The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Class Action Lawsuits Filed Over HealthEC Data Breach

Posted By on Jan 12, 2024

January 12, 2024: Class Action Lawsuits Filed Over HealthEC Data Breach

Multiple class action lawsuits have been filed against HealthEC LLC over a recently disclosed data breach that affected almost 4.5 million individuals. Hackers gained access to HealthEC’s population health management platform between July 14, and July 23, 2024, and obtained the sensitive data of patients of its healthcare provider clients, per The HIPAA Journal report below.

One of the class action lawsuits – Victoria Lempinen v. Health EC LLC – was filed in the U.S. District Court of New Jersey on behalf of Victoria Lempinen and similarly situated individuals who had their personal and protected health information compromised in the data breach.  The lawsuit alleges that HealthEC lost control of the sensitive data of almost 4.5 million individuals as a direct result of the failure to maintain reasonable and appropriate cybersecurity protocols and the lack of encryption of sensitive data on its network. The security failures are alleged to violate the FTC Act and Health Insurance Portability and Accountability Act (HIPAA). Further, the plaintiff argues that HealthEC did not have policies and procedures in place to ensure that sensitive data was deleted in a timely manner when it was no longer needed.

In addition to suffering a preventable data breach, HealthEC is alleged to have unnecessarily delayed issuing notifications, which were issued in December 2023, more than 5 months after the data breach occurred. This, it is argued, denied the opportunity for victims of the breach to take steps to protect themselves against identity theft and fraud. When notification letters were issued, the lawsuit alleges HealthEC failed to disclose important details about the breach, such as when the cyberattack and data breach were first detected, the dates of the investigation, the vulnerabilities that were exploited by the hackers, and the measures undertaken in response to the cyberattack to ensure that similar breaches are prevented in the future.

The lawsuit claims the plaintiff and class have suffered injuries including invasion of privacy, theft of private information, loss or diminished value of private information, lost time and opportunity costs, loss of benefit of the bargain, and an increase in spam calls, texts, and emails, and the plaintiff and class members now face an increased risk of identity theft and fraud. The 75-page lawsuit alleges negligence, breach of third-party beneficiary contract, breach of confidence, invasion of privacy, and unjust enrichment and seeks class action certification, a jury trial, and damages, restitution, and injunctive relief, including an order from the court to compel HealthEC to implement a raft of measures to improve data security. The plaintiffs and class are represented by Vicki J.  Maniatis and Gary M. Klinger of Millberg Coleman Bryson Phillips Grossman LLC.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

A second lawsuit was filed against HealthEC LLC on behalf of plaintiff Bree Marano and similarly situated individuals that makes similar claims, including the failure to comply with FTC guidelines, industry standards, and HIPAA. Those failures include inadequate cybersecurity measures given the level or risk of a cyberattack, insufficient monitoring of its network for intrusions, and the failure to issue adequate and timely individual notifications about the data breach. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and breach of confidence, and claims the defendant has done absolutely nothing of value to provide the plaintiff and class with relief for the damages they have suffered as a result of the data breach.

January 3, 2024: HealthEC Data Breach Affects Almost 4.5 Million Individuals

HealthEC, an Edison, New Jersey-based analytics software vendor, has recently confirmed that the protected health information of 4,452,782 individuals has been exposed and potentially stolen in a recent cyberattack. HealthEC is the developer of a platform that healthcare organizations use to identify high-risk patients, close care gaps, and recognize barriers to optimal care. More than 1 million healthcare professionals in 18 U.S. states use the platform’s analytics to gain insights to improve patient outcomes.

HealthEC started mailing data breach notification letters to the affected individuals on December 22, 2023; however, the data breach occurred several months earlier. According to the notification letters, unauthorized individuals had access to HealthEC’s systems between July 14, 2023, and July 23, 2023. The forensic investigation revealed that during that time, files were removed.

HealthEC conducted a review of the affected files and determined that they contained the protected health information of its clients’ patients. HealthEC started notifying the affected clients on October 26, 2023, which included MD Valuecare in Virginia (112,005 records)  and Corewell Health in Michigan (1 million+ records). On December 21, 2023, the breach was reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 4.52 million individuals.

The information compromised in the attack varied from patient to patient and may have included names along with one or more of the following: address, date of birth, Social Security number, medical record number, diagnosis and diagnosis codes, mental/physical condition, prescription information, provider name, beneficiary number, subscriber number, Medicaid/Medicare identification number, patient account number, patient identification number, and treatment cost information. HealthEC is offering the affected individuals complimentary credit monitoring services and has taken steps to improve security to prevent further data breaches in the future.

HealthEC is the second vendor to experience a data breach that has affected more than 1 million Corewell Health patients this year. Michigan Attorney General, Dana Nassel, has called for new legislation to be introduced in the state mandating prompt notifications in the event of a data breach, as in each case, Michiganians had to wait several months to discover that their sensitive health data had been stolen.

Entities Impacted by HealthEC Data Breach

The entities known to have been affected by the HealthEC data breach, as disclosed by HEalthEC on December 22, 2023 are:

  • Alliance for Integrated Care of New York, LLC
  • Advantage Care Diagnostic & Treatment Center, Inc.
  • Beaumont ACO
  • Community Health Care Systems
  • Compassion Health Care
  • Corewell Health
  • East Georgia Healthcare Center
  • HonorHealth
  • Hudson Valley Regional Community Health Centers
  • Illinois Health Practice Alliance, LLC
  • KidneyLink
  • Long Island Select Healthcare
  • Metro Community Health Centers
  • Mid Florida Hematology & Oncology Centers, P.A, d/b/a Mid-Florida Cancer Centers
  • TennCare
  • State of Tennessee
  • University Medical Center of Princeton Physicians’ Organization
  • Upstate Family Health Center, Inc.
  • U.S. Renal Care Inc.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist