Data breaches have become all too common. In this class action, the target was OneTouchPoint, Inc., which the complaint alleges did not adequately secure and protect the personally identifiable information (PII) or protected health information (PHI) it kept in its files and did not notify the individual victims in a timely or adequate manner.
The Nationwide Class for this action is all nationwide residents whose private information was actually or potentially access or acquired during the data breach that is the subject of the Notice of Cybersecurity Incident that OneTouchPoint published on or around September 2, 2022. A New York Class has also been defined for those in the above class who are New York residents.
The complaint describes OneTouchPoint as “a corporation engaged in marketing execution, digital marketing, fulfillment, and related services provided for client companies … including health insurance carriers, medical providers and financial service companies” that “received information provided by individuals to their client companies for business purposes.” The complaint alleges that OneTouchPoint is governed by the Health Insurance Portability and Accountability Act (HIPAA), which requires, among other things, that health information be kept confidential.
OneTouchPoint discovered that its systems had been hacked on April 28, 2022, the complaint alleges, “when it found files on its system were tampered with and encrypted.” The data breach had taken place the previous day, the complaint alleges, with information being accessed by an unauthorized third party.
According to the complaint, OneTouchPoint did not notify its client companies until June 3 and did not begin informing the individual victims until July 17, 2022. The notice at first stated that the company was “unable to determine what specific files the unauthorized actor viewed[,]” the complaint alleges, it later said that it potentially involved names, member IDs, and “information that may have been provided during a health assessment.”
The complaint claims the data breach affected some two million individuals.
The individual victims are now at “a lifetime risk of identity theft[,]” the complaint alleges, “due to [OneTouchPoint’s] negligent and/or careless acts and omissions and its failure to protect said information.”
The complaint alleges that OneTouchPoint did not comply with statutory, regulatory, or industry standards for the protection of PII and PHI. It lists a number of recommended best practices and refers to the requirements of HIPAA and guidelines published by the Federal Trade Commission (FTC).
The complaint claims that OneTouchPoint has “obligations under other federal and state laws, regulations, contracts, and common law to maintain reasonable and appropriate physical, administrative, and electronic and technical measures to keep … PII confidential and to protect it from unauthorized access or disclosure.”
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
OneTouchPoint Data Breach Exposes PII and PHI Complaint
January 12, 2023
Data breaches have become all too common. In this class action, the target was OneTouchPoint, Inc., which the complaint alleges did not adequately secure and protect the personally identifiable information (PII) or protected health information (PHI) it kept in its files and did not notify the individual victims in a timely or adequate manner.
OneTouchPoint Data Breach Exposes PII and PHI ComplaintCase Event History
OneTouchPoint Data Breach Exposes PII and PHI Complaint
January 12, 2023
Data breaches have become all too common. In this class action, the target was OneTouchPoint, Inc., which the complaint alleges did not adequately secure and protect the personally identifiable information (PII) or protected health information (PHI) it kept in its files and did not notify the individual victims in a timely or adequate manner.
OneTouchPoint Data Breach Exposes PII and PHI Complaint