
MedData Data Breach PII and PHI on Public-Facing Website Class Action

This class action alleges that MedData, Inc. bears responsibility for a “massive and preventable disclosure of medical information … during which highly sensitive MedData files had been uploaded and saved to a public-facing website…” The complaint refers to this event as the Healthcare Data Breach.

A class and a subclass have been defined for this action:

The Nationwide Class is all persons living in the US whose personal or medical information was exposed in the MedData Healthcare Data Breach that began between December 2018 and September 2019 and ran through December 17, 2020.

The Missouri Subclass is all persons living in Missouri whose personal or medical information was exposed in the MedData Healthcare Data Breach that began between December 2018 and September 2019 and ran through December 17, 2020.

The complaint calls MedData a “full-service healthcare revenue cycle management services provider” that does such things as processing Medicaid eligibility, third-party liability, workers’ compensation, and patient billing for various hospitals, doctors, and healthcare facilities. MedData thus maintains Personally Identifiable Information (PII) as well as Protected Health Information (PHI).

The information exposed in the data breach includes names, addresses, dates of birth, Social Security numbers, diagnoses, and health insurance policy numbers, among other things. The complaint claims the incident affected more than 135,000 persons.

The complaint alleges that the data breach was discovered on December 17, 2020, but that notice was not sent to victims before March 31, 2021.

The complaint alleges that MedData bears responsibility because of its “failure to implement adequate and reasonable security measures…, failure to timely detect the Healthcare Data Breach, failing to take adequate steps to prevent and stop the Healthcare Data Breach, … and failing to provide timely and adequate notice of the Healthcare Data breach…”

One of the plaintiffs in this case, identified as MS, experienced an unsettling incident in which an unknown party tried to impersonate medical transportation. The complaint alleges, “Plaintiff MS was suspicious based on the car, which did not appear to be from the medical transportation company, and on the manner of the driver, who was unable to verify that he was affiliated with the company. MS called the medical transportation company, who informed MS that the driver attempting to transport MS was not their employee nor otherwise affiliated with the transportation company.”

MedData may not have discovered the data breach on its own. The complaint alleges, “On or about December 10, 2020, [MedData] was notified by security researcher Jelle Ursem that some of its data had been discovered on the open-source software development hosting website ‘GitHub’…” The PII and PHI found there were not encrypted, the complaint alleges. An investigation determined that an employee had saved some files to a public-facing website.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Med-Data Data Breach PII and PHI on Public-Facing Website Complaint

August 9, 2021

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy