Designed Receivable Solutions Sued Over 500M-Record Data Breach
Designed Receivable Solutions, a Cypress, CA-based revenue cycle management company, is facing a class action lawsuit over a data breach that affected almost half a million individuals. The intrusion was detected on January 22, 2024, and it was confirmed on March 8, 2024, that sensitive data had been exfiltrated in the attack, including the data provided by at least 17 of its clients. According to the notifications sent to the HHS’ Office for Civil Rights, the protected health information of 498,686 individuals was exposed or stolen in the attack, including names, addresses, dates of birth, health insurance information, dates of service, and Social Security numbers.
The lawsuit alleges that the data breach was preventable and would have been prevented if Designed Receivable Solutions had implemented reasonable and appropriate cybersecurity measures. As a result of that failure, the personal and protected health information of more than 498,000 individuals is now in the hands of malicious actors who conducted the attack for financial gain, and those individuals now face an immediate and ongoing risk of identity theft and fraud.
Designed Receivable Solutions provides debt collection services to healthcare organizations and is provided with patient data to allow those contracted duties to be performed. As such, Designed Receivable Solutions is a business associate under HIPAA and is required to comply with the HIPAA Rules as well as state data privacy laws. The lawsuit alleges that Designed Receivable Solutions failed to meet those responsibilities.
The lawsuit also takes issue with the length of time it took to issue notifications, which were not sent until 4 months after the breach was detected, and alleges that the credit monitoring services offered are inadequate, as the victims of the breach face an ongoing risk of identity theft and fraud that will last for several years. The lawsuit alleges negligence, negligence per se, breach of implied contract, breach of confidence, breach of the implied covenant of good faith and fair dealing, breach of fiduciary duty, and unjust enrichment.
The lawsuit seeks class certification; a jury trial; actual, nominal, and consequential damages; and equitable and injunctive relief. In terms of the latter, the lawsuit requests an order from the court requiring Designed Receivable Solutions to implement and maintain a range of cybersecurity measures, including a comprehensive information security program, encryption of data, independent third-party security audits, regular database and security checks, and information security training for its workforce. The requested order would also require the company to delete all personal and protected health information unless there is a legitimate business purpose for retaining the data, and to stop storing patient data in the cloud.
The plaintiff and the class are represented by Daniel Srourian of the Srourian Law Firm.


