EHR Vendor Facing Class Action Lawsuit Over 320,000-Record Data Breach

QRS, a Tennessee-based healthcare technology services company and EHR vendor, is facing a class action lawsuit over an August 2021 cyberattack in which the protected health information (PHI) of almost 320,000 patients was exposed and potentially stolen.

The investigation into the data breach confirmed a hacker had gained access to one of its dedicated patient portal servers between August 23 and August 26, 2021, and viewed and possibly obtained files containing patients’ PHI. Sensitive data stored on the server included patients’ names, addresses, birth dates, usernames, medical information, and Social Security numbers. QRS started sending notification letters to affected individuals in late October and offered identity theft protection services to individuals who had their Social Security number exposed.

On January 3, 2022, Matthew Tincher, a Frankfurt, KY resident, filed a class action complaint in the U.S. District Court for the Eastern District of Tennessee against QRS. The lawsuit alleges QRS was negligent for failing to reasonably secure, monitor, and maintain the PHI and personally identifiable information (PII) stored on its patient portal.

As a result of those failures, the lawsuit alleges Tincher and class members have suffered actual, concrete, and imminent injury, including present injury and damages from identity theft, loss or diminished value of their PHI and PII, and have incurred out-of-pocket expenses from attempting to remedy the exposure of their sensitive information and have had to spend time mitigating the effects of the unauthorized data access. They also face a continued and increased risk to their PHI and PII, which were unencrypted and remain available to unauthorized parties to access and abuse.

Please see the HIPAA Journal Privacy Policy

The lawsuit also takes issue with the speed at which QRS issued breach notification letters, which were issued almost 2 months after the discovery of the breach. During those two months, the plaintiffs and class embers were unaware they had been placed at significant risk of identity theft, fraud, and personal, social, and financial harm.

The lawsuit alleges QRS had a responsibility to ensure the PHI and PII within its patient portal were appropriately protected, and the breach of its duties to protect that information amounts to negligence and/or recklessness, which violates federal and state statutes. The lawsuit claims QRS signed business associate agreements (BAAs) with its healthcare provider clients, so was aware or should have been aware of its responsibilities to ensure PHI was protected against cyberattacks. The lawsuit also lists cybersecurity measures recommended by the Cybersecurity and Infrastructure Security Agency (CISA) which should have been implemented in that regard and maintains QRS should have been aware of the high risk of being attacked due to the large number of healthcare data breaches that have been reported in recent years.

Lawsuits are often filed against healthcare organizations over data breaches that exposed sensitive information. Whether the lawsuits succeed often depends on whether the plaintiffs are able to demonstrate they have suffered actual harm as a direct consequence of the data breach. Tincher claims to have been notified about the breach on October 22, 2021, and within 3 days was the victim of actual identity theft, and that it is more likely than not that his sensitive information was exfiltrated from the QRS patient portal during the data breach.

The lawsuit alleges the total damages incurred by the plaintiff and class members exceed the minimum $5 million jurisdictional amount required by the Court, and that the Court has jurisdiction over the defendant because QRS operates and is incorporated in the district. The plaintiff and class members seek a jury trial, unspecified damages, and injunctive and equitable relief.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.