CarePartners agrees to settle proposed cyberattack class action for up to $3.4 million, but don’t party just yet
Bernise Carolino reports that there is a settlement in a lawsuit against CarePartners in Canada. The proposed class-action lawsuit stemmed from a breach in 2018 that DataBreaches.net investigated and covered on this site.
The firms of Howie, Sacks & Henry LLP (HSH), Waddell Phillips PC and Schneider Law Firm represented the plaintiffs, Arthur Redublo and Donna Moher. On their website, HSH summarizes the settlement this way (emphasis added by DataBreaches.net):
CarePartners has agreed to pay up to $3.44 million to fully and finally settle the action, all inclusive. The Class will provide CarePartners with a full and final release in return.
The total amount paid by CarePartners will be based on the total number of people whose data was taken from CarePartners’ computer systems and then provided to the CBC by the hackers. The CBC has reported that it may have received the data of up to 80,000 individuals. If the data released to the CBC pertains to fewer than 45,000 individuals, then the settlement total will be reduced to $2.44 million.
The amount paid to each qualifying class member will depend on the total number of affected class members, and how many people make a claim. We estimate the payment will be at least $25 per person.
The CBC has not released any of the data produced by the hackers (although CBC reporters did review the data), and has kept the information in a secure, off-line location.
Based on that description, a lot seems inadequate, or more precisely missing, from the settlement. Many would consider it a Good Thing that the case didn’t just get dismissed and that class members will see some benefit. But this settlement does not require improvements in CarePartners’ security or yearly security audits by a third party, it doesn’t cover everyone who was likely impacted by the breach, and the coverage it does provide is minimal at best, in this blogger’s opinion.
To understand why this settlement is inadequate from an incident response mitigation perspective, let’s start with the chronology of the case.
Chronology of the Breach and Incident Response
The CarePartners breach was first disclosed by CarePartners in June 2018. In communications with this site, the threat actor(s) called themselves “Team Orangeworm,” but they appeared to be the same threat actors who had previously contacted this site using a different alias. FireEye refers to these threat actors as FIN10.
In July 2018, CBC News reported that the hackers had contacted them and provided data allegedly from the breach; CBC estimated that the data contained roughly 80,000 patient records. CarePartners claimed (at that time) to be unable to confirm the accuracy of CBC’s reporting.
Fast forward to February 2019: the hackers contacted DataBreaches.net again and provided links to two data dumps. One dump contained financial and employee data. The other was an encrypted archive that allegedly contained patient data where the decryption key could be purchased for 5 BTC (worth about USD 17,250 at the time). DataBreaches.net contacted CarePartners about the data dumps, but as it had done previously, CarePartners did not answer this site’s questions and did not provide any comment. Nor did they include that critical development in their February 4, 2019 update or any update thereafter.
In April 2019, DataBreaches.net reported on some of the contents of the patient files that had been dumped. CarePartners continued to decline to answer even basic questions about the incident, even after this site assisted them by providing them some data from the hackers.
Although they would not provide any answers or information about the breach to DataBreaches.net, CarePartners made requests of this site and then had their external counsel contact this site. If you haven’t read Zack Whittaker’s recent article on legal demands and press freedoms, do read it. CarePartners claimed that because the data was stolen, DataBreaches.net should provide a copy of the data to CarePartners and then delete this site’s files — even though the data were already publicly available on the internet. DataBreaches.net declined to comply and explained to them that when a firm is not transparent in disclosing a breach and does not answer any questions about it, this site’s policy is to hang on to any data so that the accuracy of this site’s reporting can be demonstrated should it ever be challenged by those trying to chill speech and journalism.
Do Patients and Employees Know Where Their Data Is?
To date, DataBreaches.net has not seen any transparent disclosure or notification from CarePartners. As noted above, the settlement only seems to provide benefit to people who had data in the records given to CBC News. What about everyone else whose data was dumped but not given to CBC News? Don’t they matter?
If CarePartners patients and employees read the amended statement of claims, they may wonder about the data given to a “well-known data breach blogger.”
51. In February 2019, the hackers notified a well-known data breach blogger that they would be posting the Breach data online because CarePartners refused to pay their ransom demands. The hackers released links to two “dumps” of the Breach data: a 2.2 GB archive containing 12,971 files of CarePartners financial data, including sensitive employee financial information; and a 7 GB archive containing tens of thousands of patient files, as well as patient database/tables listing Personal Information of tens of thousands of patients.
52. To date, CarePartners has not acknowledged publicly that Breach data was provided to the blogger. CarePartners also has not provided any additional information regarding how the Breach occurred, the scope of the Breach, the nature of the data involved in the Breach, the amount of the ransom demand, or what the hackers promised in return for the payment of the ransom.
The breach blogger is yours truly. Those claims appear true as far as they go, but they do not go far enough. DataBreaches.net is still in possession of the data provided to it by the hackers — data that goes beyond what CBC was given. The settlement doesn’t seem to address that.
It also appears that CarePartners never really disclosed that in February 2019 the hackers dumped the data on the internet for anyone and everyone to download, or that the data was later offered, in a listing that appeared in February 2020, on a popular clearnet forum where stolen and leaked data are traded or sold.
Do patients and employees know any of this? If they read DataBreaches.net, they will have seen previous coverage, but if they relied on CarePartners to inform them, they probably don’t know.
A Settlement of Convenience
Are one year of credit monitoring or identity theft restoration and $25 per eligible class member adequate when data were circulating on the internet and presumably being downloaded by those who are likely to misuse personal information?
DataBreaches.net can understand how convenient it is to hook the settlement to data that CBC has in its possession. CBC will provide the data for independent review, and CBC would comply with any court orders as the court would have jurisdiction over CBC. A Canadian court has no personal jurisdiction over this blogger, and perhaps it is convenient to forget or ignore the fact that this site has more data than what CBC was given, and the data have been dumped publicly by others.
So should patients and employees be happy with this settlement? DataBreaches.net wouldn’t be and would be pushing for at least a few years of credit monitoring and identity theft restoration services. And as an important part of the settlement, CarePartners should be required to provide a transparent disclosure about this breach that includes when it occurred, and how many unique individuals had personal or protected health information in each of the two data dumps provided by hackers. Finally, any settlement should include a commitment by CarePartners to improving their infosecurity and arranging for yearly data security audits by a third party.
If that sounds somewhat demanding, keep in mind that the data is still in criminals’ hands and might be shared or sold at any moment to those who might try to use it for identity theft or social engineering for other purposes.
Notice for Hearing and Certification
Information on the next steps and the hearing on February 9 can be found here. Read the notice so that you will know your rights and what you need to do if after reading the settlement, you have concerns or objections.
This post reflects the opinion of the blogger and is not legal advice. For that, you need a lawyer and one who knows Canadian law.