Class Action Lawsuit Filed Against Shields Health Care Group Over 2 Million-Record Data Breach

A class action lawsuit has been filed against Shields Health Care Group over its recently announced 2 million-record data breach – the largest healthcare data breach to be reported so far this year by a single HIPAA-regulated entity.

Shields Health Care Group is the largest provider of MRI imaging services in New England and operates more than 40 facilities in the region. On May 27, 2022, the Massachusetts-based medical imaging service provider reported the data breach to the HHS’ Office for Civil Rights and confirmed that an unauthorized actor had access to some of its IT systems from March 7 to March 21, 2022. During that time, files were exfiltrated from its systems that included protected patient information (PHI) such as names, addresses, birth dates,  Social Security numbers, diagnoses, billing information, insurance numbers and medical or treatment information.

A data breach of this scale is likely to see several lawsuits filed, with Keller Postman LLC and co-counsel Sweeney Merrigan Law LLP, and Finkelstein, Blankinship, Frei-Pearson, & Garber LLC the first to file.  The lawsuit, William Biscan v. Shields Health Care Group Inc.– was filed in the District Court for the District of Massachusetts and alleges the defendant negligently handled the private health information of the plaintiff and other similarly situated individuals.

The lawsuit alleges the defendant should have been aware of the risk of a data breach yet failed to implement reasonable and appropriate safeguards to keep patient data private and confidential and protect against unauthorized access and disclosure. As a result, the personal and protected health information of patients in “a dangerous and vulnerable condition” and failed to notify affected individuals in a timely manner.

As a result of those failures, the plaintiff claims he and other class members now face a heightened and imminent risk of fraud and identity theft and will continue to incur out-of-pocket costs for purchasing credit monitoring services, credit freezes, credit reports, and other protective measures to prevent and detect identity theft and fraud.

In addition to the negligence claim, the lawsuit alleges a breach of express contract, breach of implied contract, invasion of privacy by intrusion, breach of fiduciary duty, breach of confidence, unjust enrichment, and violations Massachusetts General Laws.

The lawsuit seeks class certification, monetary relief, actual and punitive damages, litigation fees, adequate credit monitoring and identity theft protection services, and an injunction requiring the defendant to improve security to prevent similar breaches in the future and undergo annual security audits.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.