Octapharma Plasma agrees to $2.55M settlement after ransomware attack
Farah Amod
October 23, 2025
A class action lawsuit over the April 2024 data breach at Octapharma Plasma is heading toward resolution following a multi-million-dollar settlement agreement.
What happened
Octapharma Plasma, which operates more than 190 plasma donation centers across 35 US states, has agreed to a $2.55 million settlement following a ransomware attack in April 2024 that exposed sensitive personal information. On April 17, 2024, the company detected unauthorized activity on its network, which was later confirmed to be the work of the BlackSuit ransomware group.
The breach led to the theft of names, Social Security numbers, dates of birth, medical information, and donor eligibility data, as well as employee records. Operations were severely disrupted, prompting the temporary closure of donation centers. A class action lawsuit filed shortly afterward alleged that Octapharma failed to secure personal data adequately.
Going deeper
The lawsuits, eventually consolidated into Woodall v. Octapharma Plasma Inc., alleged negligence, unjust enrichment, breach of confidence, and violations of various state privacy and consumer protection laws. Octapharma has denied wrongdoing but cited the cost and uncertainty of a trial as factors behind the decision to settle.
What was said
Octapharma stated it had taken steps to strengthen its security controls and notified affected individuals in September 2024. The breach was also reported to the FBI. Power was restored to donation centers, but questions remain about the scale of the data exposure. Company representatives have not commented further on the ransomware group's demands or the specific vulnerabilities exploited.
The big picture
According to Paubox report data, ransomware “is commonly distributed through email attachments or links,” which shows how easily healthcare organizations can be compromised through routine communication channels. The Office for Civil Rights (OCR) cautions that “the failure to conduct a thorough risk analysis leaves entities exposed to future ransomware attacks.” The Octapharma incident, which disrupted operations and exposed sensitive donor and employee data, reflects what Paubox describes as an escalating trend of cyberattacks that “poses a direct and significant threat to patient safety.”
FAQs
What is the difference between preliminary and final settlement approval?
Preliminary approval allows the settlement process to begin, including notifications and claims. Final approval confirms the court's acceptance after reviewing any objections or exclusions.
Who is the BlackSuit ransomware group, and why are they relevant?
BlackSuit is a ransomware group known for targeting various sectors, including healthcare. They use double extortion tactics, stealing data before encryption, and were identified as the group behind the Octapharma breach.
