Nuvance Health, Health Quest Phishing Attack Class Action

Nuvance Health and Health Quest Systems, Inc., the defendants in this case, operate healthcare facilities, including seven hospitals, in the Hudson Valley area of New York and western Connecticut. The complaint for this class action alleges that a phishing incident at these companies exposed the information of more than 28,000 patients, because the companies “failed to store that information in a reasonably secure and adequately protected manner.”

The definition of the class for this action is very simple: all persons in the US whose PII was compromised as a result of the data breach.

The complaint claims, “On May 31, 2019, in a message posted to Defendants’ website … Defendants announced that nearly eleven months earlier, in July 2018, they first learned of a phishing incident that allowed one or more cyber criminals to gain access to the emails and attachments in several employee email accounts.” No excuse was given for the eleven-month time lag in announcing the data breach.

According to the complaint, “The 2019 Notice disclosed that on January 25, 2019, nearly five months after the initial discovery of the attack, Defendants ‘identified [breached] email attachments that contained certain health information’ and on April 2, 2019, determined that the breached emails and/or attachments contained patient information…”

The information exposed included treatment and diagnosis information, health insurance claims information, financial information, and personal information, among other things.

At around the same time the notice was published, the companies sent out notification letters to patients whose information may have been compromised.

Then, on January 10, 2020, seven months later, the companies issued another notice, the complaint says, “revealing that the Breach had impacted more patients and/or revealed more PII than previously acknowledged in the 2019 Notice, including ‘names in combination with[] dates of birth, Social Security numbers, Medicare Health Insurance Claim Numbers (HICNs), driver’s license numbers, provider name(s), dates of treatment, treatment and diagnosis information, health insurance plan member and group numbers, health insurance claims information, financial account information with PIN/security code and payment card information.’”

Once again, the complaint says, the companies did not offer any information about the reason for the delay, now roughly eighteen months, between the first discovery of the breach and the issuance of information.

According to the complaint, the companies are not offering any account monitoring services to patients whose information was exposed.

The complaint alleges that the breach “occurred because Defendants failed to take reasonable measures to protect the Personal Identifiable Information it collected and stored.” The complaint claims that the healthcare industry had warnings about the risks of cyberattacks and previous incidents of medical information theft and should have taken more steps to protect patient information.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Nuvance Health, Health Quest Phishing Attack Breach Complaint

April 6, 2020

Tags: Exposing Private Information, Exposure to cyber crime, Failure to Inform Promptly of Data Breach