that was used. In this specific incident, the attackers likely sent an email to an Esse Health employee that appeared to come from a known service provider (e.g., Microsoft 365, Google Workspace), asking the employee to reset a password, verify an account, or open an important document. Clicking the link led to a fake page that closely resembled the legitimate login page; credentials entered there went straight to the attackers, who then signed in to the mailbox as the legitimate user and could read every message and attachment it held. Two points matter for practitioners. First, a password alone does not stop this, and neither does SMS or push-based MFA when the phishing page proxies the real login in real time (adversary-in-the-middle kits relay the one-time code as well); phishing-resistant MFA such as FIDO2/WebAuthn security keys is the control that actually breaks the chain. Second, one compromised mailbox exposed 227,341 patients because PHI had accumulated in messages and attachments, so retention limits and keeping PHI out of email reduce the blast radius of the next stolen password. Security awareness training still matters, but it addresses the human factor the attack exploited rather than the account and data controls that decide how much a single stolen credential can reach.
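The lure described above works because the link's destination is not what the message implies. The following Python script is an added example for this article, not code from the original page or from Esse Health: it parses a constructed HTML message that imitates a Microsoft 365 password-reset notice and flags the links using the checks a mail gateway or an analyst would apply (brand name in a look-alike host, userinfo before `@` hiding the real host, punycode labels, plain http, and link text that shows a different domain than the href). The brand allowlist, the sample message and the substitution heuristics are assumptions for the demonstration.

```python
"""Flag credential-phishing links in an HTML e-mail body.

Added example, not code from the article or from Esse Health. The sample
message, the brand allowlist and the look-alike heuristics are constructed
assumptions for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: registrable domains that genuinely belong to each brand.
LEGIT_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
    "google": {"google.com"},
}

# Constructed lure imitating a Microsoft 365 password-reset notice.
SAMPLE_EMAIL = """
<p>Your Microsoft 365 password expires today. Reset it now to keep access.</p>
<a href="https://login.micros0ft-online.com/reset?u=12">Reset password</a>
<a href="http://portal.example.net/o365/login">https://login.microsoftonline.com</a>
<a href="https://login.microsoftonline.com/">Open the portal</a>
<a href="https://xn--micrsoft-4bb.com/">Sign in</a>
<a href="https://login.microsoftonline.com@account-verify.example/login">Verify account</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host. Simplification: production code should use
    the Public Suffix List so that names such as example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label):
    """Undo substitutions used to imitate a brand (micros0ft, rnicrosoft).
    Heuristic only; it can over-match, so treat hits as signals, not proof."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        label = label.replace(fake, real)
    return label


def analyse_link(href, text):
    """Return the reasons a single link looks like a credential-phishing link."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return reasons
    domain = registrable_domain(host)
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host (possible homoglyph domain)")
    if parsed.username is not None:
        # https://trusted.example@evil.example/ : the browser connects to evil.example
        reasons.append(f"userinfo '{parsed.username}@' hides the real host {host}")
    if parsed.scheme == "http":
        reasons.append("plain http link")
    for brand, legit in LEGIT_DOMAINS.items():
        if domain not in legit and any(brand in normalise(l) for l in host.split(".")):
            reasons.append(f"'{brand}' in host but registrable domain is {domain}")
    # Link text that displays a domain different from where the href really goes.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != domain:
        reasons.append(f"link text shows {shown.group(1)} but href goes to {domain}")
    return reasons


def analyse_email(html):
    """Return [(href, reasons)] for every link that raised at least one reason."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        reasons = analyse_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_email(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Of the five links in the constructed message, only the genuine `login.microsoftonline.com` link passes; the other four are each caught by a different check. The same logic applied to the display-text-versus-href mismatch is what users are told to do by hand ("hover before you click"), and the userinfo case shows why reading the start of a URL is not enough.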
Who Are the Affected Users
Those directly affected by this data breach are patients who have received or are currently receiving healthcare services from Esse Health. According to the company's official statement, a total of 227,341 patients were impacted. Under the class-action settlement, these individuals are considered "class members." This includes all U.S. residents who were notified by Esse Health on or around August 29, 2022, about the data breach.
Class members are entitled to claim compensation from the settlement fund under certain conditions. The agreement offers victims two different compensation options. The first option is to claim reimbursement of up to $500 for ordinary out-of-pocket expenses incurred due to the breach. These expenses might include costs for checking credit reports, placing fraud alerts, or bank fees. The second option allows for claims of up to $5,000 for extraordinary expenses resulting from documented cases of identity theft or fraud. Furthermore, all class members are eligible for two years of complimentary credit monitoring and identity theft protection services to help safeguard them against identity theft.
What Should You Do
If you believe you were affected by the Esse Health data breach or received a notification, there are several important steps you should take to protect your personal and financial security:
- Take Advantage of the Settlement: If you are a class member, be sure to activate the free credit monitoring services offered. These services will alert you to suspicious activities, such as a new account being opened in your name. Also, exercise your right to file a claim for any expenses you incurred due to the breach.
- Review Your Accounts: Regularly monitor your bank accounts, credit card statements, and Explanation of Benefits (EOB) from your health insurer. Report any unrecognized or suspicious transactions to the respective institution immediately.
- Change Your Passwords: The exposed data listed above does not include passwords, but the stolen information makes convincing account-takeover attempts easier. Change the password for any online portal related to Esse Health and for any other service where you reuse the same or a similar password, and use a strong, unique password for each account.
- Be Wary of Phishing Attempts: Cybercriminals may use your leaked information to send you highly convincing, personalized phishing emails. Avoid clicking on links or downloading attachments from unknown sources.
- Consider a Credit Freeze: For a more proactive measure, you can place a security freeze on your credit reports with the three major credit bureaus (Equifax, Experian, TransUnion). This prevents anyone from opening a new line of credit in your name without your permission.
Company's Statement
In its statements following the data breach and throughout the legal process, Esse Health has emphasized its commitment to cybersecurity. The company stated that immediately after discovering the incident, it took steps to secure the account, determine the scope of the attack, and prevent similar events from happening in the future. These steps included conducting a comprehensive investigation with the help of external cybersecurity experts and reviewing its internal security protocols.
Regarding the class-action settlement, Esse Health has specifically noted that the agreement is not an admission of guilt or negligence. The company stated that it chose this path to resolve a legal dispute and avoid the uncertainties and expenses of a lengthy court process. As part of the settlement, Esse Health has committed to further strengthening its data security practices. These commitments are expected to include enhancing cybersecurity training for employees, improving email security systems, and tightening data access controls. The company has publicly affirmed that protecting the privacy and security of patient data remains one of its highest priorities.
Source
https://www.hipaajournal.com/esse-health-data-breach-settlement/