Class Action Claims CareSouth to Blame for Patient Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

CareSouth Carolina has been hit with a proposed class action over its apparent failure to safeguard patients’ personal and protected health information from cybercriminals and offer meaningful assistance to affected consumers in the wake of the incident.

At the center of the 32-page case is a December 2020 cyberattack against CareSouth during which servers that housed sensitive and confidential patient information were accessed. The lawsuit says that patient data was left “unencrypted and unprotected” by CareSouth, who did not send notice of the breach to affected individuals until mid-May 2021.

According to the complaint, CareSouth’s negligent storage and handling of sensitive patient data has allowed the cybercriminals behind the incident to “misuse” and/or illegally market and sell the information. 

In the time since, CareSouth has done “virtually nothing” to protect those who were affected by the data breach, the lawsuit alleges. The suit states that CareSouth’s data breach notice relayed that the company had implemented additional network security, reported the incident to the federal government and required employees to change passwords. Consumers affected by the attack were offered only 12 months of identity theft protection, the case says. 

Further, NetGain Technology, the IT company who oversaw patient data held by CareSouth, paid the cybercriminals a significant amount of money in exchange for the promise that they would delete all copies of the stolen data and not publish, sell or otherwise share the information, the complaint says. The case contends, however, that the attackers’ promises can be assumed to be “at best hollow promises that will likely not be kept.”

The plaintiff, a Darlington County, South Carolina resident, claims her information was used by “nefarious actors” to open accounts in her name, which thus damaged her reputation and creditworthiness. 

“None of the above responses by Defendant or NetGain are adequate to make the Plaintiff whole,” the suit reads. 

Despite its duty under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to safeguard patients’ sensitive information, CareSouth nevertheless failed to properly train employees in cybersecurity, the case also alleges. 

The lawsuit looks to represent all CareSouth patients whose personal and medical information was compromised as a result of the December 2020 data breach. 

The complaint was initially filed in the Darlington County Court of Common Pleas on November 9, 2021 before being removed to South Carolina District Court on January 28, 2022. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.