Tennessee Orthopaedic Clinics Facing Class Action Over March 2023 Data Breach
Cadenas v. TOC Enterprises, Inc.
Filed: June 12, 2023 ◆§ 3:23-cv-00598
A class action lawsuit claims the “outdated” and “negligent” cybersecurity practices of Tennessee Orthopaedic Clinics resulted in a data breach announced by the medical treatment center in May 2023.
Tennessee
A proposed class action lawsuit claims the “outdated” and “negligent” cybersecurity practices of Tennessee Orthopaedic Clinics (TOC) resulted in a data breach announced by the medical treatment center in May 2023.
Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.
The 34-page lawsuit says that though TOC first detected unusual activity on its computer systems on May 2, a subsequent investigation revealed that hackers had infiltrated the network and had “unfettered access” to the sensitive records stored there for more than four days between March 20 and 24 of this year. The suit relays that the data compromised in the breach included current and former patients’ names, contact details, dates of birth, diagnosis and treatment information, dates and costs of services, provider names and prescription and health insurance details.
The treatment center for bone, joint and soft tissue disorders—a division of surgery group Tennessee Orthopaedic Alliance, P.A.—first reported the cyberattack in mid-May using “a place-holder indicating that ‘500’ individuals were affected,” the case explains. However, the complaint contends that victims of the breach may actually number in the thousands.
The filing argues that TOC failed to implement updated cybersecurity practices to protect patient data from unauthorized disclosure, leaving its network as an “unguarded target for theft and misuse.”
“[TOC’s] use of outdated and insecure computer systems and software that are easy to hack, and its failure to maintain adequate security measures and an up-to-date technology security strategy, demonstrates a willful and conscious disregard for privacy, and has exposed the private information of potentially thousands of [victims] to unscrupulous criminals.”
As of the date of the filing, the defendant has not yet sent out notices to affected individuals—an alleged violation of Tennessee law, which requires companies to notify victims within 45 days of a breach, the lawsuit shares.
Further, TOC’s “bare-bones” online breach notice, which it posted on its website in May 2023, “obfuscated the nature of the breach and the threat it posed” and did not provide details about how many patients were impacted, how the hackers gained entry or why it took over two months to publicly announce the incident, the suit charges.
As of the filing of the complaint, the defendant had not offered victims any form of credit monitoring services, despite the lifelong risks of identity theft and fraud that affected individuals now face as a result of TOC’s negligence, the case claims.
The lawsuit looks to represent anyone whose personal information was compromised in the data breach discovered by Tennessee Orthopaedic Clinics in May 2023.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.
Read more here: Hair Relaxer Cancer Lawsuits
How Do I Join a Class Action Lawsuit?
Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?
Read more here: How Do I Join a Class Action Lawsuit?
Stay Current
Sign Up For
Our Newsletter
New cases and investigations, settlement deadlines, and news straight to your inbox.
Before commenting, please review our comment policy.