EHR Vendor Breach Lawsuit Seeks Security ImprovementsPatient Portal Hacking Incident Last Summer Affected Nearly 320,000
A proposed federal class action lawsuit has been filed against a vendor of practice management and electronic health records systems in the wake of a 2021 cyberattack that potentially compromised the health information of nearly 320,000 individuals.
Besides seeking damages for the plaintiff and class members affected by the breach, the lawsuit filed on Monday in a Tennessee federal court seeks a long list of security improvements to be implemented by the vendor, QRS Inc., which is based in Knoxville, Tennessee.
QRS, vendor of the Paradigm practice management and EHR systems, on Oct. 22 reported to the Department of Health and Human Services a hacking incident involving a patient portal server affecting nearly 320,000 individuals' protected health information (see: EHR Vendors' Disclosures Are the Latest Security Risk Reminders).
"Despite the prevalence of public announcements of data breach and data security compromises, [QRS] failed to take appropriate steps to protect the personally identifiable information and PHI of Plaintiff and Class Members from being compromised," the complaint says.
In its breach notification statement issued on Oct. 22, QRS says that on Aug. 26, 2021, it discovered that a "cyberattacker" had accessed one QRS dedicated patient portal server.
An investigation into the incident determined that the attacker had accessed the single server over three days, from Aug. 23 to Aug. 26, QRS says.
"During this time, the attacker accessed, and may have acquired, files on the server that contained certain individuals’ personal information. The information may have included, depending on the individual, their name, address, date of birth, Social Security number, patient identification number, portal username, and/or medical treatment or diagnosis information," QRS says in the statement, adding that the incident did not involve any other QRS systems or the systems of any of QRS’s clients.
QRS' breach notification statement does not describe the type of cyberattack involved in the incident, but the lawsuit complaint implies that the incident involved ransomware.
The lawsuit lead plaintiff, Matthew Tincher, a resident of Kentucky who received a breach notification from QRS stating his information had been affected by the incident, alleges that he believes his PII and PHI - and that of class members - was subsequently sold on the dark web following the data breach.
The complaint says that Tincher experienced "actual identity theft" shortly after the QRS breach. "It is more likely than not that his sensitive information was exfiltrated and stolen during the data breach," it says.
Prior to the breach, the complaint says, QRS appears to have failed to implement one or more "government-recommended" security measures, including updating and patching systems, configuring firewalls to block access to known malicious IP addresses, and a variety of access and other controls.
“The occurrence of the data breach indicates that the Defendant failed to adequately implement one or more of [government recommended] measures to prevent ransomware attacks, resulting in the data breach and the exposure of the PII and PHI of an undisclosed amount of current and former patients, including plaintiff and class members," the complaint says.
“As a direct and proximate result of [QRS'] data security failures and the data breach, the PII and PHI of plaintiff and class members was compromised through disclosure to an unknown and unauthorized third party, and plaintiff and class members have suffered actual, concrete and imminent injury," the complaint says.
The alleged injuries to individual breach victims in the QRS incident include invasion of privacy; out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft and fraud; the continued increased risk to their PII and PHI, which "remains unencrypted and available for unauthorized third parties to access and abuse," the complaint says.
Neither QRS nor an attorney representing Tincher immediately responded to Information Security Media Group's request for comments on the case.
Security Improvements Sought
Besides damages, the lawsuit seeks injunctive relief, including a court order requiring QRS to implement and maintain "a comprehensive information security program designed to protect the confidentiality and integrity of the PII and PHI of plaintiff and class members."
That includes a long list of demands, including requiring QRS to engage independent third-party security auditors and penetration testers, as well as internal security personnel, to conduct simulated attacks, penetration tests and audits on QRS' systems on a periodic basis and ordering QRS to "promptly correct" any problems or issues detected by third-party security auditors.
The lawsuit also asks the court to prohibit QRS from maintaining the PII and PHI of the plaintiff and class members on a "cloud-based" database.
Regulatory attorney Paul Hales of the Hales Law Group says that "defending a potentially valid class action lawsuit is a scourge to any organization," and that includes lawsuits involving data breaches.
"The key legal point that gives plaintiffs standing to sue for privacy violations in federal court is not that a defendant violated the law. Plaintiffs must also allege they suffered concrete harm due to the violation," he says.
"The sole plaintiff in this case claims to have suffered specific examples of actual identity theft resulting from the QRS data breach. We have yet to hear from other potential class members."
The U.S. Supreme Court has not addressed the question of whether every class member must demonstrate standing before a district court can certify the class, Hales says.
"Based on the complaint, it seems probable this case will proceed to discovery. As health information cyberattacks increase, the plaintiffs’ bar is increasingly savvy about tactics to represent their clients."