A specialty pharmacy based in Florida is dealing with a class-action lawsuit concerning an October 2021 cyberattack that resulted in the stealing of the personally identifiable information (PII) and protected health information (PHI) of around 350,000 patients.
BioPlus Specialty Pharmacy Services located in Altamonte Springs, FL stated a hacker got access to its network from October 25, 2021 to November 11, 2021, and in that time period viewed records that contain sensitive patient data. A computer forensics agency investigated the incident and affirmed the access of patient information. Because it can’t be determined how many individuals were affected, the healthcare provider decided to send breach notification letters to all 350,000 individuals on or around December 10, 2021, which is one month after the discovery of the data breach.
Data possibly compromised in the attack included names, dates of birth, contact details, Social Security numbers, medical record numbers, health insurance and claims data diagnoses, and prescription details. Affected people were provided a free 12-month subscription to credit monitoring services.
In late December, BioPlus patient Bonnie Gilbert along with her attorneys submitted a lawsuit in the U.S. District Court of the Middle District of Florida stating that BioPlus had violated the Health Insurance Portability and Accountability Act (HIPAA) by not being able to secure the confidentiality, integrity, and availability of its patients’ PHI.
The lawsuit claims negligence for failing to sustain acceptable data security procedures, failing to employ industry-standard data security procedures, and failing to practice reasonable care in the employment and oversight of its workers and agents. The lawsuit additionally alleges BioPlus failed to identify the attack and the exfiltration of sensitive information from its system and sent late breach notifications. The lawsuit states that if there was a reasonable amount of care taken and proper data security measures were in place, the attack may have been identified earlier and/or avoided.
The lawsuit states the plaintiff and class members have experienced many actual and imminent injuries because of the data breach, which include the theft of their PII and PHI, breach of privacy, a decrease in their PII and PHI’s economic value, emotional strain, and a substantial present and future threat of identity theft and financial fraudulence, along with incurring costs trying to offset and handle the effects of the security breach.
The lawsuit seeks a jury trial, class action certification, injunctive relief, declaratory relief, and monetary settlement. Morgan & Morgan and Markovits, Stock, & DeMarco LLC represent the plaintiff.