The failure of NEC Networks, LLC, which does business as CaptureRx, and Midtown Health Center, Inc. to properly safeguard patients’ private information is to blame for a February 2021 data breach, a proposed class action says.
Per the case, negligence on the part of Los Angeles-based Midtown Health Center and pharmacy benefits manager CaptureRx allowed patients’ full names, birth dates and prescription information to be accessed by unauthorized parties, exposing those affected by the incident to a heightened risk of identity theft and fraud.
The lawsuit argues that the defendants had a duty to protect patients’ personally identifiable information (PII) and protected health information (PHI) yet failed to take the necessary steps to prevent the breach, the risks of which should have been well-known. The consequences of the defendants’ inadequate data security are “long lasting and severe,” the suit states, stressing that fraudulent activity may not occur for six months to a year and “may continue for years.”
“Defendants knew, or should have known, the importance of safeguarding the PII and PHI entrusted to it and of the foreseeable consequences if its data security systems were breached,” the complaint contends. “This includes the significant costs that would be imposed on Defendants’ clients as a result of a breach. Defendants failed, however, to take adequate cybersecurity measures to prevent the Data Breach.”
According to the lawsuit, Midtown Health Center contracts with CapureRx to process claims related to its pharmacy business. The files shared with and stored by CaptureRx, however, contained non-redacted and non-encrypted personal and health information that revealed not only the pharmaceuticals prescribed to patients but the underlying conditions for which medications were issued, the suit relays.
The case says the defendants announced on May 5, 2021 that “a recent event” at CaptureRx on February 6 had allowed patients’ sensitive information to be accessed by third parties without proper authorization. Although the companies assured patients that they are “working to implement additional safeguards and training to  employees,” they have failed to disclose the root cause of the breach, the vulnerabilities exploited, and the measures being taken to prevent a future cybersecurity incident, the suit charges.
Instead, the defendants, the lawsuit alleges, have “shifted the burden of protecting their sensitive PII and PHI” to patients by warning them to “remain vigilant against incidents of identity theft and fraud, to review your account statements and explanation of benefits forms, and to monitor your free credit reports for suspicious activity and to detect errors.”
The case argues that the defendants could have prevented the data breach by properly securing and encrypting patients’ data or destroying data that was outdated and “no longer useful.” Per the suit, Midtown and CaptureRx have violated Federal Trade Commission regulations and the Health Insurance Portability and Accountability Act (HIPAA).
The case looks to cover anyone in the U.S. whose personally identifiable information and protected health information was stored and/or shared in CaptureRx’s electronic files and exposed to an unauthorized party as a result of the data breach announced on May 5, 2021. The lawsuit also proposes to cover a subclass of California residents who fit the same criteria.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.