When did Shields Health Care Group, Inc. become aware of an intrusion into its systems? The complaint alleges that that and other information about its 2022 data breach is unclear. It claims that the data breach “was a direct result of [Shields’s] failure to implement adequate and reasonable [cybersecurity] procedures and protocols necessary to protect patients’ Private Information.”
The class for this action is all persons whose Private Information was compromised in the data breach and who Shields sent a notice of the data breach.
Shields, being a health care group, maintains information in its servers pertaining to its providers and their patients, including the patients’ personally identifiable information (PII) and protected health information (PHI).
The complaint claims that an unauthorized party acquired data from Shields sometime between March 7 and 21, 2022. The complaint says, “The Notice of Data Security Incident … however, is unclear—it states that Shields became aware of suspicious activity on March 28, 2022, while the Notice also states that Shields ‘had identified a security alert on or around March 18, 2022,’ which is when the Data Breach was actively occurring.”
In any case, Shields did not announce the data breach until June 2022. Unfortunately, the complaint alleges that even then Shields did not provide enough information, including (1) the exact date when Shields first found out about the data breach, (2) what specific information was exposed or acquired by the intruders, and (3) how the intruders managed to get into Shields’s systems.
The complaint says the Notice merely observed that the type of information acquired “may have” included full names, dates of birth, Social Security numbers, provider information, diagnosis, billing information, insurance number, and other treatment information.
The complaint asserts, “The Data Breach was a direct result of [Shields’s] failure to implement adequate and reasonable [cybersecurity] procedures and protocols necessary to protect patients’ Private Information.”
“Further,” the complaint alleges, “if [Shields] had been monitoring its servers for the presence of hackers, malware, ransomware, or whatever type of cyberattack occurred here … [Shields] would have detected the presence of the unauthorized individual(s) sooner.”
The Federal Trade Commission (FTC) offers a publication called Protecting Personal Information: A Guide for Business that discusses guidelines for cybersecurity. The complaint alleges that Shields did not comply with these guidelines, and also claims that it failed to comply with industry standards for the protection of private information.
According to the complaint, because of Shields’s “incompetent and ineffective security measures,” the individual victims whose information was exposed will be at risk of identity theft for the rest of their lives.
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
Shields Heath Care Data Security Incident Complaint
June 24, 2022
When did Shields Health Care Group, Inc. become aware of an intrusion into its systems? The complaint alleges that that and other information about its 2022 data breach is unclear. It claims that the data breach “was a direct result of [Shields’s] failure to implement adequate and reasonable [cybersecurity] procedures and protocols necessary to protect patients’ Private Information.”
Shields Heath Care Data Security Incident ComplaintCase Event History
Shields Heath Care Data Security Incident Complaint
June 24, 2022
When did Shields Health Care Group, Inc. become aware of an intrusion into its systems? The complaint alleges that that and other information about its 2022 data breach is unclear. It claims that the data breach “was a direct result of [Shields’s] failure to implement adequate and reasonable [cybersecurity] procedures and protocols necessary to protect patients’ Private Information.”
Shields Heath Care Data Security Incident Complaint