There’s an update to the Netgain ransomware attack incident that was first reported in 2020 and thereafter.
CPT Group, Inc., announces a proposed class action settlement in In re Netgain Technology, LLC, Consumer Data Breach Litigation, Case No. 21-cv-1210 (SRN/LIB), United States District Court District of Minnesota.
What is this about? Plaintiffs allege that the data incident occurred between September 2020 and November 2020 when an unauthorized individual accessed Netgain Technology, LLC’s (“Netgain”) computer systems and accessed certain personal or health-related information, which Netgain stored on behalf of other businesses, including healthcare providers and accounting firms.
Who is affected? The Settlement Class consists of all individuals who reside in the United States and who potentially had their personal or health-related information disclosed to an unauthorized third party between September 2020 and November 2020 in the course of a databreach experienced by Netgain.
What does the Settlement provide? Netgain has agreed to pay $1,900,000.00 (the “Settlement Fund”) to settle the class action. Class Members who submit a valid claim may receive either: (a) payment for documented out of pocket losses of up to $5000, and/or payment of up to $75.00 for three hours of attested time spent attributable to the data breach subject to the maximum cap of $5,000 or (b) a flat cash payment equal to a pro rata share of all funds left in the Settlement Fund after the payment of notice and administration, documented loss claims, attorneys’ fees and expenses, and class representative service awards.
How do I file a claim? You must complete and submit a Claim Form, either online or via U.S. Mail by September 17, 2025. Claim Forms are available for download and online submission at www.NetgainClassActionSettlement.com.
Read more of the press release. According to the complaint, at the time the complaint was filed, the known clients of Netgain included:
(1) Ramsey County, Minnesota, (2) Woodcreek Provider Services and MultiCare Health System, (3) Sandhill Medical Foundation, (4) Apply Valley Clinic/ Alina Health, (5) Neighborhood Healthcare, (6) San Diego Family Care, and its associate, Health Center Partners of Southern California, (7) Jackson Thornton, (8) SouthCare Carolina, (9) Crystal Practice Management, (10) SAC Health Systems, (11) LifeLong Medical Care, (12) Perkins & Co; (13) Barrett Business Services; (14) Nevada Orthopedic & Spine Center; and (15) Minnesota Community Care.
An entire section of the settlement agreement addresses security improvements Netgain commits to making:
2. SECURITY COMMITMENTS.
2.1 Netgain agrees to adopt, continue, and/or implement the following data security measures for a period of no less than 3 years from the Effective Date of this Agreement:
(a) Upgrade Edge firewalls to protect the environment from external sources and limiting traffic to only allowed ports and services. Enable Geo-blocking for Azure clients. Require external access to hosted environment to go through secure gateways.
(b) Ensure the underlying network is configured in a secure, scaleable manner with dedicated subnets, VLANs and VRF’s per client. Deploy core firewall technology in a blocklist methodology blocking undesired traffic. Ensure that DNS filtering and monitoring is deployed across the hosted environment.
(c) Deploy SentinelOne or similar platform across Netgain’s entire data environment along with 24/7 monitoring service.
(d) Ensure that discrete domains and administrative accounts are across client environments. Confirm that Multi-factor Authentication (MFA) is utilized in all hosting environments and monitoring and notification for all suspicious application activity.
(e) Backup services to offer data protection in the event of system corruption with Azure Site Recovery to leverage disaster recovery. Replicate data backups to multiple sites.
2.2 For a period of three (3) years, Netgain shall provide Class Counsel with an annual report attesting to Netgain’s compliance with the injunctive relief set forth above.
Class Counsel will be permitted to share the unredacted report, on a confidential basis, with a third-party expert of Class Counsel’s choosing (subject to approval by Netgain, which will not be unreasonably withheld), at Class Counsel’s expense, to verify Netgain’s compliance with the terms in this Section 2.
2.3 In the event that Class Counsel determines that Netgain is not in compliance with its obligations in Section 2.1, it shall provide Netgain with notice of the same.
Netgain will have 60 days from the date of that notice to cure any non-compliance. In the event that Class Counsel determines that Netgain remains not in compliance for more than 60 days following notice under this Section 2, Plaintiffs or Class Counsel shall have the right to bring a motion to enforce the Settlement Agreement in the Action or in a new, separate action and the prevailing party shall be entitled
to its attorneys’ fees and costs expended in relation to the claimed non-compliance and enforcement actions.