Connexin Software Facing Another Class Action Over August 2022 Data Breach
Last Updated on July 8, 2024
Green v. Connexin Software, Inc.
Filed: February 4, 2023 | 2:23-cv-00450
Connexin Software faces another proposed class action over an allegedly “foreseeable” and “preventable” August 2022 data breach that exposed the personal and health information of more than 2.2 million patients.
The 56-page case claims that Connexin, which does business as Office Practicum and provides electronic medical records and management software for pediatric practices, detected on August 26 of last year that some files on some of its systems had been encrypted. After an investigation, Office Practicum determined the following month that an “unauthorized party” had accessed the Connexin servers and that some data had been removed by the intruder, the filing says.
Per the company’s online notice of the incident, the cybercriminal removed files containing patients’ names, parents’/guardians’ names, home and email addresses, dates of birth, Social Security numbers, health insurance information, medical and/or treatment details and billing and/or claims information.
Connexin has reported that 2,216,365 individuals and 199 healthcare insurance companies and service providers have been impacted by the breach, the complaint relays.
As an entity that stores personal health information, Connexin was obligated under the Health Insurance Portability and Accountability Act (HIPAA) to maintain patient confidentiality by employing proper safeguards, the suit explains. However, the case contends, the incident was a direct result of the company’s failure to implement cybersecurity measures that would have adequately protected consumers’ data.
“Moreover, it appears that the Private Information was stored unencrypted [on Connexin’s computer network] and had proper encryption practices been implemented, the cyber attacker would have exfiltrated only unintelligible data,” the suit adds.
Connexin was also required under the HIPAA Breach Notification Rule to notify all affected individuals “without unreasonable delay and in no case later than 60 days following [the] discovery of the breach,” the complaint relays. Although the cyberattack was detected on August 26, Connexin waited until November to inform victims of the breach, the case says.
“[Connexin]’s failure to timely notify the victims of its Data Breach meant that Plaintiff and Class Members were unable to take affirmative measures to prevent or mitigate the resulting harm,” the suit reads, stating that affected individuals now face a heightened risk of fraud and identity theft that may last for the rest of their respective lifetimes. “In some cases, it did not notify patients at all.”
The complaint argues that the 12 months of identity theft monitoring services Connexin has offered victims is “inadequate” given that they will have to pay out of pocket for additional protective measures long after the offer expires.
According to the case, the company’s notice failed to provide patients with several crucial details, including how long Connexin’s systems were compromised, “the means and mechanism” of the breach, why the defendant waited three months to notify victims, details about its investigation of the incident and how it plans to prevent future cyberattacks. The last point is of particular concern since Connexin still possesses sensitive patient data.
“[Connexin]’s data security obligations were particularly important given the substantial increase in cyberattacks and/or data breaches in the healthcare industry and other industries holding significant amounts of [personally identifiable information] and [protected health information] preceding the date of the breach,” the filing states.
Connexin (Office Practicum) was hit with a proposed class action on January 11 in Pennsylvania federal court over the same data breach.
The lawsuit looks to cover anyone in the United States and its territories whose private information was compromised in the data breach detected by Connexin Software, Inc. on or about August 26, 2022.