Nuvance, Health Quest Hit with Another Class Action Over 2018 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Nuvance Health and Health Quest Systems, Inc. have been hit with another proposed class action after announcing a data breach that reportedly exposed the personal information of over 28,900 patients. The lawsuit alleges the defendants failed to take “reasonable measures” to protect patients’ sensitive information and chides the companies for “inexplicably” waiting 11 months before notifying affected individuals of the breach.

The 41-page lawsuit out of New York explains that Nuvance and Health Quest operate seven hospitals in the state’s Hudson Valley region and western Connecticut. As healthcare providers, the companies are entrusted with “some of the most sensitive and personal information imaginable,” the case argues, stressing that patients reasonably expect their data to be protected in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Despite the defendants’ legal obligation to secure patients’ personal and medical information, the companies revealed in a May 31, 2019 website post that they had learned of a “phishing incident” nearly 11 months earlier during which cybercriminals had gained access to personal and medical information pertaining to patients who were treated between January and June 2018. Among the compromised data were patients’ Social Security numbers, addresses, credit card numbers, bank account information, provider names, dates of treatment, diagnosis information, and health insurance claims information, the case says. In subsequent letters mailed to affected patients, the defendants offered no explanation for the delay in notification, according to the lawsuit.

The suit goes on to state that Nuvance and Health Quest released another notice in January 2020 in which the companies admitted that the scope of the breach was broader than previously acknowledged, revealing that even more personal and medical information may have been exposed in the incident.

The lawsuit alleges that the security breach occurred because the defendants failed to maintain “basic security measures,” including multi-factor authentication, complex data encryption, and proper employee training, despite representing to patients that their information would be protected. Moreover, the case claims the healthcare providers “exacerbated the injuries” resulting from the breach by waiting 11 months to notify affected patients, plus another seven months to fully disclose the scope of the breach. According to the lawsuit, the defendants have yet to individually notify patients regarding which specific data was compromised.