Med-Data, Inc. faces a proposed class action over a data breach that reportedly compromised the sensitive personal information of its clients’ patients.
According to the 15-page complaint, Med-Data failed to adequately protect the personal information with which it was entrusted and then, despite its duty to protect proposed class members from “reasonably foreseeable harm,” failed to timely notify affected patients of the breach. The lawsuit argues that those whose information was compromised in the incident, which supposedly occurred over a span of 10 months, now face a heightened risk of identity theft and fraud.
The lawsuit says an independent journalist informed Med-Data, which provides revenue cycle services to healthcare providers, in December 2020 that some of its data had been uploaded to a public-facing website. A subsequent investigation revealed that a Med-Data employee, while working for the company, had saved business files on the site between December 2018 and September 2019, according to the suit. Med-Data claims to have removed the files from the website on December 17, 2020, the lawsuit says.
According to the case, the information compromised in the breach includes patients’ names, physical addresses, dates of birth, health conditions, diagnoses, claims information, dates of service and subscriber identification, which may include Social Security numbers.
The plaintiff, a Montana resident, says she was informed that her information had been compromised in a “data security incident” in a letter from Med-Data on March 31, 2021. Although Med-Data did not disclose in the letter the name of the website on which proposed class members’ information was shared, the plaintiff believes her data was posted to GitHub Arctic Code Vault, an open-source, public data repository, according to the suit.
The complaint notes that even though Med-Data had been provided in early February 2021 with a list of individuals impacted by the incident, the defendant failed to provide notice to proposed class members and the Department of Public Health & Human Services until March 31.
“It is unknown why Med-Data did not immediately contact Plaintiff and others similarly situated to advise them of the data breach,” the complaint states.
Per the suit, the consequences of Med-Data’s apparent failure to safeguard proposed class members’ private information are “long lasting and severe.” Given that fraudulent use of the information may “continue for years,” Med-Data’s offer of 12 months of identity theft protection services is “inadequate” to protect those whose information was compromised, the lawsuit contends.
The case, which was recently removed from King County, Washington Superior Court to the state’s Western District Court, looks to represent anyone whose personal information was compromised as a result of the breach of Med-Data’s electronic information systems.