Connexin Data Breach of Pediatric Practice Information Class Action

Connexin Software, Inc., which does business as Office Practicum, describes itself as offering “pediatric-specific health information technology solutions for independent pediatric practices.” Unfortunately, the complaint for this class action alleges that Connexin did not follow basic security procedures, and it suffered a data breach, exposing the personally identifiable information (PII) and protected health information (PHI) it had in its systems.

The class for this action is all persons in the US whose PII or PHI was exposed by the data breach that was disclosed by Connexin on or about November 14, 2022.

On that date, in a notice letter to the Montana Attorney General, Connexin reported, “On September 13, 2022, we learned that an unauthorized party was able to access an offline set of patient data used for data conversion and troubleshooting. Some of that data was removed by the unauthorized party.” The complaint alleges that the word “removed” is unclear, because it does not state whether the unauthorized party simply copied the data or erased it.

A November 11, 2022 notice letter to the Department of Health and Human Services Office for Civil Rights (OCR) said the data breach affected more than 2,200,000 individuals. The complaint alleges, “As a result of Connexin’s failure to implement and follow basic security procedures, Plaintiff’s and Class Members’ PHI and PII is not in the hands of criminals.”

The data breach is particularly concerning, the complaint alleges, because it involves the theft of information of children, which can be more expensive and damaging than theft of information of an adult.

The complaint quotes an article at the HIPAA E-Tool as saying, “Minors’ personal information is the very most valuable because it provides a clean slate for criminals to start fresh and obtain credit or commit insurance fraud, then escape before being discovered. The crime remains underground until the minor turns 18 and starts to apply for credit, or later applies for a mortgage, only to learn their credit was ruined long before they were old enough to use it themselves.”

The information stolen may have included names, dates of birth, Social Security numbers, health insurance information, medical or treatment information, and billing or claims information.

The complaint alleges that Connexin’s notices did not provide complete information, such as “the deficiencies in the security systems that permitted unauthorized access, whether the data was encrypted or otherwise protected” as well as “the actual data accessed and compromised, and what measures, if any, Connexin has taken to secure the PII and PHI still in its possession.”

The complaint alleges that Connexin “was on notice” that healthcare entities are frequent and vulnerable targets of data breaches. It refers to a 2018 report from the Identity Theft Resource Center, claiming, “At the end of 2018, the healthcare sector ranked second in the number of data breaches among measured sectors, and had the highest rate of exposure for each breach.”

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy