Ambry Genetics Corp. has been named in a proposed class action lawsuit filed over a data breach that reportedly affected upward of 230,000 patients.
The lawsuit alleges the genetic testing provider, which offers more than 300 genetic tests for the screening and diagnosis of diseases and medical issues, announced on April 15, 2020 that a security incident had compromised the personally identifiable and protected health information of thousands of patients. According to the case, the exposed data included patients’ names, dates of birth, health insurance and medical information, and in some cases, Social Security numbers and other sensitive data.
The case argues that the data breach was a “direct result” of Ambry’s failure to implement “adequate and reasonable” cybersecurity protocols. Due to its position in the healthcare industry and the sensitive nature of the private medical information collected from patients, Ambry was aware of its legal obligation to protect such data, the suit says. Nevertheless, the company allegedly neglected to implement even “basic security practices” despite the availability of industry standards and guidance.
“Had Defendant remedied the deficiencies in its data security systems and adopted security measures recommended by experts in the field, it would have prevented the intrusions into its systems and, ultimately, the theft of Sensitive Information,” the suit alleges.
The case further claims that although the security breach occurred between January 22 and 24, 2020 and was reported to government authorities by Ambry in March, the company waited three months before notifying affected patients. According to the case, the delay caused Ambry’s patients additional harm in that they were deprived of the opportunity to address and mitigate the effects of the breach, driving the risk of fraud “even higher.”
Finally, the case criticizes Ambry’s “ambiguous and vague offer” of identity monitoring, noting that affected patients were given no information regarding the terms, length, and benefits of the service. According to the case, the “hollow gesture” is “wholly inadequate” to compensate victims for their damages given data breaches can expose consumers to a heightened risk of identity theft and fraud for years.
The lawsuit looks to cover anyone whose sensitive information was compromised in the data breach announced by Ambry around April 15, 2020, with a proposed subclass of California residents.