Mednax, Pediatrix Hit with Class Action Over June 2020 Data Breach Affecting Nearly 1.3M Patients [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

Mednax, Inc. and Pediatrix Medical Group face a proposed class action over a June 2020 data breach that reportedly affected nearly 1.3 million patients, many of them babies and young children.

According to the lawsuit, the “massive and preventable” breach and resulting harm suffered by those affected stemmed from the defendants’ failure to properly safeguard patients’ information, detect the breach, and timely notify those whose information was compromised. Per the suit, the incident has placed patients at risk of identity theft and fraud for years to come.

“Due to Defendants’ negligence and failures, cyber criminals obtained and now possess everything they need to commit personal and medical identity theft and wreak havoc on the financial and personal lives of nearly 1.3 million individuals, many of which are babies and young children, for decades to come,” the complaint scathes.

Founded in 1979, Sunrise, Florida-headquartered Mednax and Pediatrix, a Mednax company, are physician-led healthcare organizations that partner with hospitals and healthcare facilities to offer “clinical services spanning the continuum of care, as well as revenue cycle management, patient engagement and perioperative improvement consulting solutions,” the lawsuit, filed in California’s Southern District Court, explains.

Per the case, the defendants discovered in late June 2020 that unauthorized parties had gained access to certain of their Microsoft Office 365-hosted business email accounts through a phishing attack and uncovered the unencrypted private and medical information of 1,290,670 individuals, many of whom are babies and young children. The compromised information, according to the suit, included patients’ names, dates of birth, health insurance information, medical and/or treatment details, and billing and claims information.

After investigating the breach, the defendants learned that patients’ information had been exposed between June 17 and June 22, 2020 and again between July 2 and July 3, 2020 in a second breach, the case relays.

Despite being aware that over one million patients were affected by the breach, the defendants “did nothing” to warn them of the incident for six months—“an unreasonable amount of time under any objective standard,” according to the suit.

“Apparently, Defendants chose to complete their investigation and develop a list of talking points before giving Plaintiffs and Class members the information they needed to protect themselves against fraud and identity theft,” the lawsuit reads, noting that the plaintiffs were sent data breach notices from Mednax in December 2020.

The complaint alleges the defendants failed to spend sufficient resources monitoring incoming emails and training employees to identify and defend against security threats, and then offered those whose information was compromised “very little” assistance to mitigate the effects of the breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.