Forefront Dermatology Offers $3.75 Million Settlement to Solve Ransomware Lawsuit

The dermatology practice, Forefront Dermatology, based in Wisconsin has offered to resolve a class action lawsuit filed by patients who had their protected health information (PHI) exposed during a ransomware attack at the end of May 2021.

Forefront Dermatology has partner practices in Washington, D.C. and 21 states. In May 2021, the Cuba ransomware group attacked the practice and acquired access to its system and extracted files from the network prior to encrypting files. The gang then dumped a number of the stolen information on its dark web data leak site to force the practice into giving ransom payments. As per the data breach notice of Forefront Dermatology, it discovered the ransomware attack on June 4. It was confirmed by the forensic investigation that the threat actors possibly viewed and stole records that contain the PHI of about 2.4 million workers and patients. That data included names, account numbers, birth dates, medical insurance details, Social Security numbers, medical and treatment data, medical record numbers, and other sensitive records.

A class action lawsuit was submitted in the U.S. District Court for the Eastern District of Wisconsin immediately after patients were informed regarding the breach, which claimed that Forefront Dermatology had did not use enough data security practices, such as allowing the use of very simplistic passwords, and had managed patient information in a careless manner. The lawsuit stated that the ransomware attack and data breach occurred because of those security problems, and that Forefront Dermatology knew about the risk of a data breach and had the solutions to carry out suitable data security procedures yet was unable to do so.

The lawsuit complained regarding the one-month delay in sending breach notification letters, and the contradictory statements given to patients and also the Maine attorney general. The latter was advised that Social Security numbers were stolen but patients were advised that details like financial account/payment card data, Social Security numbers and driver’s license numbers were not accessed or stolen.

The lawsuit claims the plaintiffs, Lynn Anderson, Milan E. Kunzelmann, and Judith Leitermann, and likewise impacted people were exposed to an intensified and impending danger of fraud and identity theft, and that their PHI is currently in the possession of crooks. Due to the alleged neglect of Forefront Dermatology, the plaintiffs and class members should carefully keep track of their financial accounts to protect against identity theft and have and will carry on to accumulate out-of-pocket expenses for protective steps to prevent and identify identity theft.

Forefront Dermatology hasn’t confessed to any wrongdoing and takes no liability for the information breach, however, opted to take care of the lawsuit to stop additional legal charges and to prevent the uncertainty of trial. The practice offered a $3.75 million settlement to take care of all claims associated with the data breach.

According to the conditions of the settlement, class members can claim as much as $10,000 for recorded losses from identity theft, credit-associated expenses, bank fees, communication fees, and fraudulent costs, and also claim as much as five hours of lost time at $25 hourly, and may additionally subscribe for a year of complimentary credit monitoring services. Class members could opt out of getting expense compensation and credit monitoring services and will alternatively get a cash fund payment, the cost of which depends on the number of contributing class members.

Class members could object to or not include themselves from the negotiation until January 24, 2023, and can file a claim right until February 8, 2023. The final approval hearing is scheduled on March 1, 2023

About Christine Garcia 1310 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at