
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Consolidated Class Action Lawsuit Filed Against Shields Health Care Group Over 2 Million-Record Data Breach

Multiple lawsuits have been filed against Massachusetts-based Shields Health Care Group, which suffered one of the largest healthcare data breaches of the year, affecting more than 2 million individuals. Seven of the lawsuits have recently been consolidated into a single lawsuit – Biscan v. Shields Health Care Group Inc. – that was filed in a Massachusetts federal court this week. The lawsuit covers all individuals affected by the data breach who did not live in Massachusetts at the time of the breach. A second lawsuit has been filed in state court that covers Massachusetts residents.

Shields Health Care Group provides MRI, PET/CT, radiation oncology, and surgical services to healthcare practices, around 60 of which were affected by the breach. Hackers gained access to its network and stole the protected health information of patients over a two-week period in March 2022. The stolen data included names, contact information, Social Security numbers, insurance information, billing information, and clinical information such as diagnoses and treatment information. Affected individuals were offered a 2-year membership to a credit monitoring service.

The plaintiffs allege Shields Health Care Group failed to implement appropriate safeguards to prevent unauthorized access to highly sensitive patient data, and then failed to issue timely notifications to inform patients that their data was in the hands of cybercriminals. They also allege that the notification letters did not provide adequate information to allow the affected individuals to take appropriate action to assess and mitigate risk.

The lawsuits allege Shields Health Care Group was fully aware of the risk of hacking and ransomware attacks on healthcare organizations given the multiple security alerts issued by the FBI, CISA, and the HHS, yet failed to implement adequate measures to reduce risk, which was in violation of its obligations under the HIPAA Security Rule.


Shields Health Care Group said a security alert was triggered on March 18, 2022, which was investigated, but no breach was detected. Then, suspicious activity was identified within its network on March 28, 2022. The investigation confirmed patient data had been compromised. Notifications were issued to affected individuals on June 7, 2022, outside the reporting time frame of the HIPAA Breach Notification Rule.

The lawsuits claim notifications were untimely and deficient in information, failing to even provide basic information about the breach, such as whether patient data on the servers was accessed. The lawsuit also alleges that the credit monitoring services offered were inadequate, given that affected individuals face many years of ongoing identity theft.

While many lawsuits are filed based on future risk of harm, the plaintiffs claim to have suffered financial losses as a result of the breach and have had to spend a significant amount of time monitoring their financial accounts. One plaintiff said suspicious activity was identified in his email account, and he had thousands of dollars of fraudulent charges to his Bank of America account, and another plaintiff claims to have been targeted by scammers over the phone since the data breach.

The lawsuit alleges negligence, breach of contract, invasion of privacy by intrusion, and breach of fiduciary duty, and seeks class action status, damages, and injunctive relief.

Update: May 2025: A $15.35 million settlement has been agreed to resolve a consolidated class action lawsuit over the data breach.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
