
PracticeMax Ransomware Attack and Data Breach Class Action

This class action falls into the ever-more-common category of ransomware attacks and data breaches. The complaint brings suit against PracticeMax, Inc., saying that its systems were breached “[b]ecause [PracticeMax] presented such a soft target to cybercriminals[.]”

The class for this action is all persons living in the US whose personal information was compromised as a result of the PracticeMax data breach that took place in April and May 2021.

Medical information is a frequent target for hackers these days, and the complaint describes PracticeMax as providing services like billing and registration to “hospitals, insurance companies, employers, and physician offices.” The information it maintains in its systems includes both personally identifiable information (PII) and protected health information (PHI).

“By taking possession and control of” all this private information, the complaint alleges, PracticeMax “assumed a duty to securely store and protect” it.

But PracticeMax found suspicious activity in its systems on May 1, 2021, the complaint alleges, and after an investigation discovered that hackers had had access to its systems between April 17 and May 5, 2021, as well as access to certain email accounts that contained personal information. The complaint alleges that they had access to the PII and PHI of more than 150,000 people, including names, dates of birth, Social Security numbers, financial information, medical treatment and diagnosis information, and health insurance information.

The complaint faults PracticeMax on a number of counts, including its failure to put in place adequate security measures, failure to promptly discover the data breach, failure to stop it, and failure to tell the individual victims within a reasonable length of time.

PracticeMax had obligations and standards to meet, the complaint alleges, under a number of regulatory frameworks and requirements.

For example, the complaint says the Health Insurance Portability and Accountability Act (HIPAA) has a Privacy Rule and a Security Rule that set forth security and protection standards for keeping and transferring patient information. It also has a Breach Notification Rule that requires that affected individuals be informed of a data breach no later than sixty days after the discovery of the event.

The Federal Trade Commission (FTC), the complaint alleges, has decided “that a company’s failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information is an ‘unfair practice’ in violation of the FTC Act.”

The Department of Health and Human Services’ Office for Civil Rights urges companies to encrypt sensitive information, the complaint says: “As long ago as 2014, the Department fined two healthcare companies approximately two million dollars for failing to encrypt laptops containing sensitive personal information.” The complaint alleges that PracticeMax had not encrypted the email accounts that were accessed or the information they contained.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

PracticeMax Ransomware Attack and Data Breach Complaint

September 29, 2022

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy