BioPlus faces class-action lawsuit over security measures after hack

Prescription drugs are pictured in Auckland, New Zealand on May 15, 2014. (Photo by Phil Walter/Getty Images)

BioPlus Specialty Pharmacy Services is facing a class-action data breach lawsuit after the company recently disclosed a weeks-long hack of its IT systems that led to unauthorized access to information on former and current patients. The lawsuit claims the incident was caused by the vendor's inadequate security measures and raises further questions about the breach itself.

The breach notice described the incident as unauthorized access to patient information, while the lawsuit alleges the data was stolen from the network. In addition, victims “have received no assurances from BioPlus… that all personal data or copies of data have been recovered or destroyed.”

Interestingly, the announcement did not include language about data theft, but the lawsuit says the patient “received a notification letter from BioPlus that her sensitive PII had been stolen.”

BioPlus discovered the hack on Nov. 11, but the breach of the system began nearly a month earlier, on Oct. 25. The subsequent investigation confirmed that the attackers accessed a range of information belonging to 350,000 former and current patients.

The exposed data may include dates of birth, health plan member ID numbers, claims data, medical record numbers, and diagnosis and/or prescription details. The attackers also accessed the Social Security numbers of a small group of patients.

The lawsuit, filed Jan. 5 in the Orlando division of the U.S. Central District of Florida, claims that data exposed during the hack was leaked on the dark web by the attackers. To make matters worse, a patient named Patricia White claims that BioPlus should not have had her data in the first place.

White claims her information was entered into the BioPlus system in 2015 due to a “clerical error” that caused her prescribing information to be sent from her provider to BioPlus instead of her in-network pharmacy. The patient informed the client of the error and canceled the BioPlus service.

However, “her information remained in [BioPlus]’s systems, vulnerable to abuse, until the data breach occurred in November 2021.”

Additionally, a month after the initial hack, White was notified by her credit monitoring service provider that her information had appeared on the dark web and was shared on a forum used to trade health insurance, bank and other sensitive patient information used in scams.

The lawsuit said the data theft was caused by BioPlus because it “failed to exercise reasonable care” in protecting sensitive protected health information and personally identifiable information. The alleged failure “enables hackers to steal private information”…and puts patients’ “information at serious, immediate and ongoing risk”.

As a result of the theft, patients are now bearing recovery costs and “loss of productivity from spending time resolving and trying to improve the release of personal data, as well as the emotional grief associated with the ongoing monitoring of personal banking and credit accounts.”

The language of the damages claim mirrors that of other recent breach-related lawsuits and centers on ongoing monitoring of accounts, ongoing efforts to prevent fraud attempts, and “imposing withdrawal and purchase limits on compromised accounts.”

BioPlus did offer one year of free credit monitoring to all victims of the breach, but the lawsuit challenges the offer for its lack of assurances about the security of patient information. It further claims that in order to obtain the services provided, the individual’s data will be “shared with third parties and the complete privacy of her sensitive PII cannot be guaranteed.”

As a result, the victims who filed the lawsuit opted to no longer provide any data to the provider to receive these services.

Only one of the two victims who filed the lawsuit provided evidence of data misuse. The breach victims are seeking declaratory relief for claims of negligence and breach of contract, implied contract and fiduciary duty.

Finally, the lawsuit also challenges the three-month delay in notice. However, disclosure is well within the 60-day discovery-to-notification timeline outlined in the Health Insurance Portability and Accountability Act.

Given the steady stream of security incidents, breach lawsuits are becoming more common in healthcare. At least three other lawsuits were filed last month, including those against Planned Parenthood, QRS, and Bansley and Kiener.
