Class action lawsuits had been filed against ESO Solutions because of a recently announced cyberattack and data breach that impacted just about 2.7 million people. The data breach affected sensitive data like names, contact details, and Social Security numbers and impacted many healthcare clients.
Essie Jones f/k/a Essie McVay v. ESO Solutions Inc. and Claybo v. ESO Solutions Inc. are two lawsuits filed in the U.S. District Court for the Western District of Texas Austin Division. Allegedly, ESO Solutions did not apply reasonable and proper industry-standard security procedures to ensure the privacy and confidentiality of patient information. The lawsuits additionally assert that ESO Solutions failed to train employees about data security practices correctly, did not identify its systems breach and the theft of information promptly, and then did not send immediate notifications to the impacted persons. The lawsuits likewise assert that failures in data security violate the HIPAA.
Because of those failures, cyber criminals acquired access to the sensitive information of plaintiffs and class members, who now face an impending risk of identity theft and fraud and have sustained other problems due to the breach, and have dealt with out-of-pocket expenditures. The lawsuit wants class action certification, a jury trial, injunctive relief, an award of damages, and attorney’s costs. The plaintiffs and class members have Joe Kendall of Kendall Law Group PLLC, Alexandra M. Honeycutt of Milberg Coleman Bryson Phillips Grossman LLC, and Bryan L. Bleichner and Philip J. Krzeski of Chestnut Cambronne PA, as legal representatives.
ESO Solutions Data Breach Impacts 2.7 Million People
ESO Solutions, a company offering software solutions for health systems, hospitals, EMS services, and fire departments, has reported that it suffered a ransomware attack and file encryption last September 2023. ESO Solutions discovered suspicious activity in its system on September 28, 2023, and took quick action to segregate its systems and stop unauthorized network access.
Third-party digital forensics specialists investigated the ransomware attack to know the scope of the incident. The forensics specialists stated on October 23, 2023 that the hackers got access to areas of its system that contain the personal data and protected health information (PHI) of 2.7 million people. The data exposed in the attack included names, birth dates, date and type of injury, date and type of treatment, and Social Security numbers for some individuals. The cyberattack report was submitted to the FBI and ESO Solutions is currently working with the FBI’s investigation. The attackers asked for a ransom payment, but ESO Systems opted to retrieve the encrypted files using backups.
ESO Systems informed its impacted clients and extended help to them regarding their response efforts and suggested that it would send notifications to its customers’ patients. ESO Systems began sending notification letters on December 12, 2023. Impacted people were provided free credit monitoring and identity theft protection services via Kroll.
The affected healthcare organizations are listed below:
- Ascension – Ascension Providence Hospital in Waco
- Baptist Memorial Health Care System – Mississippi Baptist Medical Center
- Community Health Systems – Merit Health River Oaks and Merit Health Biloxi
- CaroMont Health
- Forrest Health – Forrest General Hospital
- ESO EMS Agency
- HCA Healthcare – Alaska Regional Hospital
- Memorial Hospital at Gulfport Health System – Memorial Hospital at Gulfport
- Providence St Joseph Health (AKA Providence) – Providence Alaska Medical Center and Providence Kodiak Island Medical Center
- Tallahassee Memorial HealthCare – Tallahassee Memorial
- Universal Health Services (UHS) – Desert View Hospital and Manatee Memorial Hospital
- Valley Health System – Desert Springs Hospital, Centennial Hills Hospital, Spring Valley Hospital, Valley Hospital, and Summerlin Hospital
Considering that patient safety and personal data are in danger, companies cannot afford to defer improving their cybersecurity postures. On a typical day, over 55,000 physical and virtual resources are linked to company networks; however, an astonishing 40% of these resources are not monitored, leaving important, exploitable gaps. Hackers are exploiting these gaps proving that incorrect use of one machine could mean turmoil for a company. This attack likewise shows the value of teaching companies that resources include more than just hardware or healthcare devices. Other assets that may be attacked include data artifacts, virtual assets, personal medical data, user access, etc. It’s important for healthcare companies to not just consider cyber risk from a vulnerability viewpoint. Assets aiding clinical workflows or keeping patient data should be considered. By having an extensive view of resources, companies could choose controls and risk reduction strategies to help manage and mitigate attacks. Monitoring all assets for anomalous actions, and interconnection attempts, and evaluating other facets of attempted access gives the degree of visibility required to set up preventative guidelines.
Hospitals can consider more steps to enhance their protection against ransomware attacks. Prioritize management of cyber exposure to mitigate all cyber asset threats, remediate vulnerabilities, prevent threats, and secure the whole attack surface. Security and IT professionals should consider integrating important strategies into their cybersecurity plans, such as network segmentation, to boost healthcare cybersecurity. Network segmentation is a big project that could cover several years, nevertheless, it is the project that will have the most risk reduction in a healthcare system.
These projects must have proper planning and knowledge that a segmentation project is going to have the following phases: discovery and inventory, behavioral and communication mapping, policy creation, prioritization, testing, implementation, and automation. One trend today is a risk-centered prioritization strategy wherein rather than using the traditional technique of segmenting lists by manufacturer or type, companies can attain a lot quicker ROI by determining and prioritizing the separation of important vulnerable devices first to accomplish maximum risk reduction straight up. Cybersecurity professionals at healthcare companies must include these kinds of solutions and strategies quickly to help in stopping these types of attacks from affecting their companies directly, and for safeguarding them and their patients after an attack against a third-party supplier.