EMSI Facing Class Action Over 2023 Data Breach Affecting 540K People

New to ClassAction.org? Read our Newswire Disclaimer

Electrostim Medical Services, Inc., which does business as EMSI, has been hit with a proposed class action over a 2023 data breach that reportedly affected about 540,000 current and former customers.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

According to the 78-page case, an “unknown and unauthorized third party” gained access to the medical device company’s network and stole files containing unencrypted customer data between April 27 and May 13, 2023.

The EMSI data breach case says that the “foreseeable and preventable” cyberattack exposed customers’ names, addresses, emails, phone numbers, diagnoses, insurance information and the medical devices they were prescribed and billed for.

The lawsuit alleges the data breach was a direct result of the defendant’s negligence and would not have occurred had EMSI implemented reasonable cybersecurity measures.

“Defendant could have prevented this data breach by properly securing and encrypting the files and file servers containing the private information of plaintiff and class members,” the suit contends. Per the case, EMSI “knew or should have known” of the risks associated with overlooking its data security obligations given the prevalence of recent high-profile cyberattacks, especially in the healthcare industry.

The filing stresses that affected individuals now face a heightened risk of identity theft or fraud and may be forced to spend a substantial amount of time and money mitigating the effects of the breach.

Although EMSI claims to have detected the intrusion in mid-May 2023, the company waited more than six months before it began to notify data breach victims, the filing shares. The case argues that the defendant’s notice letter, which was sent around December 28, is deficient in that it failed to reveal “critical facts” about the incident, including details about its root cause, the vulnerabilities that were exploited and what steps have been taken to ensure data is safeguarded in the future.

“Without these details,” a victim’s ability to mitigate the harms caused by the exposure of their private information is “severely diminished,” the case contends.

The lawsuit looks to cover anyone in the United States whose private information was maintained on EMSI’s computer systems that were compromised in the data breach announced by the company in December 2023.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.