Communications Litigation Today was a Warren News publication.
'Disregarded' Patients' Rights

Mobile Health Services Provider 'Negligent' in Data Breach, Says Class Action

Healthcare institutions are “particularly vulnerable" to cyberattacks because of the value of the private information they collect and maintain, but defendant DocGo failed to follow cybersecurity best practices, allowing cuber thieves to gain access to current and former patients’ protected health information (PHI) and personally identifiable information (PII), alleged a negligence class action Thursday (docket 1:24-cv-03594) in U.S. District Court for Southern New York.

DocGo is a provider of mobile health, ambulance and remote monitoring services. It touts more than 7 million patient interactions.

DocGo disclosed in a May 7 SEC filing that an unauthorized third party “accessed and acquired data, including certain PHI, from a limited number” of healthcare records within its U.S.-based ambulance transportation business, exposing the private information of “thousands, perhaps millions, of individuals,” said the complaint.

The defendant “failed to even encrypt or redact” plaintiff David Manuel's or class members’ highly sensitive information, which was compromised due to its negligent and careless acts and omissions and its “utter failure to protect its patients’ sensitive data,” alleged the complaint. Hackers targeted and obtained their private information because of its value in exploiting and stealing their identities, it said.

Lake in the Hills, Illinois, resident Manuel and class members are at risk of a thief using their names or health insurance numbers “to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care,” said the complaint. “If the thief’s health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected,” said the complaint, citing an eFraudPrevention article on medical I.D. theft.

DocGo “disregarded the rights” of Manuel and class members by “intentionally, willfully, recklessly, or negligently failing to implement and maintain adequate and reasonable measures” to protect the private information they were required to provide to receive its health services, the complaint alleged. The defendant failed to follow “applicable, required, and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use,” it said. As a result, their PHI and PII were “compromised through disclosure to an unknown and unauthorized third party,” it said.

Manuel and his class members have suffered injury, including invasion of privacy, lost or diminished value of their private information, lost time and opportunity costs when dealing with the consequences of the breach, an increase in spam calls and email, plus the “continued and certainly increased risk” to their PHI and PII, said the complaint. That personal information remains “unencrypted and available for unauthorized third parties to access and abuse” and backed up in DocGo’s possession, it said, leaving Manual and class members at “a heightened risk of identity theft for years to come,” it said.

DocGo failed to comply with the FTC Act and Health Insurance Portability and Accountability Act (HIPPA) guidelines for data security practices, said the complaint. The FTC views a company’s failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information as an “unfair practice” in violation of the FTC Act, it said.

Among HIPPA’s requirements are that defendants ensure the confidentiality, integrity and availability "of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits and to protect against any reasonably anticipated threats or hazards to the security or integrity of such information,” said the complaint.

Manuel asserts claims of negligence, breach of implied contract, breach of fiduciary duty and unjust enrichment. He requests actual, consequential, punitive and nominal damages; pre-and post-judgment interest; attorneys’ fees and costs; and orders requiring DocGo to encrypt all data collected through the course of business, to delete and purge the PII of plaintiff and class members and to implement a comprehensive information security program.