EHR Vendor QRS Faces Lawsuit After Cyberattack Exposed Nearly 320,000 Patients' Information

The lawsuit was filed by one of the victims of a data breach.


QRS, a healthcare technology firm that offers EHR services, is now facing a class-action lawsuit over a data breach that reportedly exposed the health and private details of 319,778 current and former patients last summer.

The lawsuit was filed on Jan. 3 in the U.S. District Court for the Eastern District of Tennessee by plaintiff Matthew Tincher, a Kentucky resident who was one of the victims of the data breach. In the complaint, he alleged that the data exfiltration could have been mitigated if QRS had adequately guarded the patients' health information in its possession. Additionally, the firm took two months to notify affected individuals of the data exposure.

In November last year, QRS reported that an unauthorized third party accessed one QRS dedicated patient portal server for three days in August and potentially obtained critical data, including Social Security numbers, patient identification numbers, portal usernames, names, addresses, birth dates, and medical treatment information. The lawsuit shows the client was Lexington Heart Specialists in Kentucky.

According to the Health Insurance Portability and Accountability Act (HIPAA) breach notification on the EHR vendor's website, QRS immediately took the server offline, notified law enforcement, and conducted an investigation.

“Upon information and belief, based on the criminal hacking activity that targeted Plaintiff’s and Class Members’ Sensitive Information, the time frame of the breach over three days, and Plaintiff Tincher’s experience of actual identity theft shortly after the breach, it is more likely than not that his Sensitive Information was exfiltrated and stolen during the Data Breach,” the lawsuit claimed. 

The suit argues that QRS should have prevented the data breach by implementing cybersecurity measures recommended by the U.S. government, including a training program for workers; strong spam filters; firewall configurations that block access to known malicious IP addresses; patches for operating systems, software, and firmware; regular automatic scans with anti-virus and anti-malware programs; and properly configured access controls. 

The healthcare firm is accused of negligence and/or recklessness, as well as violating federal and state regulations, including HIPAA. The lawsuit argues the two-month wait to inform patients placed them at a greater risk of identity theft; it should be plainly noted, however, that HIPAA requires covered entities and business associates to report breaches within 60 days of discovery, a deadline with which QRS complied.

Lastly, the lawsuit raises concerns about the health data still in QRS's possession, as it "remains unencrypted and available for unauthorized third parties to access and abuse." As long as QRS "fails to undertake appropriate and adequate measures to protect" it, the data remains at risk.

As a result, the victims are seeking injunctive relief, including a court order requiring QRS to implement and maintain "a comprehensive information security program designed to safeguard the confidentiality and integrity of the PII and PHI of plaintiff and class members."