A proposed class action lawsuit filed in New York claims that Nuvance Health and Health Quest Systems, Inc. failed to take adequate steps to prevent or respond to a 2018 data breach.
In July 2018, the case claims, the defendants learned of a “phishing” attack against their systems, in which an unauthorized third party deceived employees into disclosing their email account credentials. The complaint contends that the result of this breach was the exposure of patients’ private information, including Social Security numbers, financial account information and treatment information.
According to the case, the defendants launched an investigation into the incident and determined that nearly 29,000 patients had been affected. Although the investigation was completed in April 2019, the lawsuit contends that the defendants did not promptly disclose their findings and failed to notify affected patients of the breach until May or June 2019.
The defendants subsequently conducted a second investigation into the breach, which concluded in November 2019, and found that more patients had been affected than previously estimated and that more of their data had been compromised, according to the complaint. Once again, the defendants delayed in alerting affected patients, the lawsuit says, as the plaintiff claims she was not informed she was potentially affected by the breach until January 3, 2020.
According to the complaint, the defendants failed to implement industry standard security measures to prevent the breach and failed to monitor their security systems. Had the defendants adequately monitored their systems, the case claims, the breach could have been discovered sooner.
As a result of the defendants’ failure to prevent, detect or timely notify patients of the breach, the case claims patients have been put at risk of identity fraud and theft and face expenses related to the correction and prevention of fraudulent activity. The complaint therefore argues the defendants were negligent in their duty to safeguard patients’ sensitive medical information and violated New York’s General Business Law.
The suit looks to represent a class comprising everyone who submitted their private information to the defendants and had their information compromised as a result of the July 2018 data breach. The lawsuit requests the defendants be required to strengthen its data security systems, submit to future annual audits of its systems and monitoring procedures, and provide free credit monitoring to all class members.