An Athens man has filed a class-action lawsuit against Health Recovery Services, Inc., in federal court alleging that a data breach at the private nonprofit agency jeopardized the private information of patients, putting them at “grave risk” of identity theft.
Troy Foster said in the suit – filed this month in the Southern District of Ohio U.S. District Court – that he was a recipient of HRS services, and that he, along with potentially “thousands” of other patients, had their data compromised in the data breach, information that could include Social Security numbers.
The suit comes after HRS learned last Feb. 5 that an “unauthorized IP address had remotely accessed its computer network,” the suit reads.
“Despite Defendant HRS’ duty to expeditiously notify individuals that their personal information may have been compromised, defendant HRS kept its knowledge of the data breach secret from plaintiff Foster and Data Breach Class members until releasing notification titled ‘NOTICE OF DATA INCIDENT’ on April 5, 2019, roughly two months after defendant discovered that the personal information of plaintiff Foster and the Data Breach Class members had been compromised and misappropriated since Nov. 14, 2018,” according to the lawsuit.
Ellen C. Martin, CEO of Health Recovery Services Inc., in a statement issued Tuesday confirmed that the network was accessed by that unauthorized IP address on Feb. 5.
However, she said her agency “immediately hired” a third-party forensic expert to “assist us with the investigation of the incident, as well as to help us ensure that any threat to our system had been eliminated.”
She said that in the eight months since the incident, there has been “no indication that any of our patient information was actually accessed or otherwise taken from HRS’ system.”
However, according to a copy of the letter sent to patients, the data intrusion started on Nov. 14, 2018, and continued until it was discovered on Feb. 5, 2019.
“After conducting an in-depth investigation, this expert indicated to us that they did not believe that any patient information was ever accessed, but that they were unable to definitively rule out the possibility,” Martin said in the statement this week. “Therefore, because patient privacy is of the utmost importance to us at HRS, out of an abundance of caution, we mailed notification letters to all potentially impacted patients informing them about the incident, posted the information about the incident on our website, and provided recommendations for preventative steps that our patients could take to further protect themselves and their identities.”
The suit – filed by attorney Mike Fradin of Athens and Chicago – noted that 2013 research from a private firm called Javelin Strategy and Research suggests that “one in four data breach notification recipients became victim of identity fraud.”
Fradin said Wednesday that the data breach could have impacted the data of HRS patients going back as far as 2014, if not before that. HRS notified roughly 20,485 patients of the data breach in April, according to the website databreaches.net.
Regardless, Fradin in Foster’s lawsuit alleges that HRS’ approach to maintaining the privacy of the personal information of patients was “lackadaisical, cavalier, reckless or at the very least negligent.”
The suit additionally alleges a “strong possibility” that “entire batches of stolen information have yet to be dumped on the black market,” meaning HRS patients could be at risk of fraud and identity theft “for years into the future.”
Martin in her statement noted that HRS has offered “free credit monitoring and restoration services to all those eligible for a one-year period” in response to the data breach.
Because this is a specific kind of class-action lawsuit, other members of the “data breach class” can receive their share of the financial settlement or judgment in the case, Fradin said, so long as the class is officially certified by the judge after a motion from the defendant.
HRS has not yet filed a response in the Southern District of Ohio federal court.