QRS Hit with Class Action Over August 2021 Patient Portal Data Breach
by Erin Shaak
Last Updated on January 31, 2022
Tincher v. QRS, Inc.
Filed: January 3, 2022 | 3:22-cv-00001
QRS faces a class action over a data breach that reportedly exposed the health and personal information of more than 319,000 current and former patients.
Tennessee
QRS, Inc. faces a proposed class action over a data breach that reportedly exposed the health and personal information of more than 319,000 current and former patients last summer.
The 39-page lawsuit alleges the Knoxville, Tennessee-based healthcare technology services vendor, which hosts an electronic patient portal for healthcare providers, recklessly failed to protect the personally identifiable and health information with which it was entrusted by clients. As a result, an unauthorized actor in August 2021 gained entry to a QRS patient portal server for three days and accessed consumer names, Social Security numbers, dates of birth, patient numbers, portal usernames, and medical treatment or diagnosis details, according to the complaint.
Per the case, patients whose information was exposed now face a heightened risk of identity theft and fraud due to the defendant’s alleged conduct.
The lawsuit claims QRS could have prevented the data breach by implementing security measures recommended by the U.S. government, including a training program for employees; strong spam filters; firewall configurations that block access to known malicious IP addresses; patches for operating systems, software and firmware; regular automatic scans with anti-virus and anti-malware programs; and properly configured access controls. Moreover, both the U.S. Cybersecurity & Infrastructure Security Agency and Microsoft Threat Protection Intelligence Team have issued recommendations for detecting and preventing cyberattacks, the case adds.
The suit contends that the occurrence of the data breach shows that QRS failed to implement adequate data security measures despite its duty to protect patients’ sensitive information.
“By obtaining, collecting, and storing the PII [personally identifiable information] and PHI [protected health information] of Plaintiff and Class Members, Defendant assumed legal and equitable duties and knew or should have known that it was responsible for protecting the PII and PHI from disclosure,” the complaint reads.
The suit goes on to claim that QRS waited until late October 2021 to notify patients whose information was compromised and for whom the company had contact information. In the months between August and October 2021, victims of the data breach were unaware that their information had been compromised and that they were, and still are, at “significant risk of identity theft and various other forms of personal, social, and financial harm,” the lawsuit alleges.
Moreover, the case argues that QRS’s offer of 12 months of identity monitoring services is “wholly inadequate” to compensate data breach victims given they may face multiple years of identity theft and fraud.
“The ramifications of Defendant’s failure to keep secure the PII and PHI of Plaintiff and Class Members are long lasting and severe,” the complaint stresses. “Once PII and PHI is stolen, particularly Social Security numbers, fraudulent use of that information and damage to victims may continue for years.”
The lawsuit looks to represent anyone QRS identified as among the individuals impacted by the data breach, including those who were sent a notice of the incident.