QRS Patient Information Exposed in Data Breach Class Action

In recent years, healthcare providers and companies who offer services to them have been frequent targets of cybercriminals. These companies, like the defendant in this case, QRS, Inc., store not only the personally identifiable information (PII) of patients but also their protected health information (PHI). The complaint for this class action alleges that QRS did not adequately protect the PII and PHI it stored on its servers, leaving it vulnerable to a phishing attack.

The Nationwide Class is all persons living in the US whose personal and medical information was exposed in the QRS data breach of August 2021. A South Carolina Subclass has also been defined for those in the above class in South Carolina.

QRS offers services to medical practices. The complaint quotes its website as saying that it offers “creative software and hardware solutions using modern computer technology, … friendly customer driven implementation, and training and support [for] these products as well as a full line of services to supplement these products” to help “unburden you from the technical and administrative responsibilities of managing your practice[.]”

Nevertheless, QRS fell victim to a data breach that took place between August 23 and 26, 2021. The incident exposed the PII and PHI of nearly 320,000 people, including names, Social Security numbers, dates of birth, patient numbers, and some medical treatment and diagnosis information.

The complaint alleges “misconduct” on QRS’s part, including “failing to timely implement adequate and reasonable measures to protect [patients’] Personal and Medical Information, failing to timely detect the Data Breach, failing to take adequate steps to prevent and stop the Data Breach,” and more.

The theft of their PII and PHI leaves patients in danger of identity theft and medical and other fraud, the complaint alleges, a risk they will be forced to run for the rest of their lives.

Despite the fact that the data breach occurred in August, QRS did not notify the patient-victims until October 22, 2021, when it began sending out Notices of the data breach.

According to the complaint, QRS “failed to spend sufficient resources on monitoring its own software platform it built and training its employees to identify cyber threats and defend against them.”

The complaint alleges that QRS had an obligation under the Health Insurance Portability and Accountability Act (HIPAA) to protect patient information and keep it confidential. Also, the complaint alleges that the Federal Trade Commission (FTC) “has concluded that a company’s failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information is an ‘unfair practice’ in violation of the FTC Act.”

The complaint further claims that QRS should have been warned by data breaches at other prominent medical companies.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy