Medical Review Institute of America Unencrypted PII and PHI Class Action

Entities that store medical information are a prime target for cybercriminals. Medical Review Institute of America, LLC (MRIoA) maintained a great deal of personally identifiable information (PII) and protected health information (PHI) on its servers when it was attacked by cybercriminals, who took information from its systems. It learned of the data breach on November 9, 2021. The complaint alleges that the company bears some responsibility for the theft of information because it failed to take adequate measures to safeguard the information.

The class for this action is all persons whose private information was kept on MRIoA’s system and was compromised in the data breach, and who were sent a notice of the data breach.

MRIoA calls itself “the top medical review company in the United States.” According to the complaint, it “provides external review of medical, dental, behavioral health, pharmacy, vision, disability, workers’ compensation, and auto claims for insurance carriers, employers, TPAs, self-administered union groups, pharmacy benefit managers, human resource consultants, and departments of insurance throughout the country.”

The complaint alleges, “By obtaining, collecting, using, and deriving a benefit from [the] PHI and PII, [MRIoA] assumed legal and equitable duties to [the] individuals” who owned the information.

The company claims that it “takes the privacy and security of your information very seriously” and says on its website, “We have implemented procedures designed to limit the dissemination of your Data to only such designated staff as are reasonably necessary to carry out the state purposes we have communicated to you.”

But the complaint claims that these measures were not adequate to keep patient PII and PHI from being stolen by cybercriminals. It alleges that MRIoA maintained the information “without adequate safeguards. [MRIoA’s] conduct amounts to negligence and violates federal and state statutes.”

MRIoA learned of the intrusion into its systems on November 9, 2021, and on November 12, the complaint claims, it found out that information stored in its systems had been stolen. According to the complaint, the stolen information “includ[ed] Social Security numbers and health and financial information, and was not encrypted.”

The complaint alleges that MRIoA did not follow reasonable security procedures, many of which it lists in detail. It also alleges that the company did not comply with guidelines for businesses set forth by the Federal Trade Commission and did not meet industry standards for the protection of private information.

The complaint reviews the value of information like Social Security numbers and driver’s license numbers, and the difficulty of preventing cybercriminals from using this information for fraud and identity theft purposes once it is stolen.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Medical Review Institute of America Unencrypted PII and PHI Complaint

March 18, 2022

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy