Shields Health Care Group Data Breach Class Action

Medical companies have become a prime target for cybercriminals. Shields Health Care Group, Inc. Now, Shields Health Care Group, Inc. has reported an unauthorized intrusion into its systems in March 2022. But the complaint for this class action alleges that Shields bears some responsibility for this data breach because, because it did not take adequate measures to safeguard the personally identifiable information (PII) and protected health information (PHI) in its care, and also did not provide timely and adequate notice of the data breach.

The National Class for this action is all persons whose PII or PHI was compromised in the data breach of Shields Health Care Group between roughly March 7-21, 2022. A Massachusetts Subclass has also been defined for those in the above class who are in Massachusetts.

The attack on Shields allowed unauthorized parties to access its systems for a period of roughly two weeks, between approximately March 7 to 21, 2022, exposing the personal information and medical records of around two million patients. The information compromised includes names, addresses, dates of birth, Social Security numbers, insurance information, medical record and patient identification numbers, among other things.

The complaint alleges that Shields maintained the information “in a negligent and/or reckless manner” and that the data breach was a known and foreseeable risk that Shields should have taken steps to prevent. Shields also did not adequately monitor its own computer network, the complaint says.

According to the complaint, “[d]espite investigating the Data Breach on or about March 18, 2022, [Shields] did not publish a press release regarding the Data Breach until approximately June 7, 2022…” It adds, “This was the first notice of the Data Breach that Shields provided to its patients.”

The complaint quotes a 2019 Health Information Management Systems Society, Inc. Cybersecurity Survey as saying that “[a] pattern of cybersecurity threats and experiences is discernable across U.S. healthcare organizations. Significant security incidents are a near-universal experience in U.S. healthcare organizations with many of the incidents initiated by bad actors, leveraging e-mail as a means to compromise the integrity of their targets.”

The Federal Trade Commission FTC) publishes guidelines for security practices, including Personal Information: A Guide for Business, that the complaint says “establishes cyber-security guidelines for businesses.” The complaint reviews some of these guidelines and notes that the FTC has brought enforcement actions against businesses that don’t take appropriate measures to protect consumer information.

It also alleges that Shields did not comply with FTC or industry guidelines for safeguarding private information.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy