Upstream Rehabilitation Hit with Class Action Over Data Breach Announced in September 2023
Sawyer v. Upstream RollCo LLC
Filed: September 28, 2023 ◆§ 2:23-cv-01293-AMM
Upstream Rehabilitation faces a class action over a cyberattack that reportedly occurred in early 2023 and compromised the personal information of current and former patients.
Upstream Rehabilitation faces a proposed class action over a cyberattack that reportedly occurred in early 2023 and compromised the personal information of current and former patients.
Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.
The 80-page lawsuit says that the cyberattack experienced by Upstream RollCo LLC—which does business as Upstream Rehabilitation—exposed individuals’ names, diagnoses, medical record and patient account numbers, treatment data, health insurance subscriber numbers and other health insurance information.
The suit argues that the company, a nationwide provider of outpatient physical therapy, “negligently” failed to implement reasonable cybersecurity practices to protect patient data, which was allegedly stored unencrypted and unredacted in the defendant’s system.
A September 15 notice letter relays that after the company detected “suspicious activity related to certain employee email accounts,” a subsequent investigation concluded that files stored in the affected email accounts may have been acquired by an unauthorized third party between January 24 and January 31, as well as between February 3 and February 9 of this year.
According to the case, the notice letter sent to victims lacked crucial information about the incident, such as the date the unusual activity was discovered in the network, how cybercriminals gained access, why it took several months to notify impacted individuals of the data breach and what steps are being taken to ensure information is safeguarded in the future.
Given the prevalence of cyberattacks in the medical industry in recent years, Upstream Rehabilitation should have understood that the sensitive data entrusted to it would be a target for cybercriminals, the complaint contends. The company, therefore, should have taken commensurate measures to secure the information, the filing states.
As the lawsuit tells it, the defendant has only offered affected individuals 12 months of identity monitoring services, a gesture which the case claims is “wholly inadequate” in light of the lifelong risks of fraud and identity theft that victims now face.
The plaintiff, a Georgia resident and Upstream Rehabilitation patient, received notice in September informing him that his personal data had been compromised in the breach, the suit says. Like other victims, the man’s confidential information is now at a greater risk of illegal misuse as a result of the company’s negligence, the complaint alleges.
The lawsuit looks to represent anyone in the United States whose private information was accessed or acquired by an unauthorized party as a result of the data breach reported by Upstream Rehabilitation on September 15, 2023.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.
Read more here: Hair Relaxer Cancer Lawsuits
How Do I Join a Class Action Lawsuit?
Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?
Read more here: How Do I Join a Class Action Lawsuit?
Stay Current
Sign Up For
Our Newsletter
New cases and investigations, settlement deadlines, and news straight to your inbox.
Before commenting, please review our comment policy.