Another lawsuit has been filed against Connexin Software over its August 2022 ransomware attack and data breach, which affected more than 2.2 million individuals. Connexin Software does business as Office Practicum and is a provider of electronic medical records and practice management software for pediatric practices. On August 26, 2022, Connexin discovered hackers had gained access to its systems and used ransomware to encrypt files. The forensic investigation confirmed the threat actor behind the attack exfiltrated files containing protected health information. Those files contained information such as names, parents’ and guardians’ names, addresses, email addresses, dates of birth, Social Security numbers, health insurance information, medical and/or treatment information, and billing and claims information. Connexin Software reported the data breach to the HHS’ Office for Civil Rights as affecting up to 2,216,365 individuals. 199 healthcare insurance companies and service providers are known to have been affected by the incident.
The lawsuit, Green v. Connexin Software, Inc., was filed in the U.S. District Court for the Eastern District of Pennsylvania on behalf of plaintiff Amiyah Green and similarly situated individuals. The lawsuit alleges that, as a HIPAA-regulated entity, Connexin is required to implement safeguards to ensure the privacy of protected health information and prevent unauthorized access, yet failed to implement reasonable and appropriate cybersecurity measures such as data encryption.
The lawsuit also alleges a violation of the HIPAA Breach Notification Rule, which requires notifications to be issued without unreasonable delay and no later than 60 days after the discovery of a data breach. The breach was detected on August 26, 2022, yet notifications were not sent to affected individuals until November 2022. During that time, the plaintiff and class members did not know that their sensitive information was at risk and so were unable to take action to mitigate harm. The lawsuit further alleges that the notifications omitted important information, such as the means and mechanism of the breach and the steps Connexin planned to take to prevent further incidents of this nature.
Connexin offered affected individuals a 12-month membership to an identity theft protection service; however, the lawsuit claims this is inadequate, as the plaintiff and class members will be required to pay for identity theft protection for years to come to ensure their personal and protected health information is not misused. The lawsuit claims the plaintiff and class members now face a substantial risk of being targeted in future phishing, data intrusion, and other illegal schemes, will incur out-of-pocket expenses protecting themselves against identity theft and fraud, and have or will suffer actual injury as a direct result of the data breach.
The lawsuit alleges negligence, negligence per se, and unjust enrichment, and seeks a jury trial, an award of appropriate monetary relief – including actual damages, statutory damages, punitive damages, restitution, and disgorgement – and equitable, injunctive, and declaratory relief, including the requirement for Connexin to adopt and implement data security best practices to safeguard private information and an extension of the identity theft and credit monitoring services.
The post Another Lawsuit Filed Against Connexin Software Over 2.2 Million-Record Data Breach appeared first on HIPAA Journal.