At least two proposed class action lawsuits have been filed against ARcare in the wake of a data breach that reportedly affected more than 345,000 current and former patients.
According to the two suits in Arkansas, the data breach, which occurred between January 18 and February 24, 2022, was a direct result of ARcare’s failure to take reasonable steps to safeguard patients’ sensitive information. The data exposed in the breach reportedly included patients’ names; Social Security, driver’s license or state identification numbers; dates of birth; financial account information; medical treatment, prescription, and diagnosis or condition details; and health insurance information.
The lawsuits, filed May 10 and 16, respectively, claim that those whose personal and health information was compromised in the breach now face a heightened risk of identity theft and fraud, not to mention “years of constant surveillance of their financial and personal records, monitoring, and loss of rights.”
The suits relay that ARcare, a healthcare network with over 74 facilities across Arkansas, Kentucky and Mississippi, experienced a “data security incident” on February 24, 2022 that temporarily disrupted its services. After an investigation into the incident, ARcare determined that an unauthorized actor had gained access to its computer systems from January 18 to February 24, the cases state.
According to the lawsuits, ARcare nevertheless waited months before notifying data breach victims, who began receiving letters from the company in late April 2022.
“As a result of this delayed response, Plaintiff and Class Members had no idea their [personally identifiable information] and [protected health information] had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm,” one of the complaints states. “The risk will remain for their respective lifetimes.”
The lawsuits claim that had ARcare implemented adequate cybersecurity procedures and protocols, including “basic encryption techniques freely available to Defendant,” the incident could have been prevented.
Moreover, the suits take issue with ARcare’s offer of 12 months of identity and credit monitoring services, arguing that the services are “inadequate to protect Plaintiff and Class Members from the threats they face for years to come.”
The cases look to represent U.S. residents whose personally identifiable information or protected health information was actually or potentially compromised in the data breach referenced in the notice sent by ARcare to victims in late April 2022.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Camp Lejeune residents may soon have the opportunity to claim compensation for harm suffered from contaminated water.