in Newswire Published on October 6, 2022

Physician's Business Office Failed to Prevent 2022 Data Breach, Class Action Alleges

by Kelly Mehorter

Last Updated on October 10, 2022

View Comments

Freeland V. Physician's Business Office, Inc.

Filed: October 4, 2022 § 2:22-cv-00431

Read Complaint

A class action claims that the failure of Physician’s Business Office to safeguard health and personal information resulted in a massive data breach.

Defendant(s)

Physician's Business Office

Law(s)

State(s)

West Virginia

Categories

Privacy Data Breach

A proposed class action claims that the failure of Physician’s Business Office to adequately safeguard the health and personally identifiable information of nearly 200,000 customers, patients, employees and children resulted in a “massive” data breach earlier this year.

The 46-page lawsuit alleges Physician’s Business Office, a medical billing and physician practice management company, failed to implement reasonable cybersecurity procedures to protect proposed class members’ sensitive data. The case claims that although the data breach was detected in April 2022, Physician’s Business Office waited to disclose the cyberattack to the at least 196,573 victims until September 2022.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The cybercriminals behind the incident gained access to consumers’ full names, home address, dates of birth, Social Security numbers, driver’s license numbers, medical treatment and diagnosis information, diagnosis codes, prescription details and health insurance account information, the filing says. In its notice to victims, Physician’s Business Office did not state when or for how long the data breach occurred, the complaint says.

The case argues that Physician’s Business Office was obligated under the federal Health Insurance Portability and Accountability Act (HIPAA) to protect the confidential consumer data entrusted to it by clients. According to the lawsuit, the cyberattack was foreseeable due to “repeated warnings and alerts directed to protecting and securing sensitive data.” Likewise, the HIPAA Journal reported significant spikes in healthcare data breaches throughout 2020 and 2021, the suit relays.

Physician’s Business Office’s alleged disregard for mandated privacy and cybersecurity standards was “intentional, willful, reckless and/or grossly negligent,” the complaint scathes.

Additionally, the HIPAA Breach Notification Rule states that individuals affected by a data breach must be notified “without unreasonable delay and in no case later than 60 days following discovery of the breach,” the case explains. The suit alleges Physician’s Business Office waited five months to notify victims.

The ramifications of the data breach are “long lasting and severe” for its victims, the complaint asserts. As the case tells it, the sensitive information compromised in the data breach is highly valued on the “cyber black market.”

“For instance, identity thieves may commit various types of government fraud such as immigration fraud, obtaining a driver’s license or identification card in the victim’s name but with another’s picture, using the victim’s information to obtain government benefits, or filing a fraudulent tax return using the victim’s information to obtain a fraudulent refund.”

The lawsuit looks to represent individuals within the United States whose protected health information, personally identifiable information, and/or financial information was stored by Physician’s Business Office and exposed to unauthorized third parties as a result of the data breach discovered in April 2022.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

Case Spotlight

Video Game Addiction Lawsuits

If your child suffers from video game addiction — including Fortnite addiction or Roblox addiction — you may be able to take legal action. Gamers 18 to 22 may also qualify.

Learn more:Video Game Addiction Lawsuit

Depo-Provera Lawsuits

Anyone who received Depo-Provera or Depo-Provera SubQ injections and has been diagnosed with meningioma, a type of brain tumor, may be able to take legal action.

Read more: Depo-Provera Lawsuit

How Do I Join a Class Action Lawsuit?

Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?

Read more here: How Do I Join a Class Action Lawsuit?

ClassAction.org Newsletter

Stay Current

Sign Up For
Our Newsletter

New cases and investigations, settlement deadlines, and news straight to your inbox.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on October 10, 2022 — 9:27 AM

Kelly Mehorter

kelly@classaction.org

Kelly works primarily on ClassAction.org’s newswire, reporting on cases as they happen.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.