Tech Company Agrees to $4M Settlement After Hackers Stole Kids’ Medical Data

Tech company Connexin has agreed to pay $4 million to end class action claims that it was responsible for a data breach that exposed millions of children’s private medical records to a hacker group in 2022.

The news comes after parents sued the company last year, alleging Connexin’s negligence allowed a group named “TommyLeaks” to target and steal the data of about three million young Americans.

Connexin provides recordkeeping services to pediatric officers around the country. The data stolen by the hackers included names, addresses, medical history, social security numbers and billing information, the settlement states, the plaintiffs alleged. Connexin filed the settlement agreement on Feb. 14 in a Pennsylvania federal court.  

How did so many children’s medical records get hacked?

Connexin provides recordkeeping services to over 9,000 pediatricians across 49 states, according to a class action lawsuit filed against the company in Jan. 2023. 

That meant that when one of the company’s servers was hit by the hacking group “TommyLeaks” in August 2022, the hackers had access to the personal data of about three million people – many of them children – the settlement says.

The company started notifying victims of the hack or their parents in December, 2022. However, parents who sued the company alleged the damage was already done. 

In the class action lawsuit filed against Connexin by Sandra Rodriguez, the Texas mom-of-two argued that her children’s private information was “now in the hands of criminals.”

Who is eligible for the settlement?

Rodriguez alleged that Connexin was negligent in its data security practices, and could have prevented the hack. Her children were patients at Northeast Pediatric Night Clinic in El Paso, she said, and both had their private data leaked.

She said her kids now face a substantial increased risk of identity theft, and that the harm is amplified when it comes to child victims. 

“Children are not even participating in the economy and by the time they grow up, join the workforce and get health insurance, their identity may belong to someone else,” she stated.

The settlement will apply to anyone whose data was compromised in the 2022 Connexin hack, the agreement states. Lawyers for the plaintiffs will seek one-third of the settlement fund. 

Hackers targeting healthcare

The cyberattack is one of a growing number of cyber threats impacting hospitals and health care centers across the United States, potentially opening up patients' private data to cybercriminals and interrupting people’s quality of medical care. 

Just two weeks ago, a cyberattack paralyzed the largest U.S. billing and payment system in the country, the New York Times reported. The attack forced the shutdown of parts of the electronic system operated by Change Healthcare, of UnitedHealth Group, leaving hundreds of providers without the ability to obtain insurance approval for health services. 

In December, a group of New York hospitals and health care centers were targeted in a cyberattack that for two months allowed hackers to access patients' private information, CBS reported.

According to the FBI, there were at least 249 ransomware attacks against health care and public health organizations in the United States in 2023.