Imagine360 Facing Class Action Over February 2023 Cyberattack by Russian Hackers

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit claims healthcare company Imagine360 failed to protect the personal information of nearly half a million individuals from a cyberattack reportedly detected in January and early February 2023.

Did you receive a data breach email or letter from Imagine360? Let us know here.

The 46-page lawsuit says Imagine360 announced in June of this year that it had been affected by two data breaches in late January and early February 2023, both of which targeted third-party file-sharing platforms the company uses.

According to the defendant’s online notice of the incidents, the company discovered on January 30 that the file-sharing platform Citrix had been hacked. Then, on February 3, Imagine360 was notified by third-party vendor Fortra that its GoAnywhere file-transfer software had also fallen victim to a data breach, the notice says.

The suit relays that Clop, a Russia-linked ransomware group, claimed responsibility for the cyberattack against Fortra, which compromised data belonging to over 130 client organizations, including Imagine360.

The defendant, a Pennsylvania-based healthcare company that provides self-funded health insurance plans to employers, is accused of failing to ensure that Fortra and Citrix utilized sufficient data security measures to protect the personal information of its clients’ employees, the case explains.

According to the complaint, the private data compromised in the breach included employees’ names, addresses, dates of birth, Social Security numbers and medical billing and insurance information. Per the filing, the cyberattack also exposed certain medical information, such as diagnoses and medication details.

“Had [Imagine360] provided adequate supervision over its agents, vendors, and/or suppliers, it could have prevented the data breach,” the suit contends.

Further, although the cyberattacks purportedly occurred in January and early February of this year, the defendant did not notify victims of the breach until June, the case shares.

By collecting and storing the private information of its clients’ employees, Imagine360 was legally obligated to protect the data from falling into the hands of cybercriminals, the complaint charges.

The plaintiff in the case is an employee of Lapham-Hickey Steel Corp., an Imagine360 client that was impacted by the breach, the filing says. Like other victims, the plaintiff now faces a heightened risk of fraud, identity theft, phishing schemes and other illegal activity as a result of the company’s negligence, the suit alleges.

The lawsuit looks to represent anyone in the United States who was impacted by the data breach, including those who received a notice of the incident.

Did you receive a data breach email or letter from Imagine360? Let us know here.