Description

Michigan-based Wright & Filippis, specializing in prosthetics, orthopedics, and accessibility solutions, proposed a settlement of $2.9 million in response to allegations that they inadequately safeguarded the personal data of 877,584 individuals. This information was jeopardized during a ransomware attack that occurred between January 26 and January 28. The attack was first identified by the company’s endpoint security solution, but by then, it proved too late to stop the attack. Outside security experts were quickly brought in to investigate. A report outlining the findings was compiled approximately two months later. The investigation showed that the files containing the protected health information (PHI) of patients, employees and former job applicants may have been accessed and exfiltrated from its network. The investigators also confirmed that the company’s billing system and health records were never compromised. Possibly compromised patient information included names, birth dates, patient numbers, Social Security numbers (SSN), financial account numbers and insurance information. Information related to employees and applicants also included driver’s license numbers and/or state IDs. The company issued a data breach notification on May 18.


Basis of the Case

A class action suit was filed against Wright & Filippis on December 1, 2022. The Plaintiff claims that the Defendant failed to properly secure and safeguard protected health information, as defined by the Health Insurance Information. The suit further asserts that Wright & Filippis overlooked fundamental measures to secure the health information of the affected parties from possible disclosure. In addition, the company failed to notify any of the affected parties until November 18, despite detecting the attack at its outset nine months prior. The plaintiff, a former client of Wright & Filippis, contends he must devote extra time to monitoring his credit histories, financial transactions, and health records to detect any potential fraud or identity misappropriation, given the possible exposure of his Social Security number. The legal claim emphasizes that, due to the data breach, the plaintiff and all individuals represented in the lawsuit are now more susceptible to identity theft, phishing attempts, and related cyber threats.


Settlement Details

A settlement of $2.9 million was negotiated in October 2023 to address administrative costs, notifications, fees, and service rewards. According to the settlement’s conditions, members of the class can file a claim for a maximum of $5,000 to compensate for verified losses, and they can also claim credit monitoring services. Alternatively, members have the option to opt for a cash settlement. This cash amount will be derived from the remaining funds after deducting class benefits, administration charges of the settlement, legal fees, other costs, and service rewards. The primary plaintiffs are set to receive a service bonus of $1,500.


Call to Action

Although the company’s endpoint security solution detected the attack promptly, that solution failed to stop it. This is one example of why a defense-in-depth, or multi-layer, security strategy is critical. Instead of relying solely on endpoint security, which only protects devices from direct threats, defense in depth integrates firewalls, intrusion detection systems, access controls, and user training. This comprehensive approach addresses multiple potential vulnerabilities, making it far more effective at thwarting cyberattacks than an endpoint-only solution.

Many organizations opt to implement a Security Information and Event Management (SIEM) system to aggregate and analyze the logs and events from these multiple security layers. Such layers include firewalls, intrusion detection systems, and endpoint protections. By consolidating this data, SIEM provides security personnel with a centralized view of their organization’s security posture. This allows for real-time monitoring, correlation of events across systems, and the ability to quickly detect and respond to threats. Thus, SIEM ensures that security teams are continuously informed about the activities and potential vulnerabilities across all security layers. For those organizations that lack the personnel and resources to maintain and leverage a SIEM, a third-party security operations center (SOC) can be a good option. A third-party SOC can provide external expertise, 24/7 monitoring, and specialized resources, bolstering a company’s defense against cyberattacks without the need for in-house infrastructure.
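A minimal sketch of the cross-layer correlation described above, added here as an illustration and not taken from any SIEM product or from the case record. The event fields, signal names, hostnames, 15-minute window and severity tiers are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one feed per security layer (not real logs).
EVENTS = [
    {"ts": "2024-01-10T02:14:05", "layer": "endpoint", "host": "ws-17", "signal": "mass_file_rename"},
    {"ts": "2024-01-10T02:16:40", "layer": "firewall", "host": "ws-17", "signal": "large_outbound_transfer"},
    {"ts": "2024-01-10T02:17:10", "layer": "ids", "host": "ws-17", "signal": "smb_lateral_scan"},
    {"ts": "2024-01-10T09:30:00", "layer": "endpoint", "host": "ws-03", "signal": "mass_file_rename"},
    {"ts": "2024-01-10T15:45:00", "layer": "firewall", "host": "ws-03", "signal": "large_outbound_transfer"},
]

WINDOW = timedelta(minutes=15)       # assumed correlation window
SEVERITY = {1: "low", 2: "high"}     # three or more layers -> "critical"

def correlate(events, window=WINDOW):
    """Cluster each host's events that fall within `window` of the cluster's
    first event, then rate each cluster by how many distinct layers reported."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e))

    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda pair: pair[0])
        cluster = []
        # The (None, None) sentinel flushes the final cluster for this host.
        for ts, e in items + [(None, None)]:
            if cluster and (ts is None or ts - cluster[0][0] > window):
                layers = sorted({ev["layer"] for _, ev in cluster})
                incidents.append({
                    "host": host,
                    "start": cluster[0][0],
                    "layers": layers,
                    "signals": [ev["signal"] for _, ev in cluster],
                    "severity": SEVERITY.get(len(layers), "critical"),
                })
                cluster = []
            if ts is not None:
                cluster.append((ts, e))
    return sorted(incidents, key=lambda i: i["start"])

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["start"], inc["host"], inc["severity"], inc["layers"], inc["signals"])
```

On the sample data, the three signals on `ws-17` within about three minutes merge into one critical incident, while the two `ws-03` events hours apart stay separate low-severity items.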