EHR vendor QRS is being sued for a data breach that occurred in its patient portal system back in August.

EHR vendor QRS sued over breach to patient portal server

January 14, 2022
by John R. Fischer, Senior Reporter
Kentucky resident Matthew Tincher is taking EHR vendor QRS to court over a security breach of its patient portal server that potentially compromised his and nearly 320,000 other individuals’ health information.

QRS, a vendor of the Paradigm practice management and EHR systems, discovered in August that a cyberattacker had accessed the server over a three-day period. It reported the incident to the Department of Health and Human Services in October and began notifying patients the same month, reported GovInfoSecurity.

In a class action lawsuit filed in a Tennessee federal court, Tincher accuses QRS of negligence, invasion of privacy, breach of confidence, unjust enrichment and violating the Tennessee Consumer Protection Act. He is also demanding that it implement a long list of security improvements.

While the EHR vendor did not specify the type of attack it endured, the suit refers to it as a form of ransomware. "Despite the prevalence of public announcements of data breach and data security compromises, [QRS] failed to take appropriate steps to protect the personally identifiable information and PHI of Plaintiff and Class Members from being compromised," wrote Tincher in his complaint.

He adds that while he received notification of the breach from QRS, the company failed to implement one or more “government-recommended” security measures prior to the breach, including updating and patching systems, configuring firewalls to block access to known malicious IP addresses and a variety of access and other controls.

He believes his PII and PHI and those of others affected were sold on the dark web as a direct result, with the complaint saying that he experienced “...actual identity theft. It is more likely than not that his sensitive information was exfiltrated and stolen during the data breach.”

In a statement, QRS said the information “may have included, depending on the individual, their name, address, date of birth, social security number, patient identification number, portal username, and/or medical treatment or diagnosis information.”

The complaint says that affected individuals have allegedly had to pay out-of-pocket expenses to prevent, detect and recover from identity theft and fraud; suffered a violation of privacy; and faced an increased risk to their PII and PHI, which “remains unencrypted and available for unauthorized third parties to access and abuse.”

It is requesting that QRS be forced to implement and maintain an information security system to protect the confidentiality and integrity of the plaintiff’s and others’ information. It also wants QRS to use independent third-party security auditors, penetration testers and internal security personnel to conduct simulated attacks, penetration tests and audits of its systems periodically, and for QRS to “promptly correct” any problems or issues detected by third-party security auditors. Additionally, it asks that the court prevent the company from maintaining the PII and PHI information on a cloud-based database.

In the past year and a half, 82% of healthcare providers have experienced some form of IoT cyberattack, according to a report by data security firm Medigate and cloud-based protection provider CrowdStrike. Of these, 34% were hit with ransomware; of that group, 33% paid the ransom, but only 69% reported a full restoration of their data.

The findings indicate that healthcare delivery organizations are in need of more basic defense, including cyber insurance considerations, firewalling, and NAC enforcement products.

Scripps Health was hit with a malware attack in late April that led it to shut down its patient portals and email servers for most of the month. The attack led to a lawsuit that claimed the attack potentially created "a lifetime risk of identity theft” for nearly 150,000 patients.

A combination of mid-year revenue lost and incremental expenses incurred in responding to the attack ended up costing the company almost $113 million.

For this current case, regulatory attorney Paul Hales of the Hales Law Group told GovInfoSecurity that the plaintiff must allege that they endured harm due to the breach. "The sole plaintiff in this case claims to have suffered specific examples of actual identity theft resulting from the QRS data breach. We have yet to hear from other potential class members."

QRS and Tincher’s attorney did not respond to GovInfoSecurity’s requests for comment.