Kentucky Counseling Center, LLC (KCC) is facing a proposed class action lawsuit over its alleged failure to protect patient information from a data breach.
Kentucky Counseling Center provides counseling, psychiatric, and case management services to children and adults at 10 locations throughout the state and retains a great deal of personal information and health records, the lawsuit says. According to the case, one of the defendant’s employees exfiltrated a list containing patients’ private information from KCC’s computers in December 2018 and uploaded it to the Internet anonymously. This list contained patients’ personally identifiable information (PII), such as names, addresses, Social Security numbers, medical insurance information and medical records, the suit says. The complaint states that the defendant discovered the breach on January 4, 2019 yet failed to alert the approximately 16,000 affected patients until February 8.
The lawsuit argues that KCC was negligent in preventing the breach because it failed to take adequate steps to secure patients’ confidential information and to alert affected parties in a timely manner. Cited in the case are recommendations from the Federal Trade Commission (FTC) on what companies can do to beef up their cybersecurity practices:
“The FTC recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.”
The case claims that the defendant failed to follow these and other FTC guidelines. About a month after patients’ data was accessed, the case claims, the defendant sent out a letter in which it informed affected patients of the breach and promised to implement additional security measures. The complaint states that these measures included:
Implementing additional technical safeguards;
Providing additional staff training on identifying unauthorized access; and
Securing a specialized cybersecurity firm to further assist in staff training on identifying unauthorized access.
All of these practices are industry standard and should have been in place before the breach, the lawsuit says. If the defendant had taken the proper security measures, the case claims, the breach could have been prevented altogether.
As a result of the defendant’s alleged negligence, the suit states, patients whose information was compromised will have to face a lifetime of problems related to the breach. From the complaint:
“As a result of Defendant’s failure to implement and follow basic security procedures, patient PII is now in the hands of thieves. Plaintiff and Class Members have had to spend, and will continue to spend, significant amounts of time and money in an effort to protect themselves from the adverse ramifications of the Data Breach and will forever be at a heightened risk of identity theft and fraud.”
Research cited in the complaint claims that solving a case of identity theft costs consumers on average $20,000. Moreover, the suit states that those affected by data breaches must monitor their accounts for years. Kentucky Counseling Center allegedly offered those affected by the breach a year of free credit monitoring, but the case claims this is insufficient to rectify the damages suffered by the proposed class.
The suit seeks to represent a class of all people in the United States whose personal information was exposed during the data breach, with a subclass for Kentucky residents.