Cybercriminals often target healthcare or health-related companies for data breaches because of the wealth of information they store in their systems, including not just personally identifiable information (PII) but also protected health information (PHI). The complaint for this class action alleges that Lincare Holdings, Inc. bears responsibility for a data breach that took place against it on September 26, 2021.
The class for this action is all Missouri citizens who used Lincare since September 26, 2016 and whose PII or PHI was disclosed by Lincare to unauthorized third parties.
Lincare provides healthcare and medical services to the public. The complaint’s central allegation is that Lincare bears responsibility for the data breach because it betrayed the trust of its customers and employees by not adequately protecting their PII and PHI from access by cybercriminals.
The complaint claims that the company “recklessly fail[ed] to take the necessary precautions required to safeguard and protect” the information it kept on file and that the PII and PHI “was improperly handled, inadequately protected, readily able to be copied by thieves and not kept in accordance with basic security protocols.”
Lincare sent a notice letter to the individual victims of the data breach on June 21, 2022, which the complaint alleges said that the company had found “unusual activity on certain systems in its network” in September 2021. Also, the complaint alleges, the letter said that the PHI and PII “was first accessed on September 10, 2021; the infiltration was identified on September 26, 2021; and[] the infiltrator(s) were not blocked until September 29, 2021.”
Therefore, the complaint claims, the cybercriminals “enjoyed unfettered access” to the information “for over three weeks without being stopped.”
The information exposed, the complaint alleges, included names, Social Security numbers, dates of birth, dates of service and medical conditions, treatments, and diagnoses. “Upon information and belief,” the complaint alleges, “the Breach affected tens of thousands of [Lincare’s] patients.”
Also, according to the complaint, the time Lincare took to inform the individual victims of the data breach “was well beyond the time frame required by applicable laws.”
The complaint quotes the Federal Trade Commission (FTC) as saying that “the range of privacy-related harms is more expansive than economic or physical harm or unwarranted intrusions and that any privacy framework should recognize additional harms that might arise from unanticipated uses of data.”
These harms may include obtaining jobs with stolen Social Security numbers, obtaining medical services in a victim’s name, or giving the victim’s name to police during an arrest, so that the victim may later be wrongly subjected to an arrest warrant or a criminal record.
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
Lincare Data Breach Missouri Complaint
October 20, 2022
Cybercriminals often target healthcare or health-related companies for data breaches because of the wealth of information they store in their systems, including not just personally identifiable information (PII) but also protected health information (PHI). The complaint for this class action alleges that Lincare Holdings, Inc. bears responsibility for a data breach that took place against it on September 26, 2021.
Lincare Data Breach Missouri ComplaintCase Event History
Lincare Data Breach Missouri Complaint
October 20, 2022
Cybercriminals often target healthcare or health-related companies for data breaches because of the wealth of information they store in their systems, including not just personally identifiable information (PII) but also protected health information (PHI). The complaint for this class action alleges that Lincare Holdings, Inc. bears responsibility for a data breach that took place against it on September 26, 2021.
Lincare Data Breach Missouri Complaint