Designed Receivable Solutions Lawsuit Due to 500M-Record Data Breach

Designed Receivable Solutions, a revenue cycle management company based in Cypress, CA, is facing a class action lawsuit over a data breach that affected approximately half a million people. The company detected an attack on January 22, 2024. On March 8, 2024, Designed Receivable Solutions confirmed that sensitive data was exfiltrated during the attack. The compromised data included information provided by at least 17 clients. The breach notifications sent to the HHS’ Office for Civil Rights indicated the exposure or theft of the protected health information (PHI) of 498,686 people, including names, birth dates, addresses, dates of service, medical insurance data, and Social Security numbers.

The lawsuit claims that the breach could have been avoided had Designed Receivable Solutions applied reasonable and proper cybersecurity procedures. Because of that failure, the personal data and PHI of more than 498,000 individuals are now in the possession of threat actors who carried out the attack for financial gain. Those individuals now face a higher risk of identity theft and fraud.

Designed Receivable Solutions provides debt collection services to healthcare companies and is given access to patient information to perform its contracted duties. Consequently, Designed Receivable Solutions is a business associate covered by HIPAA and must comply with the HIPAA Regulations and state data privacy legislation. The lawsuit claims that Designed Receivable Solutions did not fulfill those obligations.

The lawsuit also raised the following issues:

  • the length of time Designed Receivable Solutions took to send notifications, which was 4 months after the company discovered the breach
  • the insufficient credit monitoring services offered to the breach victims, who face the risk of identity theft and fraud potentially for several years.

The lawsuit asserts the following claims: negligence, negligence per se, unjust enrichment, breach of confidence, breach of implied contract, breach of fiduciary duty, and breach of the implied covenant of good faith and fair dealing.

The lawsuit seeks class certification; equitable and injunctive relief; and actual, nominal, and consequential damages. It asks for a court order requiring Designed Receivable Solutions to implement and maintain a range of cybersecurity measures, including a detailed data security program, data encryption, third-party security audits, routine database and security monitoring, and data security training for employees. The order would also require the company to remove all personal data and PHI unless there is a valid business reason for keeping the data, and to stop saving patient information in the cloud.

Daniel Srourian of the Srourian Law Firm represents the plaintiff and the class.

Photo Credit: Nelson / stock.adobe


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.