Class Action Lawsuit Against EHR Vendor Over 320,000-Record Data Breach

QRS, a healthcare technology services company and EHR vendor based in Tennessee, is facing a class-action lawsuit because of a cyberattack in August 2021 that resulted in the exposure and potential theft of the protected health information (PHI) of about 320,000 patients.

The data breach investigation confirmed that a hacker gained access to a single dedicated patient portal server between August 23 and August 26, 2021, and viewed and likely exfiltrated files containing patients' PHI. The sensitive information stored on the server included patients' names, dates of birth, addresses, usernames, medical data, and Social Security numbers. QRS began mailing notification letters to affected individuals in late October and offered identity theft protection services to those whose Social Security numbers were compromised.

Matthew Tincher, a resident of Frankfort, KY, filed a class action complaint against QRS in the U.S. District Court for the Eastern District of Tennessee on January 3, 2022. The complaint alleges that QRS failed to reasonably secure, monitor, and safeguard the PHI and personally identifiable information (PII) stored on its patient portal.

As a result of those failures, the lawsuit claims Tincher and class members

  • have sustained actual, concrete, and impending injury, including present injury and damages associated with identity theft and the loss or diminished value of their PHI and PII
  • have incurred out-of-pocket expenses in attempting to remedy the breach of their sensitive information
  • have had to spend time dealing with the consequences of the unauthorized data access
  • face a continued and heightened risk to their PHI and PII, which were unencrypted and remain available for unauthorized parties to access and misuse.

The lawsuit also takes issue with how long QRS took to issue breach notification letters, which were sent about 2 months after the breach was discovered. During those two months, the plaintiff and class members were unaware that they had been placed at substantial risk of identity theft, fraud, and personal, financial, and social harm.

The lawsuit states that QRS had an obligation to ensure the PHI and PII in its patient portal were properly protected, and that its failure to secure that data amounts to negligence and/or recklessness in violation of federal and state law. The lawsuit alleges that QRS had signed business associate agreements (BAAs) with its healthcare provider clients and therefore knew or should have known of its duty to protect PHI against cyberattacks. The lawsuit also cites cybersecurity measures recommended by the Cybersecurity and Infrastructure Security Agency (CISA) that should have been implemented to that end, and states that QRS should have been aware of the substantial risk of attack given the large number of healthcare data breaches reported in recent years.

Lawsuits are frequently filed against healthcare providers over data breaches that expose sensitive information. Whether such a lawsuit succeeds typically hinges on whether the plaintiffs can show they suffered an actual injury as a direct result of the breach. Tincher says he was notified of the breach on October 22, 2021, and within 3 days became the victim of actual identity theft, and that it is more likely than not that his sensitive information was exfiltrated from the QRS patient portal during the breach.

The lawsuit claims that the total damages sustained by the plaintiff and class members exceed the $5 million jurisdictional threshold required by the Court. The Court has jurisdiction over the defendant because QRS operates and is incorporated in the district. The plaintiff and class members seek unspecified damages, a jury trial, and injunctive and equitable relief.