Behavioral Health Group Facing Class Action Over December 2021 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Behavioral Health Group has been hit with a proposed class action over a December 2021 data breach during which the personally identifiable and protected health information of nearly 200,000 individuals was reportedly compromised.

Per the 27-page case, BHG Holdings and subsidiary BHG XXXIV have failed to implement adequate cybersecurity protocols to protect the sensitive data with which they were entrusted by employees and patients. The lawsuit argues that the information compromised in the December 5 data breach is “especially sensitive” given Behavioral Health Group is in the business of providing rehabilitation and other services to individuals dealing with substance abuse.

According to the suit, the data exposed in the incident included roughly 197,507 consumers’ full names; Social Security, driver’s license or state identification numbers; financial account and payment card information; passport, biometrics, health insurance or medical information, such as medical diagnosis, treatment and medication details; and medical record numbers.

The case says that data breach victims “must now live with the knowledge” that their personal and health information “is forever in cyberspace” and may be used “for any number of improper purposes and scams.”

Even though Behavioral Health Group learned as early as last December that unauthorized actors had gained access to its system, the defendants waited more than seven months, until late July 2022, to publicly acknowledge the breach and send notice to those who were affected.

The lawsuit argues that Behavioral Health Group “knew, or should have known,” that the information it stored on its system was “a target for malicious actors,” especially in light of a recent spike in data breaches across a number of industries. The healthcare provider nevertheless failed to implement cybersecurity protocols in line with industry standards and thereby allowed unauthorized actors to breach its system, according to the suit.

“Given the nature of BHG’s business, the sensitivity and value of the [personally identifiable information/protected health information] it maintains, and the resources at its disposal, BHG should have identified the vulnerabilities to their systems and prevented the Data Breach from occurring,” the complaint contends.

The lawsuit looks to represent anyone whose personally identifiable or protected health information was disclosed to unauthorized persons in the Behavioral Health Group data breach, including those who were sent notice of the breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.