A proposed class action lawsuit claims inadequate security protocols on the part of Sincera Reproductive Medicine led to a data breach that left those affected at a heightened risk of identity theft and fraud.
According to the lawsuit out of the Philadelphia County Court of Common Pleas, Sincera, formerly known as Abington Reproductive Medicine, not only failed to protect patients’ personally identifiable and protected health information but took more than eight months to notify those who were affected by the breach—well over the 60-day statutory notice limit, the suit says.
The case says patients’ names, Social Security numbers, dates of birth, medical records, patient account numbers, health insurance information, diagnoses, medications, providers, types of treatment and treatment locations were exposed to unauthorized parties between August 10 and September 13, 2020. The suit claims Sincera’s failure to handle patients’ information “with reasonable care” has allowed “an untold number of unauthorized individuals” to access the data, exposing patients to privacy risks “for the rest of their lives.”
Per the lawsuit, Sincera identified “suspicious activity” on its internal network server on September 11, after which the fertility center commenced an investigation that was completed in April 2021. According to the suit, the investigation revealed that a hacker had gained “unlimited access” to patient data on Sincera’s network for nearly five weeks between August and September of last year before the defendant could contain the breach.
The case says a dark web ransomware site known as Maze listed the defendant’s former name, “Abington Reproductive Medicine,” as a recent cyberattack victim in November 2020.
Despite learning of the breach in September, Sincera, the suit says, waited until May 2021 to notify the more than 37,000 patients whose information was reportedly compromised in the incident.
The case pins the breach on Sincera’s apparent failure to implement “basic security procedures” and follow its own policies with regard to protecting patients’ sensitive information. The defendant, the lawsuit alleges, should have been well aware of the risks of storing patients’ valuable and private personal and health information, especially in light of high-profile data breaches that have occurred in recent years.
According to the suit, those whose information was compromised in the breach must now devote time, energy and money to monitoring their financial accounts, medical statements, bills and records, among other preventative measures, for years to come.
“Once [personally identifiable information] or [protected health information] is exposed, there is virtually no way to ensure that the exposed information has been fully recovered or contained against future misuse,” the complaint states. “For this reason, Plaintiffs and Class Members will need to maintain these heightened measures for years, and possibly their entire lives, as a result of Sincera’s conduct.”
The lawsuit looks to represent anyone in the U.S. whose personally identifiable information or protected health information was compromised in the Sincera data breach that occurred beginning in August 2020.