Communications Litigation Today was a Warren News publication.
'Unfettered Access'

Data Thieves Had 8 Days to Steal PII of Over 4.4M Heathcare Patients: Class Action

Cyber thieves had eight days to exfiltrate confidential personally identifiable information (PII) of more than 4.4 million current and former patients of healthcare provider networks that use HealthEC’s technology services, said a class action Tuesday (docket 2:24-cv-00697) brought by six Tennessee plaintiffs in U.S. District Court for New Jersey in Newark.

Eight days is “an eternity for cybercriminals to have unfettered access to a covered entity’s data systems, as evidenced by the breathtaking scope of the PII that they managed to pilfer,” said the complaint. HealthEC reported to the Maine Attorney General’s Office that it didn’t discover the July data breach until “more than three months later,” Oct. 24, “which explains why HealthEC declined to tell patients when it discovered the breach,” the complaint said. HealthEC notified plaintiffs and class members on Dec. 22 that their PII had been compromised.

Compromised PII included name; address; date of birth; Social Security, taxpayer identification and medical record numbers; medical diagnoses and codes; mental/physical condition, prescription, provider and beneficiary information; Medicaid/Medicare identification; and billing and claims information, the complaint said.

Among the healthcare providers that use HealthEC services are Corewell Health, HonorHealth, the University Medical Center of Princeton Physicians’ Organization, Tennessee’s TennCare, KidneyLink, Alliance for Integrated Care of New York, Long Island Select Healthcare, Mid-Florida Hematology & Oncology Centers, Illinois Health Practice Alliance and East Georgia Healthcare Center, the complaint said.

The breach was “preventable and a direct result of HealthEC’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect patients’ PII,” the complaint said.

As a result of the breach, plaintiff Kendall Hawk, a resident of Springfield, must now monitor her credit reports for suspicious activity “but is powerless to stop identity theft in advance,” said the complaint. Hawk, a professional counselor, had a contract with the state of Tennessee as a provider at the time of the breach, it said.

Plaintiff Lisa Bryson of Pikesville, a patient of the TennCare medical network, subscribed to a paid online credit monitoring service through Google One that provides identity theft protection services following notification of the breach, said the complaint. Though she can monitor her credit reports via the service, she, too, is “powerless to stop identity theft in advance” and the service “does not indemnify her from, or insure her against, the harm caused” by the breach, it said.

Plaintiffs Trinity Whaley of Madison and Katelyn Crowe of Spring City, both TennCare patients, also must monitor their credit reports to determine whether suspicious activity has occurred and are “powerless to stop identity theft in advance,” the complaint said. Plaintiff Abbey Robinson of Carthage, suing on behalf of herself and her minor son, J.R., must monitor her and her son’s credit reports to determine whether suspicious activity has occurred, it said.

Plaintiffs will continue to have to expend time and effort to mitigate harm they have suffered due to the data breach, the complaint said. They have spent “considerable time and effort attempting to contact HealthEC and monitoring their and their children’s identity and credit reports periodically, in addition to gathering documentation,” it said.

Causes of action are negligence, negligence per se, invasion of privacy, breach of confidence, breach of contract, including breach of the covenant of good faith and fair dealing, trespass to chattels, bailment, unjust enrichment and conversion, the complaint said.

Plaintiffs seek mandatory injunctions requiring HealthEC to implement improved security procedures and to notify victims of the “full nature and extent” of the breach. They also seek awards of compensatory, restitutionary, punitive, exemplary, and statutory damages; attorneys’ fees and costs; and pre- and post-judgment interest. HealthEC didn't comment Wednesday.

U.S. Magistrate Judge Edward Kiel for New Jersey in Newark consolidated 15 data breach class actions against HealthEC, said his Monday order (see Ref:2401310049). All 15 cases seek to represent a class of individuals affected by the cybersecurity incident disclosed by HealthEC in December, “with substantially similar questions of fact and law,” said the order.