CSI Financial Services, LLC faces a proposed class action over a “massive and preventable” data breach that reportedly occurred earlier this year.
The defendant, which does business as ClearBalance Holdings, a provider of patient financing programs to hospitals and health systems nationwide, is alleged to have failed to prevent, and to timely notify patients of, an incident in which cybercriminals gained access to the personal and protected health information of 209,719 individuals whose data was stored in its systems.
Per the lawsuit, filed July 27 in California federal court, hackers conducted a successful phishing campaign whereby they infiltrated ClearBalance’s “inadequately protected email accounts” on several occasions between March 8 and April 26, 2021 and accessed patients’ unencrypted information. Data accessed without authorization includes patient names, tax IDs, Social Security numbers, dates of birth, government-issued IDs, phone numbers, healthcare account numbers, balances, dates of service, loan numbers, personal banking information, clinical information, health insurance information, and photographs, the complaint says.
The case claims ClearBalance’s “grossly negligent—indeed, reckless—failure” to have in place adequate data security has exposed patients to a heightened risk of identity theft and fraud, possibly for the rest of their lives:
“Due to Defendant’s negligence and failures, cyber criminals obtained and now possess everything they need to commit personal and medical identity theft and wreak havoc on the financial and personal lives of 209,719 individuals, for decades to come.”
ClearBalance collects myriad personal and health details from the patients of the hospitals and health systems with which it contracts, the lawsuit says. Although the company has represented that it had industry-standard security measures in place to ensure patients’ data would be protected from unauthorized access, the case alleges this was far from true in this year’s incident. Per the suit, the information accessed by hackers was “unencrypted and unprotected” within the defendant’s business email accounts, presenting a “soft target” for the perpetrators.
The filing alleges ClearBalance, despite its obligations under industry standards, common law, statutory law and its own representations to protect patients’ data, has failed to spend sufficient resources to prevent breaches of its systems, detect any unauthorized access and train employees on how to identify and defend against potential threats.
Moreover, the lawsuit claims ClearBalance, after discovering the breach, failed to provide timely notice of the incident to those affected and waited instead until July 9, 2021 to begin notifying patients.
The lawsuit looks to cover anyone in the U.S. whose personal information was compromised as a result of the ClearBalance data breach that occurred in March and April 2021. A state-specific subclass has also been proposed for North Carolina residents who meet the same criteria.