QRS Exposure of PII and PHI in Data Breach Class Action

When a company collects, uses, and derives a benefit from individuals’ private information, the complaint for this class action says, it “assume[s] legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion.” The complaint therefore sues QRS, Inc. for failing to safeguard sensitive information that was disclosed in a data breach in 2021.

The class for this action is all individuals QRS identified as being among those impacted by the data breach, including all those who were sent a notice of the data breach.

QRS is a provider of software and services to medical practices and other healthcare providers to help them with scheduling, imaging, data security, and other functions. As such, it collects and stores a great deal of personally identifying information (PII) and protected health information (PHI).

The complaint alleges, “Because of the highly sensitive and personal nature of the information QRS acquires and stores with respect to its healthcare provider clients’ patients, and by operation of the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’), QRS has a legal duty to keep patient PHI safe and confidential.”

QRS discovered the data breach on August 26, 2021; its investigation revealed that the intruder had first accessed its systems three days earlier, on August 23. The files that were accessed, the complaint says, contained patient names, dates of birth, Social Security numbers, patient identification numbers, and medical treatment or diagnosis information. More than 319,000 people were affected.

PII and PHI are in high demand on the dark web, with prices for PII ranging from $40 to $200. The complaint alleges, “Criminals can also purchase access to entire company data breaches from $900 to $4,500.”

The complaint lists certain measures it claims QRS should have taken to prevent the data breach. These include such points as “Implement an awareness and training program” and “Enable strong spam filters to prevent phishing emails and authenticate inbound email … to prevent email spoofing.”

It also lists measures recommended by the US Cybersecurity & Infrastructure Security Agency and by the Microsoft Threat Protection Intelligence Team that it claims QRS should have taken to prevent and deter cyberattacks.

The complaint alleges that QRS promises on its website to protect PII and PHI. It claims that QRS “could have prevented this Data Breach by properly securing and encrypting the files and file servers containing the PII and PHI…” In addition, the complaint points out that healthcare-related businesses have often been targets of cyberattacks.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

QRS Exposure of PII and PHI in Data Breach Complaint

January 3, 2022

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy