Data Media Associates Hit with Class Action Over Data Breach Announced in August 2023

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action alleges the failure of Data Media Associates (DMA) to adequately safeguard consumers’ personal and health information resulted in a “massive and preventable” data breach earlier this year.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.

The 47-page case says that in early June 2023, DMA, a healthcare billing services provider, became aware of a Cybersecurity and Infrastructure Security Agency alert that hackers had targeted MOVEit, a widely used file transfer platform. An investigation concluded later that month that the MOVEit security incident compromised highly sensitive, unencrypted information DMA maintained on its “inadequately protected” servers, the lawsuit states.

According to the filing, information impacted in the breach included consumers’ names, dates of birth, addresses, treatment information, provider names, patient identification numbers, diagnosis codes, health insurance information, health insurance ID numbers and Social Security numbers.

The filing says that DMA was obligated under the Health Insurance Portability and Accountability Act (HIPAA) to keep consumers’ health information confidential and protect it from unauthorized disclosure. The defendant also failed to comply with other applicable laws, regulations and industry standards relating to data security, the suit contends. 

As a result of DMA’s apparent negligence, data breach victims have been exposed to a “substantially increased risk of fraud, identity theft, and misuse” as their information will likely end up for sale on the dark web, the complaint stresses.

After reportedly discovering the breach in June, DMA then waited until August 23 to begin notifying victims whose information may have been impacted, the case says. 

The following day, DMA posted on its website a notice of the data breach, stating that it had taken “all remediation measures recommended by the MOVEit software developers” and “will be evaluating additional safeguards that can be put in place to further enhance the security of the data entrusted to it.”

However, the case says, the company’s notice lacks “sufficient information on how the breach occurred, what safeguards have been taken since then to safeguard further attacks, and/or where the information hacked exists today.” 

The lawsuit looks to represent anyone in the United States whose protected health information and/or personally identifiable information was exposed to unauthorized third parties as a result of the data breach discovered by Data Media Associates in June 2023.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.