July 3, 2023
Onix Group, a real estate development firm providing management and consulting services, faces a lawsuit filed by Eric Meyers over a ransomware attack that affected 320,000 individuals.
The investigation identified malware on its network, which corrupted confidential files for at least seven days. After the incident, the Pennsylvania-based firm notified the affected individuals through its affiliates, such as Addiction Recovery Systems, Cadia Healthcare, Physician’s Mobile X-Ray, and Onix Hospitality Group. According to the lawsuit, Onix Group is legally responsible for implementing appropriate database security measures to ensure the integrity and privacy of its stored data.
Onix Group Ransomware Attack Exposes Vulnerabilities in Corporate Cyber Defenses
On March 27, the real estate development company detected a ransomware attack wherein hackers allegedly accessed its internal network. The affected files included:
- Names
- Dates of birth
- Clinical information
- Social Security numbers
- Health plan enrollments
- Employee direct deposit information
The majority of the affected individuals were patients of Onix Group’s affiliated healthcare institutions, such as Addiction Recovery Systems, Cadia Healthcare, and Physicians Mobile X-Ray.
In response, the business management service provider secured its systems and launched an investigation into the incident with the help of outside cybersecurity professionals. Following a thorough security analysis, the company found that hackers removed some confidential consumer information stored on its network.
Breach of Confidential Data: Exposing 320K Individuals’ Protected Health Information
On May 26, a “Notice of Data Security Incident” was released after the recent Onix Group ransomware attack. The data breach occurred when an unauthorized third party accessed a massive volume of patient-related data stored on the company’s network.
After detecting the cyberattack, Onix Group went offline to prevent further unauthorized access. However, the hackers still managed to access and encrypt files within its systems. According to a forensic investigation, the attackers had access for only seven days before the ransomware was deployed. During that week, they successfully pulled out files containing sensitive data.
According to the report, the stolen files vary from individual to individual. Aside from gaining unauthorized access to protected health information (PHI), the attackers also accessed several important documents used for HR purposes.
Lawsuit Filed Against Onix Group for Negligence
Following the complaint, the Eric Meyers v. Onix Group LLC lawsuit was filed in the U.S. District Court for the Eastern District of Pennsylvania on June 15, 2023. Eric Meyers sued the real estate development firm for alleged negligence, breach of contract, fiduciary duty, and unjust enrichment. As stated in the letter of complaint, the data breach at Onix Group suggests its inability to implement adequate safeguards to protect PHI.
As highlighted in the lawsuit, the company is strictly prohibited from engaging in unlawful acts and must implement robust cybersecurity measures. These include the successful implementation and maintenance of a comprehensive information security program. Onix Group should also conduct third-party security audits and penetration tests and use data encryption to protect its patients’ PHI.
Furthermore, all employees must undergo comprehensive training to test their security knowledge and awareness of the policies and procedures. Onix Group is also prohibited from storing confidential patient-related data in unsecured cloud databases. Aside from the court order banning the firm from doing wrongful acts, the lawsuit also seeks class-action status, a jury trial, damages, and injunctive relief.
Inadequate Response: Delayed Notifications and Insufficient Offer of Credit Monitoring
Aside from the data breach itself, Onix Group was slow to notify affected individuals. It took the company two months to send the breach notice. Despite providing 12 months of complimentary credit monitoring and identity theft protection services, the Pennsylvania-based firm needs to step up, given that the plaintiff and class members continue to face the risks of identity theft and financial harm.
Additional Information Regarding The Onix Group
Established in 1987, Onix Group is a real estate company headquartered in Kennett Square, Pennsylvania. The management consulting company operates eight hotels under franchise agreements such as Hilton, Marriott, IHG, Hyatt, and Choice. It also owns several healthcare-related businesses, including an addiction treatment center, a sub-acute care center, medical office space, mobile X-ray units, and more. With roughly 501-1,000 employees, the multi-faceted company produces approximately $40 million in annual revenue.
Regarding the lawsuit against Onix Group, the firm sincerely regrets the inconvenience the incident may have caused its healthcare affiliates and patients. The company also swore to prevent something like this from happening again. Its staff has already taken necessary security measures to enhance its protocols and protect confidential data from unauthorized access.
You can reach Onix Group via a toll-free call center at (866) 547-0496 for more questions.