QRS Data Breach Exposed Psych Care Consultants Patient Information, Class Action Alleges

New to ClassAction.org? Read our Newswire Disclaimer

Psych Care Consultants, LLC and patient portal vendor QRS, Inc. have been hit with a proposed class action in the wake of a data breach discovered in August 2021.

The 37-page lawsuit alleges the breach, in which unauthorized actors gained access to patients’ sensitive personal and health data over the course of at least three days, was a direct result of the defendants’ failure to take adequate steps to safeguard the information.

The case clams Psych Care Consultants (PCC), as a healthcare provider, and QRS, as the vendor entrusted by PCC with patients’ information, were obligated by the Health Insurance Portability and Accountability Act (HIPAA), industry standards, common law and representations made to patients to protect that data from unauthorized disclosure. Despite these obligations, the defendants maintained patients’ medical records “in a condition vulnerable to unknown, unsupervised, and unauthorized access” and failed to take the necessary steps to properly secure the data, the suit alleges.

As a result, patients whose information was compromised now face a heightened risk of identity theft and fraud, according to the case.

“Because of the Protected Information Security Failure, Plaintiffs no longer have autonomy and control over their medical and treatment histories,” the complaint reads. “They have no idea who may now have access to this information.”

In the course of providing psychiatric and psychological medical services, Psych Care shares protected patient information with QRS, who offers a patient portal that, among other functions, allows for payment processing and collections, the case relays.

The lawsuit states that QRS’s system on which PCC’s patient data was stored was compromised in late August 2021. Per the suit, the exposed information included patients’ names, Social Security numbers, dates of birth, patient numbers, portal usernames, addresses and treatment and diagnostic information. The case says that after patients were notified of the breach in November 2021, “acknowledged ransomware threat actors” claimed responsibility for the incident on November 30.

The suit argues that PCC failed to “exercise due care” in overseeing QRS’s handling of its patients’ private information and ensure that the vendor employed reasonable data security standards, such as deleting inactive records.

“PCC had an obligation to exercise oversight over QRS in a manner that would include immediate knowledge of any data security incident experienced by QRS that could affect PCC’s patients,” the complaint stresses.

According to the suit, although QRS claims to have notified PCC of the data breach within 10 days of its discovery, PCC failed to provide notice to patients.

“Rather, PCC’s patients had to hear about the failure from a vendor to whom they did not entrust their Protected Information,” the lawsuit says. “That notice did not come until November 26, 2021, i.e. 90 days after the Protected Information Security Failure was discovered.”

The case goes on to claim that the notice QRS provided to patients was not only late but “deficient” in that it failed to explain the oversight PCC exercised over its business associates or how the data breach occurred in the first place.

The lawsuit looks to represent Psych Care Consultants patients whose protected information was compromised in the data breach announced around November 26, 2021. The case also proposes to cover Illinois residents whose protected information was compromised in the data breach announced around November 26, 2021.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.