Class-Action for Advanced Data Processing Breach Denied
An Advanced Data Processing breach lawsuit was recently filed in a Florida court, with the case taking just 24 hours to be tossed by the judge. In this case, the judge ruled that the move to certify the class was premature, and the case was denied, even though the plaintiff alleges to have suffered identity theft as a direct result of the data breach.
In the lawsuit, the plaintiffs allege that in 2012, the healthcare clearinghouse suffered a data breach that exposed the Protected Health Information (PHI) for several months. The data stolen is alleged to have been used to steal identities and fraudulently obtain funds from the IRS. The suit also claims there was a delay in issuing breach notification letters to victims, some of whom were not notified of the theft of their data for three years. The data breach affected 27 agencies in 17 states, and in total 10,000 individuals had their data stolen and potentially sold to an identity theft ring.
One plaintiff, Yehonatan Weinberg, claimed to have visited a Californian hospital in 2012, yet received a breach notification letter in April 2015. The breach was discovered by the clearinghouse in October 2012. It is also alleged that the media notice, required under HIPAA Rules, was not placed in a prominent location, and as a result it was not noticed. The notice was placed on the website of a company called Intermedix, a business associate of ADP. As a result, the majority of breach victims would not be aware of the company, or to check its website regularly for news relating to them.
The data was stolen by a former employee who had allegedly viewed patient names, Social Security, dates of birth and health information of patients who had called ambulances to take them to hospital. That data was then sold to identity thieves who used the information to file fraudulent tax returns with the IRS. The suit cites HIPAA and NIST regulations as having been violated.
The judge, ruled “To act diligently, a named plaintiff need not file a class-certification motion with the complaint or prematurely; it is enough that the named plaintiff diligently takes any necessary discovery, complies with any applicable local rules and scheduling orders, and acts without undue delay.” The Advanced Data Processing breach lawsuit was subsequently denied without prejudice.