A proposed class action has been filed against Healthgrades Operating Company, Inc. (HOC) over an October 2020 data breach that reportedly compromised the private personal and medical information of thousands of its clients’ patients.
The defendant, a Denver-based health technology company that provides information to consumers about physicians, hospitals and healthcare providers, maintained “in a reckless manner” the sensitive data it received through its contractual relationships with healthcare providers, including Wake Forest Baptist Health’s Lexington Medical Center (LMC), a hospital in Lexington, North Carolina, the 42-page lawsuit alleges.
As a result of HOC’s failure to implement “adequate and reasonable cyber-security procedures and protocols,” proposed class members’ data—including their names, addresses, demographic information, contact specifics, Social Security numbers, dates of birth, medical record numbers, dates of service, patient types, physician names, physician specialties, guarantor names, insurance types, insurance providers and cost of treatment information—is “now in the hands of data thieves,” the lawsuit says.
“HOC breached its obligations to Plaintiff and Class Members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard its computer systems and data,” the complaint charges, asserting that those whose information was compromised now face a heightened risk of identity theft and fraud.
According to the suit, HOC in January 2021 notified LMC that an unauthorized individual had gained access to one of the defendant’s archived servers in a targeted data breach between October 16 and 28, 2020. Per the suit, the private patient information contained in emails was not encrypted and has likely been sold on the dark web.
The complaint alleges HOC has failed to meet Federal Trade Commission guidelines and industry standards and has violated the Health Insurance Portability and Accountability Act (HIPAA), which requires covered entities to “protect against reasonably anticipated threats to the security of sensitive patient health information.”
The lawsuit alleges that HOC, despite learning of the breach in January 2021, has yet to notify affected patients and has done “absolutely nothing” to provide relief for their supposed damages. Denying patients even the 12 months of complimentary fraud and identity monitoring services normally offered in the wake of a data breach is “utterly unacceptable as it leaves numerous victims of the breach vulnerable to all sorts of fraud and identity theft,” the case contends.
The lawsuit looks to cover anyone who utilized LMC and whose private information was maintained on HOC’s computer systems that were compromised in the data breach and who was sent notice of the breach by LMC.