Goodman Campbell Brain and Spine Data Breach Class Action

Companies that provide healthcare services have become a prime target of cybercriminals because of the richness of the information they store, including both personally identifiable information (PII) and protected health information (PHI). The complaint for this class action brings suit against Indianapolis Neurosurgical Group, PC, which does business as Goodman Campbell Brain and Spine, alleging that it failed to safeguard the information in its systems, permitting a data breach it discovered on or around May 20, 2022.

A class and a subclass have been proposed for this action:

• The Nationwide Class is all individuals in the US whose PII, PHI, or financial information was exposed to unauthorized third parties as a result of the data breach discovered on May 20, 2022.
• The Indiana Subclass is all individuals in Indiana whose PII or PHI was stored by Goodman Campbell or was exposed to unauthorized third parties as a result of the data breach discovered on May 20, 2022.

Goodman Campbell originated in 19070 as the Indianapolis Neurosurgical Group. The complaint claims that it currently runs programs for the treatment of for a number of vascular and other problems, including brain tumors, spine problems, trauma, neuro endovascular issues, and other issues.

The complaint alleges, “By obtaining, collecting, using, and deriving a benefit from [its customers’] PHI/PII, [Goodman Campbell] assumed legal and equitable duties to those individuals.” The complaint claims that the company is responsible “for not ensuring that the PHI/PII was maintained in a manner consistent with” industry standards, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including its Privacy Rule and Security Rule, and other applicable standards.

HIPAA sets minimum standards for the maintenance and protection of medical records and other private health information and requires that companies like Goodman Campbell use appropriate safeguards to keep medical information private. According to the complaint, the HIPAA Security Rule “requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

Even so, what the complaint calls a “massive and preventable cyberattack” occurred at the company in the first half of 2022. Goodman Campbell claims to have discovered the data breach on May 20, 2022. However, the complaint says the company did tell the individual victims immediately, but began sending out letters only around July 19, 2022.

The complaint claims that Goodman Campbell ignored the rights of those whose information was held in its systems “by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure” that information was properly protected from unauthorized disclosures, “and failing to follow applicable, required, and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use.”

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy