Physician's Business Office Failed to Prevent 2022 Data Breach, Class Action Alleges
Last Updated on October 10, 2022
Freeland v. Physician's Business Office, Inc.
Filed: October 4, 2022 § 2:22-cv-00431
A class action claims that the failure of Physician’s Business Office to safeguard health and personal information resulted in a massive data breach.
A proposed class action claims that the failure of Physician’s Business Office to adequately safeguard the health and personally identifiable information of nearly 200,000 customers, patients, employees and children resulted in a “massive” data breach earlier this year.
The 46-page lawsuit alleges Physician’s Business Office, a medical billing and physician practice management company, failed to implement reasonable cybersecurity procedures to protect proposed class members’ sensitive data. The case claims that although the data breach was detected in April 2022, Physician’s Business Office waited until September 2022 to disclose the cyberattack to the at least 196,573 victims.
The cybercriminals behind the incident gained access to consumers’ full names, home addresses, dates of birth, Social Security numbers, driver’s license numbers, medical treatment and diagnosis information, diagnosis codes, prescription details and health insurance account information, the filing says. In its notice to victims, Physician’s Business Office did not state when or for how long the data breach occurred, the complaint says.
The case argues that Physician’s Business Office was obligated under the federal Health Insurance Portability and Accountability Act (HIPAA) to protect the confidential consumer data entrusted to it by clients. According to the lawsuit, the cyberattack was foreseeable due to “repeated warnings and alerts directed to protecting and securing sensitive data.” Likewise, the HIPAA Journal reported significant spikes in healthcare data breaches throughout 2020 and 2021, the suit relays.
Physician’s Business Office’s alleged disregard for mandated privacy and cybersecurity standards was “intentional, willful, reckless and/or grossly negligent,” the complaint charges.
Additionally, the HIPAA Breach Notification Rule states that individuals affected by a data breach must be notified “without unreasonable delay and in no case later than 60 days following discovery of the breach,” the case explains. The suit alleges Physician’s Business Office waited five months to notify victims.
The ramifications of the data breach are “long lasting and severe” for its victims, the complaint asserts. As the case tells it, the sensitive information compromised in the data breach is highly valued on the “cyber black market.”
“For instance, identity thieves may commit various types of government fraud such as immigration fraud, obtaining a driver’s license or identification card in the victim’s name but with another’s picture, using the victim’s information to obtain government benefits, or filing a fraudulent tax return using the victim’s information to obtain a fraudulent refund.”
The lawsuit looks to represent individuals within the United States whose protected health information, personally identifiable information, and/or financial information was stored by Physician’s Business Office and exposed to unauthorized third parties as a result of the data breach discovered in April 2022.