EHR vendor hit with lawsuit following data breach
An electronic health record vendor was sued this past week after a cyberattack led to the exposure of the data of 319,778 people.
In October, the Tennessee-based QRS, which provides EHR and practice-management software, began notifying individuals of the incident.
"QRS failed to reasonably secure, monitor, and maintain the protected health information and personally identified information stored on its patient portal," said plaintiff Matthew Tincher in the class action complaint filed in U.S. district court this past Monday.
"As a result, plaintiff and approximately 319,000 current and former patients of healthcare providers that utilized QRS' services suffered present injury and damages in the form of identity theft, loss of value of their Sensitive Information, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the unauthorized access, exfiltration, and subsequent criminal misuse of their sensitive and highly personal information," according to the report.
Calls to QRS for comment were not returned by press time.
WHY IT MATTERS
As outlined in the complaint, QRS discovered on August 26, 2021, that an unauthorized actor had accessed a patient portal server – and, by extension, the personal information stored on that server – starting three days prior.
"Between August 23 and August 26, 2021, the attacker accessed, and likely acquired, files on the server containing sensitive information, including names, addresses, dates of birth, Social Security numbers, patient identification numbers, health portal usernames, and medical treatment or diagnosis information," read the complaint.
Tincher believes that his information and that of class members was subsequently sold on the dark web, given known practices of other cyber criminals.
"Social Security numbers … are among the worst kind of PII to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change," said the complaint.
Shortly after the data breach, Tincher says he experienced identity theft, including more than ten unauthorized charges on his bank account and credit card.
He accused QRS of failing to adequately implement measures recommended by threat intelligence experts and federal agencies to prevent and detect cyberattacks.
Tincher is seeking damages and a prohibition on QRS maintaining his information and that of the other class members on a cloud-based database, among other requested judgments.
"As a result of the data breach, plaintiff is at a present risk and will continue to be at increased risk of identity theft and fraud for years to come," read the complaint.
THE LARGER TREND
QRS isn't alone. Several healthcare organizations and affiliates have faced legal action following cyberattacks.
This past year Scripps Health was hit with a handful of complaints after a ransomware attack took down its network for weeks.
The potential consequences of ransomware extend beyond data exposure, however. A lawsuit filed in October 2021 alleges that such an incident led to the death of an infant, which would make it the first fatality of its kind in the United States.
ON THE RECORD
"Plaintiff brings this action on behalf of himself and class members for the relief requested above and for the public benefit in order to promote the public interests in the provision of truthful, fair information to allow consumers to make informed purchasing decisions and to protect plaintiff, class members and the public from QRS' unfair, deceptive and unlawful practices," according to the complaint.
"QRS' wrongful conduct as alleged in this complaint has had widespread impact on the public at large," it continued.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.