Centerstone Healthcare Phishing Data Breach Class Action

This class action brings suit against certain Centerstone healthcare facilities, claiming they fell for a phishing scam that may have exposed the information of patients and employees in Indiana and Tennessee. The defendants are Centerstone of America, Inc., Centerstone of Indiana, Inc., and Centerstone of Tennessee, Inc.

The class for this action is all persons named by Centerstone as being affected by the data breach, including all those who were sent a notice of the data breach.

Personal and protected health information were exposed in the breach. The information included names of current and former patients and employees, dates of birth, Social Security numbers, driver’s license or ID card numbers, Medicare/Medicaid and other medical insurance information, and information about medical diagnoses or treatments. Some of this is personally identifiable information (PII) or protected health information (PHI), and other of these items are protected by protected by the Health Insurance Portability and Accountability Act (HIPAA).

How did the breach happen? The defendants in this case share an e-mail system. In August 2020, the company saw suspicious activity related to some employees’ e-mail accounts. An investigation showed that certain accounts had been accessed without proper authorization between December 12 and 16, 2019.

The complaint says that, “[u]pon information and belief,” the accounts had been accessed in a phishing scam. Phishing occurs, the complaint says, “when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.”

The success of the phishing attack, the complaint alleges, enabled the attackers “to gain access to the employees’ email accounts and subsequently forward messages from these accounts to an outside email account without Centerstone’s knowledge.” The information in the e-mails was not encrypted.

The complaint says, “Incredibly, Centerstone does not appear to have discovered the unauthorized intrusion until August of 2020—approximately eight (8) months after” it occurred. According to the complaint, Centerstone did not notify the affected parties until October 2020.

The complaint claims that Centerstone was “inadequately safeguarding” the information and maintained it “in a reckless manner.” Also, the complaint alleges that “Centerstone and its employees failed to properly monitor the computer network and systems that housed the Private Information. Had Centerstone properly monitored its property, it would have discovered the breach sooner.”

It claims that Centerstone does not follow the data security guidelines set forth by the Federal Trade Commission.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Centerstone Healthcare Phishing Data Breach Complaint

November 20, 2020

This class action brings suit against certain Centerstone healthcare facilities, claiming they fell for a phishing scam that may have exposed the information of patients and employees in Indiana and Tennessee. The defendants are Centerstone of America, Inc., Centerstone of Indiana, Inc., and Centerstone of Tennessee, Inc.

Centerstone Healthcare Phishing Data Breach Complaint

Case Event History

Centerstone Healthcare Phishing Data Breach Complaint

November 20, 2020

This class action brings suit against certain Centerstone healthcare facilities, claiming they fell for a phishing scam that may have exposed the information of patients and employees in Indiana and Tennessee. The defendants are Centerstone of America, Inc., Centerstone of Indiana, Inc., and Centerstone of Tennessee, Inc.

Centerstone Healthcare Phishing Data Breach Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy, health