
Companies that store both personally identifiable information (PII) and protected health information (PHI) appear to be major targets for data breaches these days. This class action brings suit against one of these companies, Medical Associates of the Lehigh Valley (MATLV), alleging that this Pennsylvania entity did not adequately protect the PII and PHI maintained in its systems.
The class for this action is all individuals whose PII or PHI was accessed or exfiltrated during the data breach.
MATLV is a primary care group in Pennsylvania. According to the complaint, it maintains on its site two documents about privacy, a HIPAA Policy and Consent Form and an Updated HIPAA Notice of Privacy Practices.
The complaint quotes the first of these as promising, “Your information will be kept confidential except as is necessary to provide services or to ensure that all administrative matters related to your care are handled appropriately.” The other lists conditions in which a patient’s information can be disclosed without authorization, adding, “Other uses and disclosures not described in this [Privacy Notice] will be made only with authorization.”
The data breach took place on or before July 3, 2022, the complaint alleges, when “an intruder gained unauthorized access to [MATLV’s] network and attempted to shut down its computer network.” In the course of this intrusion, the complaint alleges, the hacker gained access to files that contained personal information on patients.
This information, the complaint says, may have included such things as names, birth dates, Social Security numbers, driver’s license or state ID numbers, health insurance providers, diagnoses, treatments, medications, and lab results.
Roughly two months later, on September 10, 2022, MATLV admitted that it had suffered a data breach.
The complaint sets forth a number of measures MATLV could have taken to prevent or mitigate the data breach. For example, it says the company could have “encrypted or tokenized the sensitive PII and PHI” of the patients and could have deleted any PII or PHI it no longer had any reason to keep. But MATLV did not do these things, it claims, and therefore bears some responsibility for the data breach.
According to the complaint, MATLV was negligent in its efforts to protect the PII and PHI, especially in light of the many warnings that companies, particularly health care companies, have had about data security threats.
The complaint alleges that MATLV “did not use reasonable security procedures and practices appropriate to the nature of the sensitive unencrypted information it was maintaining for current and former patients, causing the access and/or exfiltration of the PII and PHI…”
Article Type: Lawsuit
Topic: Privacy
Most Recent Case Event
Medical Associates of the Lehigh Valley Data Breach Complaint
November 11, 2022