Share this article on:
A Florida specialty pharmacy is facing a class action lawsuit over an October 2021 cyberattack in which the personally identifiable information (PII) and protected health information (PHI) of up to 350,000 patients were stolen.
Altamonte Springs, FL-based BioPlus Specialty Pharmacy Services said a hacker had access to its network from October 25, 2021, until November 11, 2021, and during that time viewed files containing sensitive patient data. A computer forensics firm investigated the breach and confirmed patient data had been accessed. Since it was not possible to determine how many patients had been affected, the decision was taken to send notification letters to all 350,000 patients on or around December 10, 2021, one month after the breach was discovered.
Data potentially compromised in the attack included names, contact information, dates of birth, medical record numbers, health insurance and claims information diagnoses, prescription information, and Social Security numbers. Affected individuals were offered a 12-month subscription to credit monitoring services at no cost.
In late December, BioPlus patient Bonnie Gilbert and her attorneys filed a lawsuit in the U.S. District Court of the Middle District of Florida alleging BioPlus had violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to ensure the confidentiality, integrity, and availability of the PHI of its patients.
The lawsuit alleges negligence for failing to maintain reasonable data security safeguards, failing to implement industry-standard data security practices, and failing to exercise reasonable care in the hiring and supervision of its employees and agents. The lawsuit also claims BioPlus failed to detect the attack and the exfiltration of sensitive data from its network, and delayed breach notifications. The lawsuit claims that if a reasonable amount of care had been taken and appropriate data security measures had been in place, the attack could have been detected sooner and/or prevented.
The lawsuit alleges the plaintiff and class members have suffered “numerous actual and imminent injuries” as a direct result of the data breach, including the theft of their PII and PHI, invasion of privacy, a reduction in the economic value of their PII and PHI, emotional distress and stress, and a significant present and future risk of identity theft and financial fraud, as well as incurring costs attempting to mitigate and deal with the consequences of the data breach.
The lawsuit seeks class action certification, a jury trial, injunctive relief, declaratory relief, and monetary damages. The plaintiff is represented by Morgan & Morgan and Markovits, Stock, & DeMarco LLC.