Retina Group of Washington Breach and $3.6M Settlement
- Avraham Cohen
- Apr 27, 2025
- 7 min read
If you are in a hurry -> Recommendations for CISOs
Introduction
In March 2023, the Retina Group of Washington (RGW), an ophthalmology practice with locations in Maryland and Virginia, suffered a ransomware attack that exposed patient data.
The attackers encrypted RGW's files and stole sensitive information belonging to roughly 456,000 patients.
The compromised records included full names, addresses, dates of birth, Social Security and driver’s license numbers, medical record numbers, and health insurance details.
Affected patients quickly filed suit in federal court (consolidated under McCormick v. The Retina Group of Washington, PLLC, No. 8:24-cv-00004-LWW), alleging RGW failed to safeguard this data (Retina Group of Washington Data Breach Settlement Website).
RGW has agreed to a $3.6 million class-action settlement to resolve those claims, while denying any admission of wrongdoing.
Breach Details and Class Action
RGW discovered the breach on March 26, 2023, when employees reported access issues.
Notifications later revealed that attackers had deployed ransomware (encrypting files) and exfiltrated data from RGW’s networks.
In total, about 456,000 current and former patients were notified that their personal and health information may have been accessed.
The consolidated class action (filed in the U.S. District Court for the District of Maryland) represents all U.S. residents who received notice of the breach (Retina Group of Washington Data Breach Settlement Website).
Plaintiffs’ attorneys include Ben Barnow (Barnow & Assoc.), Tyler J. Bean (Siri & Glimstad LLP), and Gary K. Klinger (Milberg Coleman), among others.
Alleged Claims and Plaintiffs
The lawsuit accuses RGW of negligence and other legal violations.
In the Consolidated Complaint, plaintiffs (individual patients) assert causes of action including negligence, intrusion upon seclusion (a common-law privacy tort recognized in Maryland), breach of fiduciary duty, breach of implied contract, and unjust enrichment (Retina Group of Washington Data Breach Settlement Website).
They also invoke Maryland’s Consumer Protection Act and Personal Information Protection Act, arguing RGW violated state law by failing to secure patient data (Retina Group of Washington Data Breach Settlement Website).
For example, the complaint emphasizes that RGW “failed to implement adequate cybersecurity protocols and properly encrypt” patient records.
As the case notes, “Had the information been properly encrypted, the data thieves would have exfiltrated only unintelligible data”.
Plaintiffs contend that RGW – given the prevalence of healthcare cyberattacks – should have foreseen these threats and taken stronger steps to protect confidential health and identity information.
(The suit names multiple patient-plaintiffs consolidated into one case, filed January 2024 (Retina Group of Washington Data Breach Settlement Website).)
Settlement Highlights
Under the $3.6M settlement, eligible class members may receive compensation for losses.
Those with documented out-of-pocket costs (e.g. fees, travel, phone charges) can claim up to $300.
Up to four hours of time spent handling the breach can be reimbursed at $25/hour (max $100).
Victims of identity theft or fraud directly caused by the breach can claim up to $5,000 in additional losses.
Alternatively, class members may forgo those claims and instead receive a cash payment estimated at $100 (the exact amount is pro-rated according to the number of valid claims filed).
Anyone who submits a valid claim (for losses or the cash option) can also enroll in 24 months of free credit monitoring and identity-theft protection (three-bureau monitoring with $1M insurance coverage).
Claim forms must be filed by June 23, 2025. RGW has consented to fund these benefits and to implement enhanced security measures as part of the settlement ($3.6M Retina Group of Washington data breach class action settlement).
The court granted preliminary approval in February 2025, with a final fairness hearing set for June 9, 2025 ($3.6M Retina Group Settlement Ends Data Breach Lawsuit Over March 2023 Cyberattack).
Notably, RGW’s written settlement agreement requires the company to establish a formal information security policy, conduct regular cybersecurity training for staff, enforce a written password policy, and adopt other data-protection practices going forward ($3.6M Retina Group of Washington data breach class action settlement).
Security Shortcomings Identified
The RGW case illustrates key security failures that triggered legal liability.
Plaintiffs allege RGW did not encrypt patient data, so the attackers obtained intelligible sensitive files.
That the attackers were able both to encrypt RGW's files and to exfiltrate patient data points to gaps in endpoint protection, network monitoring, and egress controls.
According to the notice letter, the exposed data included almost every identifier a criminal needs to commit identity fraud.
In effect, RGW's defenses neither prevented the intrusion nor detected it before the data had left the network.
The complaint highlights that, given the industry context, RGW “should have been aware of the risk” of cyberattack and “taken appropriate action” to prevent unauthorized disclosure.
In short, the alleged technical lapses (above all the failure to encrypt patient records and to maintain adequate security protocols), together with gaps in administrative safeguards, provided the grounds for the negligence and statutory claims.
Interestingly, even though RGW “denies all charges of wrongdoing” (Retina Group of Washington Data Breach Settlement Website), the settlement obligates it to make broad security enhancements – implicitly acknowledging the need to shore up controls.
Recommendations for CISOs
Cybersecurity leaders can draw several lessons from the RGW settlement.
In addition to maintaining cyber insurance and incident response plans, CISOs should ensure robust preventive measures, such as:
Data Encryption: Encrypt all sensitive data at rest and in transit. As the complaint argues, unencrypted PHI/PII is a liability: had the stolen files been encrypted with keys the attackers could not reach, the exfiltrated records would have been unintelligible. The proposed update to the HIPAA Security Rule explicitly calls for encryption of ePHI, with limited exceptions (OCR Issues Notice of Proposed Rulemaking to Modernize the HIPAA Security Rule and Strengthen Protections for Health Information | Crowell & Moring LLP). One caveat a CISO should keep in mind: encryption helps only when the keys are out of the attacker's reach. Full-disk encryption is transparent to anyone logged into a running system, so a ransomware operator working with stolen staff credentials reads exactly what staff can read. Application- or field-level encryption with keys held in a separate key management service, and with decrypt operations logged and rate-limited, is what makes a bulk copy of the data store worthless to a thief.
Strong Access Controls and MFA: Enforce unique user IDs and multi-factor authentication (MFA) for all system access, and above all for remote access (VPN, remote desktop, webmail) and administrative accounts, which are the usual entry points for ransomware. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes and push approvals, which can be phished or worn down by prompt fatigue. CISA emphasizes that strong passwords, up-to-date software, and MFA are cyber "hygiene" basics that drastically improve safety (Cybersecurity Best Practices | Cybersecurity and Infrastructure Security Agency CISA). HIPAA OCR has signaled that MFA will be required under the Security Rule (OCR Issues Notice of Proposed Rulemaking to Modernize the HIPAA Security Rule and Strengthen Protections for Health Information | Crowell & Moring LLP). These steps stop a stolen or reused password from becoming a foothold.
Patch Management and Network Segmentation: Apply security patches promptly (e.g. critical fixes within days) and segment your network to isolate sensitive systems. The proposed OCR rule would require timely patching and network segmentation (OCR Issues Notice of Proposed Rulemaking to Modernize the HIPAA Security Rule and Strengthen Protections for Health Information | Crowell & Moring LLP). A segmented network limits attackers’ lateral movement and reduces the scope of a breach.
Malware Defenses: Deploy and maintain endpoint detection and response (EDR) tooling, or at minimum anti-malware software, on every workstation and server, and remove or disable software and services that are not needed; the proposed OCR rule includes both requirements (OCR Issues Notice of Proposed Rulemaking to Modernize the HIPAA Security Rule and Strengthen Protections for Health Information | Crowell & Moring LLP). Ransomware operators routinely gain entry through unpatched internet-facing services, exposed remote-access ports, and phished credentials; an environment with fewer such footholds is far more resilient.
Employee Training and Policies: Provide ongoing cybersecurity training (phishing prevention, data handling) and enforce clear security policies (password rules, device usage). The RGW settlement explicitly requires RGW to conduct regular training and maintain written policies ($3.6M Retina Group of Washington data breach class action settlement). Well-informed staff are a critical line of defense.
Risk Assessments and Audits: Conduct a HIPAA risk analysis at least annually and have your controls tested by an independent party. OCR expects covered entities to review security controls regularly, and the proposed rule would require a compliance audit every 12 months, penetration testing at least annually, and vulnerability scanning at least every six months. Regular audits help identify weaknesses before adversaries do.
Incident Response Planning: Maintain and periodically test an incident response plan (IRP), including restoration from offline or immutable backups, since the encryption half of a ransomware attack is only as damaging as recovery is slow. Quick detection and containment of an intrusion limit the damage. RGW discovered the attack when employees reported access issues, that is, once the ransomware had already detonated; in a double-extortion intrusion the data is usually exfiltrated before encryption starts, so detection at that stage comes too late to prevent the theft. Continuous (24x7) monitoring of endpoint and egress telemetry, with alerts on unusual outbound volumes and mass file changes, is what shortens that window.
Business Associate Management: Ensure all vendors with PHI implement adequate security (and report breaches promptly). OCR would require annual verification of vendor safeguards. A breach often stems from a partner’s lapse, so enforce strong contractual security requirements and perform due diligence.
Credit Monitoring and Remediation: While a reactive measure, proactively offering identity protection minimizes harm to victims – as the RGW settlement does. However, the goal is to avoid needing remediation by preventing breaches in the first place.
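The encryption point in the list above deserves a concrete illustration, because "encrypt the data" means different things depending on where the keys live. The following Go program is an added example written for this page; it is not code from RGW, from the settlement, or from any source cited here. It shows envelope encryption of a patient record with AES-256-GCM: each record gets its own random data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that stands in for one held by a KMS or HSM. The record contents, patient IDs and key values are constructed for illustration and are not real data. The program demonstrates the property the complaint describes: a copy of the stored records yields nothing intelligible, a guessed KEK fails authentication, and a record cannot be re-attributed to another patient because the patient ID is bound to the ciphertext as associated data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is the form in which a patient record sits at rest.
// A bulk copy of these (the "exfiltrated data") holds no plaintext PHI and
// no key that can open it: the KEK lives elsewhere (a KMS/HSM in production).
type EncryptedRecord struct {
	PatientID  string // in the clear for lookup; bound to the ciphertext as AEAD associated data
	WrappedDEK []byte // per-record data-encryption key, itself sealed under the KEK
	Ciphertext []byte // nonce || AES-256-GCM(record)
}

// seal encrypts plaintext with AES-256-GCM under key and prefixes the fresh
// random nonce so the caller stores a single blob.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal. GCM authenticates key, nonce, ciphertext and AAD
// together, so any mismatch is rejected rather than yielding garbage.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// EncryptRecord applies envelope encryption: a random DEK protects the record
// and the DEK is wrapped under the KEK. Rotating the KEK then means
// re-wrapping DEKs, not re-encrypting every record.
func EncryptRecord(kek []byte, patientID string, phi []byte) (EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedRecord{}, err
	}
	aad := []byte(patientID)
	ct, err := seal(dek, phi, aad)
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{PatientID: patientID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then opens the record. This is
// the only path to plaintext, so it is the call to log, rate-limit and
// restrict: an attacker who can invoke it has the data.
func DecryptRecord(kek []byte, rec EncryptedRecord) ([]byte, error) {
	aad := []byte(rec.PatientID)
	dek, err := open(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, aad)
}

// LeaksPlaintext asks the question the complaint raises: would a thief who
// copied this stored record get intelligible data?
func LeaksPlaintext(rec EncryptedRecord, phi []byte) bool {
	return bytes.Contains(rec.WrappedDEK, phi) || bytes.Contains(rec.Ciphertext, phi)
}

func main() {
	kek := make([]byte, 32) // stand-in for a KMS-held key; never stored beside the records
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	phi := []byte("name=Jane Doe;dob=1960-01-01;ssn=000-00-0000;insurer=ExamplePlan")
	rec, err := EncryptRecord(kek, "patient-0001", phi)
	if err != nil {
		panic(err)
	}
	fmt.Println("PHI visible in stored record:", LeaksPlaintext(rec, phi))
	_, err = DecryptRecord(make([]byte, 32), rec) // what the thief has: records, no KEK
	fmt.Println("decrypt with wrong KEK:", err)
	tampered := rec
	tampered.PatientID = "patient-0002" // re-attributing the record to another patient
	_, err = DecryptRecord(kek, tampered)
	fmt.Println("decrypt after ID swap:", err)
	pt, err := DecryptRecord(kek, rec)
	fmt.Println("authorized decrypt:", string(pt), err)
}
```

The point no policy document makes for you is in DecryptRecord: plaintext exists only on the far side of that call, so an attacker holding credentials (or a service account) that can invoke it gets the data regardless of how the disks are encrypted. Keep the KEK out of the environment the ransomware runs in, and treat unusual volumes of decrypt calls as an incident signal, not just an audit entry.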
In summary, implementing a holistic security program that aligns with HIPAA and NIST guidelines can prevent the very failures at issue in RGW’s case.
CISOs should treat these measures (encryption, MFA, patching, etc.) not just as best practices but as baseline compliance requirements.
As CISA notes, basic “cyber hygiene” measures (strong credentials, updated software, multi-factor authentication) are foundational to any defense (Cybersecurity Best Practices | Cybersecurity and Infrastructure Security Agency CISA).
The RGW settlement underscores that failure in these areas invites legal and regulatory consequences.
Conclusion
The Retina Group of Washington’s $3.6M breach settlement is a stark reminder that healthcare providers must proactively secure patient data.
Negligence in implementing basic safeguards, such as encryption, multi-factor authentication, timely patching, clear policies and training, can lead not only to HIPAA scrutiny but also to expensive class-action claims.
CISOs should leverage this case as a catalyst: ensure that privacy laws (HIPAA, state breach notification laws, consumer protection statutes) and technical standards (NIST CSF, HIPAA Security Rule) are rigorously applied.
By doing so, organizations can protect patients’ privacy, maintain trust, and significantly reduce the risk of costly litigation ($3.6M Retina Group of Washington data breach class action settlement).
References:
Retina Group of Washington Data Breach Settlement Website, Settlement FAQ, RetinaGroupDataSettlement.com (McCormick v. The Retina Group of Washington, PLLC, No. 8:24-cv-00004-LWW).
TopClassActions, "$3.6M Retina Group of Washington Data Breach Class Action Settlement," Apr. 15, 2025.
K. McCroskey, ClassAction.org Newswire, "$3.6M Retina Group Settlement Ends Data Breach Lawsuit Over March 2023 Cyberattack," Apr. 24, 2025.
S. Alder, HIPAA Journal (via HealthcareComplianceBrief), "Retina Group of Washington Agrees to $3.6 Million Settlement…," Apr. 16, 2025.
C. Garcia, CalHIPAA, "Retina Group of Washington Resolves Data Breach Lawsuit for $3.6 Million," Apr. 25, 2025.
Retina Group of Washington Data Breach Settlement Website, Long-Form Notice and FAQs, Jan. 2025.
CISA, "Cybersecurity Best Practices," Cybersecurity and Infrastructure Security Agency (Dept. of Homeland Security).
Crowell & Moring LLP, "OCR Issues Notice of Proposed Rulemaking to Modernize the HIPAA Security Rule and Strengthen Protections for Health Information" (Feb. 2024).
W.C. Gendron, ClaimDepot, "Retina Group of Washington $3.6M Data Settlement," updated Apr. 25, 2025.