$3.5 Million Mindpath Health Data Breach Settlement Gets First Nod
A California Superior Court judge has given preliminary approval to a settlement resolving a class action lawsuit against Community Psychiatry Management, LLC, operating as Mindpath Health, stemming from two email data breaches in 2022 that affected 193,947 individuals.
Mindpath Health is a California-based mental health service provider serving patients in seven U.S. states. In March 2022 and again in June 2022, unauthorized individuals gained access to Microsoft Office 365 business accounts that contained the protected health information of Mindpath Health patients and other individuals. The breach was discovered in June during a routine audit of its email environment, which identified suspicious account activity.
The investigation confirmed that two email accounts had been subject to unauthorized access in March and June 2022, exposing names, addresses, Social Security numbers, dates of birth, medical diagnoses, prescriptions, treatment information, and health insurance information. Notification letters were sent to the affected individuals on January 10, 2023, almost seven months after the breach was identified.
A class action lawsuit was filed in the Eastern District of California by plaintiff Corina Lowrey on January 30, 2023, followed by two further complaints from other Mindpath Health patients. The lawsuits were consolidated into a single complaint – Lowrey, et al., v. Commu
Source: https://www.hipaajournal.com/mindpath-health-data-breach-settlement/
Mindpath Health cybersecurity rating report: https://www.rankiteo.com/company/mindpath-health
"id": "MIN1764604608",
"linkid": "mindpath-health",
"type": "Breach",
"date": "6/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 193947,
'industry': 'Mental Health Services',
'location': 'California, USA (serving 7 '
'U.S. states)',
'name': 'Mindpath Health (operated by '
'Community Psychiatry Management, '
'LLC)',
'size': None,
'type': 'Healthcare Provider'}],
'attack_vector': ['Compromised Email Accounts',
'Phishing (likely, though not explicitly '
'stated)'],
'customer_advisories': ['Notification Letters (2023-01-10)'],
'data_breach': {'data_encryption': None,
'data_exfiltration': True,
'file_types_exposed': ['Emails',
'Attachments (likely)'],
'number_of_records_exposed': 193947,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PHI/PII including '
'SSNs and medical '
'records)',
'type_of_data_compromised': ['Protected Health '
'Information (PHI)',
'Personally '
'Identifiable '
'Information (PII)',
'Names',
'Addresses',
'Social Security '
'Numbers (SSNs)',
'Dates of Birth',
'Medical Diagnoses',
'Prescriptions',
'Treatment '
'Information',
'Health Insurance '
'Information']},
'date_detected': '2022-06',
'date_publicly_disclosed': '2023-01-10',
'description': 'Unauthorized individuals gained access to '
'Microsoft Office 365 business accounts of '
'Mindpath Health in March and June 2022, exposing '
'protected health information (PHI) of 193,947 '
'individuals. The breach was discovered in June '
'2022 during a routine audit, with notification '
'letters sent to affected individuals in January '
'2023. A class action lawsuit was filed, leading '
'to a preliminary $3.5 million settlement '
'approval in 2024.',
'impact': {'brand_reputation_impact': True,
'conversion_rate_impact': None,
'customer_complaints': True,
'data_compromised': True,
'downtime': None,
'financial_loss': '$3.5 million (settlement amount)',
'identity_theft_risk': True,
'legal_liabilities': ['Class Action Lawsuit (Lowrey, '
'et al. v. Community Psychiatry '
'Management, LLC)',
'Preliminary Settlement '
'Approval'],
'operational_impact': None,
'payment_information_risk': False,
'revenue_loss': None,
'systems_affected': ['Microsoft Office 365 Email '
'Accounts (2 accounts)']},
'initial_access_broker': {'backdoors_established': None,
'data_sold_on_dark_web': None,
'entry_point': ['Compromised Email '
'Accounts (Microsoft '
'Office 365)'],
'high_value_targets': ['Patient '
'PHI/PII'],
'reconnaissance_period': None},
'investigation_status': 'Completed (breach confirmed in 2022, '
'litigation ongoing as of 2024)',
'motivation': ['Financial Gain (likely, given exposed PII/PHI)',
'Data Theft'],
'post_incident_analysis': {'corrective_actions': None,
'root_causes': ['Inadequate Email '
'Security (e.g., lack '
'of MFA)',
'Delayed Detection '
'(breach occurred in '
'March/June 2022, '
'detected in June '
'2022)',
'Delayed Disclosure '
'(7 months '
'post-detection)']},
'ransomware': {'data_encryption': None,
'data_exfiltration': True,
'ransom_demanded': None,
'ransom_paid': None,
'ransomware_strain': None},
'references': [{'date_accessed': None,
'source': 'California Superior Court '
'(Preliminary Settlement Approval)',
'url': None},
{'date_accessed': None,
'source': 'Class Action Complaint (Lowrey, et '
'al. v. Community Psychiatry '
'Management, LLC)',
'url': None}],
'regulatory_compliance': {'fines_imposed': None,
'legal_actions': ['Class Action '
'Lawsuit',
'Preliminary '
'Settlement Approval '
'($3.5 million)'],
'regulations_violated': ['HIPAA '
'(likely, '
'given PHI '
'exposure)',
'California '
'Consumer '
'Privacy Act '
'(CCPA) '
'(likely)'],
'regulatory_notifications': None},
'response': {'adaptive_behavioral_waf': None,
'communication_strategy': ['Delayed Disclosure (7 '
'months post-breach)'],
'containment_measures': None,
'enhanced_monitoring': None,
'incident_response_plan_activated': True,
'law_enforcement_notified': None,
'network_segmentation': None,
'on_demand_scrubbing_services': None,
'recovery_measures': ['Notification Letters to '
'Affected Individuals '
'(2023-01-10)'],
'remediation_measures': None,
'third_party_assistance': None},
'threat_actor': 'Unauthorized Individuals (unknown affiliation)',
'title': 'Mindpath Health Email Data Breaches (2022)',
'type': ['Data Breach', 'Unauthorized Access'],
'vulnerability_exploited': ['Weak Email Security Controls',
'Lack of Multi-Factor Authentication '
'(MFA) (inferred)']}