Several lawsuits were filed against Shields Health Care Group in Massachusetts over one of the largest healthcare data breaches of 2022, which affected nearly 2 million people. The lawsuits have been consolidated into a single case, Biscan v. Shields Health Care Group Inc, which was filed in a Massachusetts federal court this week.
Shields Health Care Group provides MRI, CT/PET, radiation, surgical, and oncology services to medical practices. The breach in March 2022 affected about 60 of those practices. Hackers gained access to its systems and, over a two-week period, exfiltrated the protected health information (PHI) of patients. The stolen information included names, contact details, Social Security numbers, insurance details, billing data, and clinical data such as diagnoses and treatment details. The company offered affected individuals two years of credit monitoring services.
The plaintiffs claim Shields Health Care Group failed to implement appropriate safeguards to prevent unauthorized access to sensitive patient information, and then failed to notify patients promptly that their information was in the hands of cybercriminals. The notification letters, they say, lacked the information victims needed to assess and mitigate their risk.
The lawsuit claims Shields Health Care Group was aware of the threat of hacking and ransomware attacks on healthcare providers, given the many security alerts issued by HHS, CISA, and the FBI, yet failed to implement adequate procedures to reduce that risk, in violation of the requirements of the HIPAA Security Rule.
Shields Health Care Group stated that a security alert on March 18, 2022 prompted an investigation, which found no evidence of a breach. On March 28, 2022, suspicious activity was detected within its systems. An investigation confirmed that patient data had been compromised, and notification letters were sent to the victims on June 7, 2022, which was beyond the reporting deadline set by the HIPAA Breach Notification Rule.
According to the lawsuit, the notifications were delayed and lacking in detail, failing to provide even basic information about the breach; for example, they did not state that hackers had accessed patient data. The lawsuit also claims the credit monitoring services provided were inadequate, given that affected individuals face a risk of identity theft for many years to come.
Although many data breach lawsuits are filed on the basis of potential future harm, the plaintiffs in this case claim to have suffered actual financial losses as a result of the breach and to have spent considerable time monitoring their financial accounts. One plaintiff reported suspicious activity in his email account and thousands of dollars of fraudulent transactions on his Bank of America account. Another plaintiff states that scammers targeted them by phone because of the data breach.
The consolidated lawsuit alleges breach of contract, negligence, breach of fiduciary duty, and invasion of privacy by intrusion, and seeks class-action status, injunctive relief, and damages.