Practice Resources Facing Class Action Over 2022 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Practice Resources, LLC faces a proposed class action after the medical billing services provider was targeted by cybercriminals during an April 2022 data breach. 

The 57-page complaint says that the data stolen from Syracuse, New York-based Practice Resources on or around April 12 includes patient and employee names, home addresses, treatment dates, birth dates, health plan and Social Security numbers and medical record information. 

According to reports, more than 924,000 individuals have been sent notice of the Practice Resources data breach. 

The case blames the incident on Practice Resources’ alleged failure to “exercise reasonable care” in protecting patients’ and employees’ sensitive personal data, which it obtained through its client relationships with dozens of hospitals and medical providers. 

“The Breach occurred because Defendant failed to take reasonable measures to protect the [personally identifiable information] it collected and stored. Among other things, Defendant failed to implement data security measures designed to prevent this attack, despite repeated warnings to the healthcare industry, insurance companies, and associated entities about the risk of cyberattacks and the highly publicized occurrence of many similar attacks in the recent past on other healthcare providers.” 

Per Syracuse.com, Practice Resources’ clients whose records may have been impacted by the data breach include: 

• Achieve Physical Therapy, PC;
• CNY Obstetrics and Gynecology, P.C.;
• Community Memorial Hospital, Inc;
• Crouse Health Hospital, Inc;
• Crouse Medical Practice PLLC;
• Family Care Medical Group, PC;
• Fitness Forum Physical Therapy, PC;
• FLH Medical PC;
• Greece Dermatological Associates, PC;
• Guidone Physical Therapy, PC;
• Hamilton Orthopedic Surgery & Sports Medicine;
• Helendale Dermatological and Medical Spa, PLLC;
• Kudos Medical, PLLC;
• Laboratory Alliance of Central New York, LLC;
• Liverpool Physical Therapy, PC;
• Michael J Paciorek, MD PC;
• Nephrology Associates of Watertown, PC;
• Nephrology Hypertension Associates of CNY, PC;
• Orthopedics East, PC;
• Salvation Army;
• Soldiers & Sailors Memorial Hospital—Physician Practices;
• St. Joseph’s Medical;
• Surgical Care West, PLLC;
• Syracuse Endoscopy Associates, LLC;
• Syracuse Gastroenterological Associates, PC;
• Syracuse Pediatrics;
• Tully Physical Therapy; and
• Upstate Community Medical, PC.

Although the company discovered the “first signs” of the ransomware attack in April and concluded its internal investigation in June, Practice Resources did not begin notifying victims until at least August 4, the suit states. As a result of the delay, victims face, and will face for years to come, a heightened risk of identity theft, fraud, unauthorized credit card charges and other harm related to the misuse of their personal information, the filing says. 

The lawsuit states that Practice Resources has offered no explanation for the delay between when it first discovered the data breach and when it began notifying victims. Moreover, the case contends that the defendant’s notice was “woefully deficient” in that it lacked certain “basic details,” including how the hackers accessed Practice Resources’ networks, whether the affected information was encrypted, whether the breach was system-wide and how many people were affected by the cyberattack. 

Further, the complaint argues that the defendant’s offer of 12 months of credit monitoring is “woefully inadequate” as it only alerts consumers to the misuse of their information after it has already happened, which might not occur until years after a data breach. 

The suit contends that Practice Resources’ failure to protect the sensitive data in its care was “especially egregious” given the company operates in an industry that’s frequently a target of scammers and hackers. 

The case looks to represent all United States residents whose private information was compromised as a result of the Practice Resources data breach discovered on or about April 2022 and were sent notice of the incident.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.