Serviceaide Facing Multiple Class Action Lawsuits Over 483K-Record Data Breach
A California company that provides an agentic AI-powered software solution for streamlining healthcare operations and improving operational efficiency has recently disclosed a major data breach involving the personal and protected health information of almost half a million patients of Catholic Health in Buffalo, New York. The HIPAA Journal reported on the breach on May 19, 2025, the same day six class action lawsuits were filed in federal court in California over the data breach. More lawsuits are expected to be filed in the coming days.
The data breach was discovered on November 15, 2024, when an unsecured Elasticsearch database was identified that had been exposed online for more than 6 weeks between September 19, 2024, and November 5, 2024. The database contained the data of approximately 483,000 Catholic Health patients, including names, dates of birth, Social Security numbers, medical/health information, treatment information, health insurance information, and email/usernames and accompanying passwords. The affected individuals started to be notified about the data breach on May 9, 2025.
All of the lawsuits were filed in the U.S. District Court for the Northern District of California and assert similar claims against the Santa Clara, California-headquartered company, including negligence for failing to implement reasonable and appropriate safeguards to ensure the confidentiality, integrity, and availability of sensitive data, a failure to comply with industry standard data security practices, and a failure to follow Federal Trade Commission cybersecurity guidelines.
The lawsuits also take issue with the length of time it took to issue notification letters, which were not sent to the affected individuals until 6 months after the data breach was identified. The lawsuits claim that the delay in issuing notifications violates federal and state data breach notification laws. As is now common in breach notifications, only limited information about the data breach was disclosed. The lawsuits claim there were important omissions, such as how the breach occurred and the measures taken to ensure similar breaches are prevented in the future. The lawsuits contend that the lack of information in the breach notification letters has severely diminished the plaintiffs’ and class members’ ability to mitigate the harms from the data breach.
In addition to negligence, the lawsuits assert claims of invasion of privacy, unjust enrichment, breach of implied contract, and a violation of California’s unfair competition law. The lawsuits seek a jury trial, damages in excess of $5 million, and injunctive relief. The plaintiffs are represented by the law firms Milberg Coleman Bryson, Phillips Grossman, Mason LLP, Siri & Glimstad, Cole & Van Note, Srourian Law Firm, EXSM, and Kristensen Law Group.


