Connexin Software Pediatric Practices Data Breach Class Action

A vendor that provides services for pediatric medical practices of necessity keeps on file—and must protect—a great deal of personally identifiable information (PII) and protected health information (PHI). The complaint for this class action alleges that Connexin Software, Inc. (CSI), which does business as Office Practicum, failed in its duty to protect the pediatric and other information it kept on file from a data breach.

The class for this action is all persons in the US and its territories whose private information was compromised in the data breach found by CSI on or around August 26, 2022.

CSI offers services and products to pediatric practitioner groups that include electronic medical records, practice management software, billing services, and business analysis tools.

According to the complaint, CSI promotes its data security. The complaint quotes the company website as saying that clients and patients “can place a high degree of trust behind the accuracy and integrity of the information you are storing and accessing with [CSI]. [CSI] not only meets[] but exceeds best practices and industry standards for data security and preservation. [CSI’s Data] is hosted in a maximum security AWS environment[] that utilizes the latest and greatest hardware available.”

“On or about August 26, 2022,” the complaint alleges, “CSI detected encrypted files on some of its systems and began investigating the incident. But September 13, CSI determined that an unauthorized party had accessed certain CSI servers.”

CSI provided notice to the Montana and Texas attorneys general on November 14 and 17, respectively, the complaint alleges, and eventually sent notice of the data breach to around 2.2 million people throughout the country.

According to the complaint, not much information was given in the notice. It quotes the notice as saying that “an unauthorized party was able to access an offline set of patient data used for data conversion and troubleshooting. Some of that data was removed by the unauthorized party.” The notice did not say how long the hackers had access to the system, the method they used to get into the systems, how CSI found the encrypted files, or what CSI has done since then to make its systems more secure so that it will not experience future cyberattacks.

The information exposed, the complaint alleges, included names, dates of birth, Social Security numbers, health insurance information, medical and treatment information, and billing information.

The complaint alleges, “The Data Breach was the direct result of CSI’s failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect patients’ Private Information from the foreseeable threat of a cyberattack.” CSI had a duty to keep this information safe under both the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTCA).

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy