Adaptive Health Integrations Failure to Safeguard PII Class Action

Companies associated with healthcare have become prime targets for hackers bent on stealing private information, including personally identifiable information (PII). The complaint for this class action alleges that Medscan Laboratory, Inc., which does business as Adaptive Health Integrations (AHI), is responsible for the exposure of the PII stored in its systems because, it says, it “was maintained on AHI’s computer system and network in a condition vulnerable to cyberattack.”

The class for this action is all persons whose private information was maintained on AHI’s system that was compromised in the data breach and who were sent a notice of the data breach.

AHI offers software, billing, and revenue services for various healthcare businesses and doctors’ offices. It therefore obtains information from healthcare entities about their patients or customers.

The complaint describes the company’s online persona as somewhat slapdash: “[AHI’s] website has no privacy policy, is maintained on a WordPress blog, and misspells the name of the company (Adaptive is spelled as ‘Adapative’) at the top of the website. There is no way for consumers to know what information is being collected about them, if that information is being kept secure, and if [AHI] is who [it says it is], given the name on the website is misspelled. Little information is publicly available on [AHI].”

Hackers appear to have gained access to AHI’s systems on October 17, 2021. The information exposed, the complaint alleges, includes names, dates of birth, addresses, telephone numbers, and Social Security numbers.

The complaint calls AHI’s Data Security Incident Notice “woefully insufficient.” While it does say that AHI undertook an investigation of an incident, it appears that the investigation did not conclude for nearly six months, on February 23, 2022, during which time the complaint claims the company did not notify the victims whose information was stolen.

The Notice was inadequate in other ways as well, the complaint claims: “[I]t lacks critical information, including when [AHI] was first aware of the existence of the Data Breach. The Notice did not explain what type of cyberattack had occurred, what parts of [AHI’s] computer systems were affected, what type of information had been affected, or any of the other facts and circumstances surrounding the Data Breach.”

The complaint speculates, “Upon information and belief, … the Private Information contained in the files accessed by the hackers was not encrypted.”

The complaint faults AHI for maintaining the private information in its systems “in a reckless manner” and for not providing timely notice of the data breach. It claims that AHI did not comply with Federal Trade Commission Guidelines or with industry standards for protecting private information.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy