Reventics Hit with Class Actions Over December 2022 Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Reventics, LLC has been hit with at least two proposed class actions over its alleged failure to adequately safeguard certain personal and health information, which resulted in a “massive and preventable” data breach discovered in December 2022.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The lawsuits claim that Reventics, which describes itself as a “clinical documentation improvement and revenue cycle management company,” failed to properly secure the personal and health information of at least 250,918 patients, customers and employees. According to the cases, cybercriminals infiltrated its “inadequately protected” network servers on December 15 and accessed a score of sensitive data.

Although Reventics says it discovered the ransomware attack on December 27, it waited until February 10 to publicly announce that cybercriminals had stolen affected individuals’ full names, dates of birth, Social Security numbers, financial information, healthcare provider’s name and address, health plan name, clinical data, the numeric codes used to identify services received from healthcare providers and descriptions of these codes, one filing claims. Another lawsuit says the breach also exposed consumers’ medical record numbers, patient account numbers, and driver’s license and other government-issued ID numbers.

Before the company directly notified victims of the incident in late February and early March, a February 19 report published by DataBreaches.net announced that the Royal ransomware group had leaked more than 16 GB of files exfiltrated from Reventics’ servers onto their dark web leak site on February 13, one case relays.

“As of this writing, there exist many class members who have no idea their [sensitive personal information] has been compromised, and that they are at significant risk of identity theft and various other forms of personal, social, and financial harm,” the case reads. “The risk will remain for their respective lifetimes.”

The suits allege that Reventics could have prevented the incident had it properly encrypted its computer servers. Per the cases, Reventics’ failure to comply with applicable industry standards to protect consumers’ confidential personal and health information violates the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act.

“Defendant’s negligence in safeguarding Representative Plaintiff’s and Class Members’ [protected health information/personally identifiable information] is exacerbated by repeated warnings and alerts directed to protecting and securing sensitive data, as evidenced by the trending data breach attacks in recent years,” one case states. “The healthcare industry has experienced a large number of high-profile cyberattacks even in just the short period preceding the filing of this Complaint and cyberattacks, generally, have become increasingly more common.”

The lawsuits look to cover anyone in the United States whose protected health information or personally identifiable information was exposed to unauthorized third parties as a result of the data breach discovered by Reventics in December 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.