20/20 Eye Care Network, Inc. and iCare Health Solutions, LLC face a proposed class action over a data breach that earlier this year reportedly compromised the personal and protected health information of nearly 3.3 million consumers.
The 30-page case alleges the breach, which reportedly occurred in January 2021 and was disclosed to patients in late May, was the result of the defendants’ failure to implement “reasonably adequate cyber-security measures” to protect consumers’ information.
“The deficiencies in Defendants [sic] cyber-security measures allowed the hackers to access patient data, which included the ability to view and edit the data,” the complaint relays.
According to the suit out of Florida federal court, the data compromised in the breach included patients’ names, dates of birth, Social Security numbers, member identification numbers and health insurance information. The case says that those affected by the breach now face a “substantial increased risk of identity theft” and fraud due to the defendants’ apparent failure to implement adequate security systems, disclose to patients that they had inadequate security to protect sensitive data, take available steps to prevent the breach and provide timely notice of the incident.
The lawsuit states that 20/20 Eye Care Network and parent company iCare Health Solutions provide eye and hearing care services and administration to millions of consumers and, in the process, collect the individuals’ personally identifiable and protected health information. Per the case, the defendants reported to the Maine Attorney General that “insider wrongdoing” had exposed to unauthorized parties the information of almost 3.3 million patients, data that was “accessed or downloaded prior to deletion,” the suit relays.
Despite discovering the breach in February, the defendants waited until late May to send notice of the incident to those affected, the complaint says.
According to the case, 20/20 and iCare failed to comply with HIPAA and industry standards for cybersecurity. As a result, the unauthorized individuals who accessed the defendants’ data were provided with “the tools to perform the most thorough identity theft,” the suit says.
“The personal data of Plaintiff and members of the Class stolen in the Data Breach constitutes a dream for hackers and a nightmare for Plaintiff and the Class,” the complaint relays. “Stolen personal data of Plaintiff and members of the Class represents essentially one-stop shopping for identity thieves.”
The plaintiff, who received medical services from the defendants and was notified by the companies that her information had been compromised in the breach, says that shortly after the incident and on several occasions in April, “unknown third parties” used her credit card to make unauthorized purchases over the internet. The woman also noticed a “significant increase” in the amount of phishing telephone calls she received after the breach occurred, the suit says. Additionally, an unknown third party arranged for the plaintiff’s mail to be diverted from her home address beginning in March, according to the case.
The plaintiff looks to require the defendants to disclose the nature of the information stolen by unauthorized parties and adopt sufficient cybersecurity measures to prevent future data breaches.
The case seeks to represent anyone in the U.S. whose personally identifiable and protected health information was compromised in the data breach announced around May 28, 2021, as well as a state-specific “subclass” of Florida residents.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Camp Lejeune residents now have the opportunity to claim compensation for harm suffered from contaminated water.