HealthEC LLC faced multiple class action lawsuits over a data breach that affected about 4.5 million people. Hackers had access to HealthEC's population health management system from July 14 to July 23, 2024, and obtained the sensitive information of patients of its healthcare company clients.
Plaintiff Victoria Lempinen and similarly situated people filed the Victoria Lempinen v. Health EC LLC class action lawsuit in the U.S. District Court of New Jersey over the exposure of personal data and protected health information (PHI) in the data breach. The lawsuit claims that HealthEC lost the sensitive information of roughly 4.5 million people because it failed to maintain acceptable and proper cybersecurity practices and did not sufficiently encrypt sensitive data on its system. The security failures are alleged to violate the Health Insurance Portability and Accountability Act (HIPAA) and the FTC Act. The plaintiff states that HealthEC has no policies and procedures in place to ensure the prompt removal of sensitive data when it is no longer required.
Besides allowing an avoidable data breach, HealthEC is alleged to have unnecessarily delayed notifying breach victims. The organization sent notifications in December 2023, which is over 5 months after the data breach took place. This cost breach victims the opportunity to take action to protect themselves against fraud and identity theft. The lawsuit also alleges that the notification letters issued by HealthEC omitted crucial information about the breach, for instance, the date the attack and data breach were discovered, the dates of the investigation, the vulnerabilities exploited by the attackers, and the action taken to counter the cyberattack and prevent similar breaches in the future.
According to the lawsuit, the plaintiff and class have suffered injuries such as privacy violation, theft of private data, loss or reduced value of personal data, loss of benefit of the bargain, lost time and opportunity costs, and an increase in spam phone calls, SMS messages, and emails. The plaintiff and class members are exposed to a greater risk of fraud and identity theft. The 75-page lawsuit claims breach of third-party beneficiary contract, negligence, breach of confidence, unjust enrichment, and violation of privacy. The lawsuit seeks a jury trial, class action certification, damages, reparation, injunctive relief, and a court order requiring HealthEC to carry out measures to enhance data protection. Gary M. Klinger and Vicki J. Maniatis of Milberg Coleman Bryson Phillips Grossman LLC represented the plaintiffs and the class.
Plaintiff Bree Marano, together with similarly situated people who make similar claims, also filed a lawsuit against HealthEC LLC, alleging failure to adhere to FTC rules, industry requirements, and HIPAA. HealthEC failed in the following ways: it implemented insufficient cybersecurity procedures considering the risk of a cyberattack, inadequately monitored its system for attacks, and did not issue sufficient and prompt individual breach notifications. The lawsuit claims breach of implied contract, negligence, breach of confidence, and unjust enrichment. The lawsuit likewise claims that the defendant did nothing of value to give the plaintiff and the class relief for the damages they have suffered because of the data breach.