Conifer, Tenet Failed to Prevent January 2022 Data Breach, Class Action Claims

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action claims Conifer Revenue Cycle Solutions and parent company Tenet Healthcare Corporation are responsible for a January 2022 data breach that impacted potentially thousands of consumers.

If you’re a Facebook user who’s used a hospital website operated by Tenet Healthcare between 2021 and June 2023 for healthcare services, let us know here.

The 36-page case says that Conifer, which provides revenue cycle management to healthcare providers, conducts its business by storing sensitive data belonging to current and former patients of its clients. According to the lawsuit, cybercriminals were able to infiltrate Conifer’s network and access consumers’ personal and health information on January 20 last year due to the defendants’ failure to implement adequate cybersecurity measures.

Although affected individuals have never directly done business with Conifer, the complaint contends that the data breach exposed their full names, home addresses, dates of birth, medical and treatment information, health insurance information and billing and claims details. The cyberattack may have also compromised third-party consumers’ Social Security numbers, driver’s license numbers and financial account information, the filing says.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

It wasn’t until April 14 that Tenet and Conifer discovered that they had been hacked by an unauthorized actor, who reportedly gained access to a Microsoft Office 365-hosted business email account, the suit relays.

“In other words, Defendants had no effective means to prevent, detect, stop, or mitigate breaches of their systems—thereby allowing cybercriminals unrestricted access to patients’ Sensitive Information,” the case reads.

Tenet and Conifer then waited until August 12, 2022 to begin notifying their client healthcare providers, and then the companies finally informed data breach victims on September 30 that their information had been stolen, the complaint claims.

Per the suit, the defendants’ negligence has subjected impacted individuals to a “present, continuing, and significant” risk of identity theft and fraud, as their private information may be traded on the dark web for years to come.

The lawsuit alleges that Tenet and Conifer were obligated to protect third-party consumers’ sensitive information in accordance with their own internal policies and state and federal law. Specifically, the companies were required under the Health Insurance Portability and Accountability Act (HIPAA) to employ necessary technical safeguards to ensure that consumers’ protected health information remained confidential, the filing states.

The case goes on to note that another Conifer entity, Conifer Value-Based Care, LLC, fell victim to a separate cyberattack in March 2022. In its August 2022 notice letter, Conifer told consumers that the incident involved their names, addresses, dates of birth, health insurance information, medical information and Social Security numbers, the suit relays.

“The proximity of these two serious data breaches make [sic] clear that Defendants were not adequately protecting the sensitive information it possessed,” the complaint asserts.

The lawsuit looks to cover anyone in the United States whose personally identifiable information or protected health information was compromised in the data breach discovered by Tenet and Conifer in January 2022.

If you’re a Facebook user who’s used a hospital website operated by Tenet Healthcare between 2021 and June 2023 for healthcare services, let us know here.