Multiple lawsuits have been filed against Massachusetts-based Shields Health Care Group, which suffered one of the largest healthcare data breaches of the year, affecting almost 2 million individuals. The lawsuits have recently been consolidated into a single lawsuit – Biscan v. Shields Health Care Group Inc – that was filed in a Massachusetts federal court this week.
Shields Health Care Group provides MRI, PET/CT, radiation oncology, and surgical services to healthcare practices, around 60 of which were affected by the breach. Hackers gained access to its network and stole the protected health information of patients over a two-week period in March 2022. The stolen data included names, contact information, Social Security numbers, insurance information, billing information, and clinical information such as diagnoses and treatment information. Affected individuals were offered a 2-year membership to a credit monitoring service.
The plaintiffs allege that Shields Health Care Group failed to implement appropriate safeguards to prevent unauthorized access to highly sensitive patient data, then failed to issue timely notifications informing patients that their data was in the hands of cybercriminals, and that the notification letters did not provide adequate information to allow the affected individuals to assess and mitigate their risk.
The lawsuit alleges Shields Health Care Group was fully aware of the risk of hacking and ransomware attacks on healthcare organizations, given the multiple security alerts issued by the FBI, CISA, and HHS, yet failed to implement adequate measures to reduce that risk, in violation of its obligations under the HIPAA Security Rule.
Shields Health Care Group said a security alert was triggered on March 18, 2022, which was investigated, but no breach was detected; suspicious activity was then identified within its network on March 28, 2022. The investigation confirmed that patient data had been compromised, and notifications were issued to affected individuals on June 7, 2022, outside the reporting time frame of the HIPAA Breach Notification Rule.
The lawsuit claims that the notifications were untimely and deficient in information, failing to provide even basic information about the breach, such as whether patient data on the servers was accessed. The lawsuit also alleges the credit monitoring services offered were inadequate, given that affected individuals face many years of ongoing identity theft risk.
While many lawsuits are filed based on future risk of harm, the plaintiffs claim to have suffered financial losses as a result of the breach and have had to spend a significant amount of time monitoring their financial accounts. One plaintiff said suspicious activity was identified in his email account and he had thousands of dollars of fraudulent charges to his Bank of America account, and another plaintiff claims to have been targeted by scammers over the phone since the data breach.
The consolidated lawsuit alleges negligence, breach of contract, invasion of privacy by intrusion, and breach of fiduciary duty, and seeks class action status, damages, and injunctive relief.
The post Consolidated Class Action Lawsuit Filed Against Shields Health Care Group Sued Over 1.9 Million-Record Data Breach appeared first on HIPAA Journal.