Consolidated class action lawsuit filed against Shields Health Care Group over data breach of more than 1.9 million records

Multiple lawsuits have been filed against the Massachusetts-based Shields Health Care Group, which suffered one of the largest healthcare data breaches of the year, affecting nearly 2 million individuals. The lawsuits have recently been combined into one lawsuit, Pescan vs. Shields Healthcare Group Inc, which was filed in a Massachusetts federal court this week.

Shields Health Care Group provides MRI, PET/CT, radiation oncology and surgical services to healthcare practices, about 60% of which were affected by the breach. The hackers gained access to its network and stole patients' protected health information over a two-week period in March 2022. The stolen data included names, contact information, Social Security numbers, insurance information, billing information, and clinical information such as diagnosis and treatment information. Affected individuals were offered a two-year membership to a credit monitoring service.

The plaintiffs allege that Shields Health Care Group failed to implement appropriate safeguards to prevent unauthorized access to highly sensitive patient data, then failed to issue timely notices informing patients that their data was in the hands of cybercriminals. They also allege that the notifications did not provide sufficient information to allow affected individuals to take appropriate measures to assess and mitigate risks.

The lawsuit alleges that Shields Health Care Group was fully aware of the risks of hacking and ransomware attacks on healthcare organizations, given multiple security alerts issued by the FBI, CISA, and HHS, yet failed to implement appropriate risk mitigation measures, in breach of its obligations under the HIPAA Security Rule.

Shields Health Care Group said a security alert was triggered on March 18, 2022, which was investigated, but no breach was detected. Suspicious activity was then identified within its network on March 28, 2022. An investigation confirmed a breach of patient data, and notifications were issued to affected individuals on June 7, 2022, outside the reporting timeframe of the HIPAA Breach Notification Rule.

The lawsuit alleges that the notifications were late, short on information, and failed to provide even basic information about the breach, such as whether patient data on the servers was accessed. The lawsuit also alleges that the credit monitoring services provided were inadequate, given that the affected individuals face many years of continued exposure to identity theft.

While many lawsuits are filed based on the risk of future harm, the plaintiffs allege that they suffered financial losses as a result of the breach and had to spend a great deal of time monitoring their financial accounts. One plaintiff said suspicious activity was identified in his email account and that he had thousands of dollars in fraudulent charges on his Bank of America account, and another plaintiff claims he has been targeted by phone scammers since the data breach.

The consolidated suit alleges negligence, breach of contract, invasion of privacy by intrusion, and breach of fiduciary duty, and seeks class action status, damages, and injunctive relief.
