fbpx

PracticeFirst Ransomware Attack Steals PII and PHI Class Action

In some ransomware attacks, hackers claim they will destroy information they have stolen if the ransom is paid. Unfortunately, there’s no way to make sure that they do this. At issue in this class action is a ransomware attack suffered by Professional Business Systems, which does business as PracticeFirst Medical Management Solutions. The complaint alleges that PracticeFirst had “maintained the Private Information in a reckless manner.”

The class for this action is all persons whose private information was exposed as a result of the data breach announced by Practice First around June 30, 2021.

PracticeFirst, the complaint says, is “a medical management company that processes data for health care providers[.]” As such, it maintains sensitive information in its systems, including personally identifiable information (PII) and protected health information (PHI).

The information exposed in the data breach including dates of birth, driver’s license and Social Security numbers, diagnoses, lab and treatment information, patient identification numbers, medication information, health insurance and claims information, and bank account or payment card information, among other things.

The complaint alleges, “Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of … [the] Private Information was a known risk to [PracticeFirst], and thus [PracticeFirst] was on notice” that it had to “take steps necessary to secure the Private Information from the risk of a ransomware attack.”

However, the complaint alleges that PracticeFirst did not take adequate measures to protect the information in its files. The company learned on December 31, 2020 that its systems had been penetrated by hackers, gaining access to areas where it stored employee and patient information. More than 1.2 million individuals were affected.

To add to the problem, PracticeFirst did not promptly report the data breach, the complaint claims: “Despite learning of the Data Breach on December 30, 2020, notification letters were not sent to affected patients until more than six months later, on or around June 30, 2021, and [PracticeFirst] did not notify the Department of Health and Human Services’ Office for Civil Rights until July 1, 2021.”

PracticeFirst claims that the hackers destroyed the information they took and did not share it, but the complaint quotes a computer expert as saying, “Proof of deletion is not a thing.”

The complaint alleges that PracticeFirst has no way of knowing if the hackers did not simply copy the information to another location before it supplied whatever “proof” of destruction they offered. It claims, “That [PracticeFirst] has put its trust in the very people responsible for the Ransomware Attack in the first place is a disaster in waiting.”

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

PracticeFirst Ransomware Attack Steals PII and PHI Complaint

August 17, 2021

In some ransomware attacks, hackers claim they will destroy information they have stolen if the ransom is paid. Unfortunately, there’s no way to make sure that they do this. At issue in this class action is a ransomware attack suffered by Professional Business Systems, which does business as PracticeFirst Medical Management Solutions. The complaint alleges that PracticeFirst had “maintained the Private Information in a reckless manner.”

PracticeFirst Ransomware Attack Steals PII and PHI Complaint

Case Event History

PracticeFirst Ransomware Attack Steals PII and PHI Complaint

August 17, 2021

In some ransomware attacks, hackers claim they will destroy information they have stolen if the ransom is paid. Unfortunately, there’s no way to make sure that they do this. At issue in this class action is a ransomware attack suffered by Professional Business Systems, which does business as PracticeFirst Medical Management Solutions. The complaint alleges that PracticeFirst had “maintained the Private Information in a reckless manner.”

PracticeFirst Ransomware Attack Steals PII and PHI Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy