DuPage/Duly Data Breach Compromise of Patient Information Class Action

Medical companies and facilities are increasingly becoming targets of data breaches. The complaint for this class action attempts to hold DuPage Medical Group, Ltd. and Duly Health and Care responsible for what it calls “a massive and preventable data breach” in which cyber criminals gained access to the DuPage network sometime between July 12 and 13, 2021.

The Nationwide Class for this action is all persons living in the US whose personal or medical information was compromised because of the DuPage/Duly data breach that took place sometime between July 12 and 13, 2021. An Illinois Subclass has been defined, for all those in this class who live in Illinois.

DuPage changed its name to Duly Health and Care in 2021 and calls itself “the largest independent, multi-specialty physician-directed medical group in the Midwest with more than 900 primary care and specialty care physicians and more than 6,000 team members.”

Duly holds personal and medical information for its patients on its website. The complaint claims that, by taking possession and control of this private information, Duly takes on the duty of securely storing and protecting this information.

The information compromised includes contact information (such as names, addresses, and dates of birth), diagnosis codes, Current Procedural Technology (CPT) codes, treatment dates, and Social Security numbers. The breach affected around 650,000 persons.

The complaint alleges that the data breach took place “[b]ecause of [Duly’s] negligence and failure to train and supervise its employees[.]” While the incident took place on July 12 or 13, the complaint alleges that Duly did not realize that certain of its files had been affected until August 17, and did not begin notifying the individuals affected until September 10.

The breach put the personal and medical information of the plaintiff in this case, Catherine Garcia, into the possession of cyber criminals.

“On or about August 2, 2021,” the complaint claims, Garcia “learned that an unknown individual opened a new credit card associated with [Garcia’s] bank account in and [Garcia’s] name. Fraudulent charges were incurred thereon.” After that, on August 12, “an unknown individual withdrew $50 from [Garcia’s] bank account.” An additional $50 withdrawal was made the following day.

Garcia then had to freeze her credit, cancel credit cards, and take other steps to deal with the effects of the data breach.

The complaint alleges that Duly “has done very little to protect Plaintiff and the Class” and in the notice suggests they “remain vigilant against incidents of identity theft.”

According to the complaint, Duly is covered by HIPAA and must comply with both HIPAA’s Privacy Rule and its Security Rule. Also, it says, The Federal Trade Commission (FTC) “has concluded that a company’s failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information is an ‘unfair practice’ in violation of the FTC Act.”

The counts include negligence and breach of implied contract, among other things.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy