QRS, a healthcare technology services firm and EHR vendor in Tennessee, faces a class-action lawsuit over a cyberattack in August 2021 that led to the compromise and potential theft of the protected health information (PHI) of around 320,000 individuals.
The data breach investigation confirmed that a threat actor had access to one dedicated patient website server from August 23 to August 26, 2021, and viewed and probably acquired files containing patients' PHI. Sensitive files saved on the server contained patients' names, dates of birth, addresses, usernames, health data, and Social Security numbers. QRS began sending notification letters to affected individuals at the end of October and provided identity theft protection services to those whose Social Security numbers were exposed.
Matthew Tincher, a resident of Frankfurt, KY, filed a class-action lawsuit against QRS in the U.S. District Court for the Eastern District of Tennessee on January 3, 2022. Allegedly, QRS failed to reasonably protect, monitor, and manage the PHI and personally identifiable information (PII) kept on its patient site.
Because of those failures, the lawsuit states that Tincher and class members:
- have endured actual, concrete, and certain harm, such as present injury and damages due to identity theft and loss or reduced value of their PII and PHI
- have incurred out-of-pocket costs from seeking to remedy the compromise of their sensitive data
- have needed to spend time dealing with the consequences of the unauthorized information access
- face a continued and heightened threat to their PHI and PII, which were unencrypted and remain available for unauthorized entities to access and abuse.
The lawsuit also takes issue with the speed at which QRS sent notification letters, which were issued nearly 2 months after the breach was discovered. During those two months, the plaintiffs and class members did not know they had been put at considerable risk of identity theft, fraud, and financial, personal, and social harm.
The lawsuit claims QRS was responsible for ensuring that the PHI and PII in its patient portal were suitably secured, and that the breach of its obligations to safeguard that information amounts to negligence and/or recklessness, in violation of federal and state laws. The lawsuit states QRS entered into business associate agreements (BAAs) with its healthcare provider customers, and so knew or should have known its obligations to make sure PHI was safeguarded against cyberattacks. The lawsuit also details cybersecurity measures recommended by the Cybersecurity and Infrastructure Security Agency (CISA) that must be implemented in that regard, and says that QRS should have recognized the high risk of being attacked given the large number of healthcare data breaches reported recently.
Lawsuits are commonly filed against healthcare companies over data breaches that compromised sensitive data. Whether the cases succeed generally depends on whether the plaintiffs can prove they suffered actual harm as a direct result of the data breach. Tincher says he was notified of the breach on October 22, 2021, and within 3 days was the victim of actual identity theft, and that it is more likely than not that his sensitive information was copied from the QRS patient website at the time of the data breach.
The lawsuit states that the total damages sustained by the plaintiff and class members exceed the $5 million jurisdictional amount required by the Court. The Court has jurisdiction over the defendant because QRS operates and is located in the district. The plaintiff and class members seek unspecified damages, a jury trial, and equitable and injunctive relief.