Truly Nolen PII and PHI Stolen in Data Breach Class Action

Truly Nolen of America, Inc. provides pest control services to some 150,000 customers around the world, the complaint for this class action alleges, but the complaint also claims that the company stores protected health information (PHI) as well as personally identifiable information (PII). The complaint alleges that it bears responsibility for a data breach it suffered between April and May of 2022, for not making sure that the information was adequately protected.

A class and a subclass have been defined for this action:

• The Nationwide Class for this action is all individuals in the US whose PHI, PII, or financial information was exposed to unauthorized third parties as a result of the data breach discovered by the company on May 11, 2022.
• The Arizona Subclass is all individuals in Arizona whose PII or PHI was stored by the company or was exposed to unauthorized parties as a result of the data breach discovered by the company on May 11, 2022.

The data breach took place between April 29 and May 11, 2022, the complaint alleges, and was discovered by the company on May 11. However, the complaint alleges that the company did not begin informing the individuals affected until August 26, 2022, and that even then the company did not provide information as to “when or for how long the Data Breach occurred[,]” but it did claim that it had “shut down and rebuilt its systems and added additional technical controls.”

During the data breach, the complaint alleges, unauthorized parties gained access to private information including names, Social Security numbers, medical information, and health insurance information.

The complaint faults the company for not making sure that the PHI and PII was kept in a manner that met industry standards, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and Security Rule, and other applicable standards.

According to the complaint, the company “intentionally, willfully, recklessly, or negligently fail[ed] to take and implement adequate and reasonable measures to ensure that” the “PHI/PII was safeguarded , fail[ed] to take available steps to prevent and unauthorized disclosure of data, and fail[ed] to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data…”

The complaint points out that a number of “high-profile cyberattacks” have occurred in recent years, so that the company “was and/or certainly should have been on notice and aware of usch attacks occurring in the healthcare industry and, therefore, should have assumed and adequately performed the duty of preparing for such an imminent attack.”

The complaint quotes the executive director of World Privacy Forum as saying, about medical identity theft, that “[v]ictims often experience financial repercussions and worse yet, they frequently discover erroneous information has been added to their personal medical files due to the thief’s activities.”

Furthermore, the complaint alleges that “data breaches are preventable.”

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy