Oral and Maxillofacial Surgery Associates Facing Class Action Over Feb. 2020 Data Breach
by Erin Shaak
Peticos v. Oral and Maxillofacial Surgery Associates, P.A.
Filed: November 25, 2020 § 7:20-cv-04106
A lawsuit alleges Oral and Maxillofacial Surgery Associates’ failure to implement proper security measures allowed patients’ data to be compromised in a breach.
A proposed class action alleges Oral and Maxillofacial Surgery Associates, P.A.’s failure to implement “basic data security practices” allowed patients’ information to be compromised in a February 2020 data breach.
Had Oral and Maxillofacial Surgery Associates (OMSA) fixed what the lawsuit calls “the deficiencies in its data security systems” and adopted reasonable security measures recommended by industry experts, the data breach would not have occurred, the plaintiff says.
OMSA boasts three offices across North and South Carolina, at which the practice provides wisdom teeth surgery, prepares patients for dental implants and performs corrective face and jaw surgery, among other services, the suit relays. According to the case, OMSA discovered in late April 2020 that an unauthorized person had accessed files on the company’s system on February 21.
Per the complaint, the files contained personally identifiable patient information (PII) and personal health information (PHI), including names, X-ray and other treatment-related images, and dates of birth, though the plaintiff avers the cyberattack included more sensitive information as well given the defendant’s offer of one year of free credit monitoring.
“Certainly, the concern was so comprehensive and deep that OMSA felt obligated to provide credit monitoring services for one year, something that would not have otherwise be [sic] required on the data that OMSA says was stolen, unless that data contained more sensitive information,” the complaint reads.
Although the breach occurred in February and was discovered in April, OMSA waited four months after the incident to notify affected patients via notices sent in June, the lawsuit states.
As the case tells it, the data breach occurred in part because of OMSA’s failure to follow Federal Trade Commission guidelines concerning data security. Per the lawsuit, OMSA failed to employ “reasonable and appropriate” security measures despite its knowledge of the sensitive nature of patients’ information and its obligation to protect that information.
“OMSA was always fully aware of its obligation to protect the PII of patients because of its position as a healthcare provider,” the complaint states. “OMSA was also aware of the significant repercussions that would result from its failure to do so.”
Moreover, the suit argues OMSA ignored “the abundance and availability” of cybersecurity best-practices information for the healthcare industry and, as a result, subjected patients to “long lasting and severe” ramifications, including a heightened risk of identity theft and fraud “for years to come.”
Originally filed in the County of Spartanburg, South Carolina Court of Common Pleas, the lawsuit was removed to the state’s district court on November 25, 2020.