Comprehensive Health Services Facing Class Action Over September 2020 Data Breach
by Erin Shaak
Salas v. Acuity-CHS, LLC
Filed: March 11, 2022 ◆§ 1:22-cv-00317
Comprehensive Health Services, faces a proposed class action over a September 2020 data breach that reportedly affected at least 106,752 individuals.
Acuity-CHS, LLC, who does business as Comprehensive Health Services (CHS), faces a proposed class action over a September 2020 data breach that reportedly affected at least 106,752 individuals.
The 79-page lawsuit alleges CHS—a medical management solutions provider who, among other services, offers employment-based medical exams for the U.S. Department of Homeland Security—failed to implement adequate cybersecurity measures to safeguard patients’ data. Per the case, patients’ names, dates of birth and Social Security numbers were among the information exposed in the incident.
The suit claims that as a result of CHS’s “security failures,” patients whose information was exposed now face a “slew of harms,” including fraudulent charges, unauthorized access to their email accounts, medical procedures ordered in their names without permission and targeted advertising without consent.
The lawsuit alleges CHS has violated its own privacy policies, the Health Insurance Portability and Accountability Act (HIPAA) and several California state laws by failing to safeguard its data and putting patients’ information at “serious, immediate, and ongoing risk.”
The plaintiff is a California consumer who claims to have received a “cryptically written notice letter” from the defendant in February 2022, nearly 17 months after her information was supposedly accessed without proper authorization. According to the suit, the notice disclosed that CHS had detected “unusual activity” within its digital environment on September 30, 2020 and, following an investigation, discovered that patients’ personal information “may have been impacted.”
The lawsuit says that CHS has offered no explanation for the delay in sending notice to data breach victims, a delay that the case argues has caused consumers to experience “harm they otherwise could have avoided had a timely disclosure been made.”
Moreover, CHS’s data breach notice was “not just untimely but woefully deficient,” the case alleges, in that it failed to provide “basic details” including how unauthorized parties accessed the company’s network, what information was compromised, whether the data was encrypted or protected in some way, how CHS learned of the breach, whether the breach was system-wide, whether servers storing information were accessed and how many patients were affected.
The lawsuit further claims that CHS’s offer of two years of identity theft monitoring through Equifax is “ineffective” given it requires the disclosure of patients’ personal information and does not account for the fact that there may be a delay before their stolen data is misused.
“While some harm has begun already, the worst may be yet to come,” the complaint stresses. “There may be a time lag between when harm occurs versus when it is discovered, and also between when Private Information is acquired and when it is used.”
According to the case, CHS has failed to take any other steps to assist data breach victims aside from its offer of credit monitoring and some recommendations for how to detect fraud.
“None of these recommendations, however, require Defendant to expend any effort to protect Plaintiff’s and Class members’ Private Information,” the lawsuit contends.
The case looks to cover anyone whose private information was compromised as a result of the CHS data breach discovered in September 2020 and was sent notice of the incident.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.
Read more here: Hair Relaxer Cancer Lawsuits
Stay Current
Sign Up For
Our Newsletter
New cases and investigations, settlement deadlines, and news straight to your inbox.
Before commenting, please review our comment policy.