Sav-Rx Sued Over 2.8 Million-Record Data Breach
A class action lawsuit has been filed against A&A Services, a medication benefits management service provider that operates as Sav-Rx, over a data breach in October 2023 that affected 2.8 million individuals.
On or around October 3, 2023, hackers accessed the Sav-Rx network and exfiltrated files containing the protected health information of employees and clients’ health plan members. The breach was detected on October 8, 2023, and the file review confirmed names, contact information, dates of birth, and Social Security numbers had been stolen. Sav-Rx said it was provided with the final results of its file review on April 30, 2024, and the affected individuals were notified about the breach on May 10, 2024, and were offered complimentary credit monitoring and identity theft protection services.
On June 5, 2024, a class action lawsuit was filed in the U.S. District Court for the District of Nebraska by Rodney Hill, whose protected health information was compromised in the cyberattack. The lawsuit alleges the defendant failed to implement reasonable and appropriate cybersecurity procedures and protocols and maintained sensitive data in a reckless manner. The lawsuit claims a cyberattack was foreseeable since Sav-Rx stored large amounts of sensitive data that cybercriminals actively target and that the attack and data breach were preventable. The lawsuit alleges that Sav-Rx failed to meet its obligations under HIPAA, contract law, common law, Federal Trade Commission guidelines, and industry standards.
The lawsuit also alleges Sav-Rx failed to issue timely notifications. While detailed information was provided about the breach in the notifications, there were some major omissions, such as how the breach occurred, the vulnerabilities that were exploited, and the measures that would be implemented to prevent further data breaches. The lawsuit claims the missing information affected the ability of the plaintiff and class members to mitigate the harmful effects of the data breach.
The lawsuit alleges the plaintiff and class face a heightened and imminent risk of identity theft and fraud, have incurred out-of-pocket expenses, and have suffered a diminution of the value of their personally identifiable information and other harms. The lawsuit alleges negligence, breach of third-party beneficiary contract, and unjust enrichment and seeks class certification, a jury trial, damages, equitable relief, and injunctive relief, including an order from the court for a raft of measures to be implemented to improve security and prevent further data breaches.


