by John R. Fischer, Senior Reporter | January 14, 2022
Kentucky resident Matthew Tincher is taking EHR vendor QRS to court over a security breach of its patient portal server that potentially compromised his and nearly 320,000 other individuals’ health information.
QRS, a vendor of the Paradigm practice management and EHR systems, discovered in August that a cyberattacker had accessed the server over a three-day period. It reported the incident to the Department of Health and Human Services in October and began notifying patients the same month, GovInfoSecurity reported.
In a class action lawsuit filed in federal court in Tennessee, Tincher accuses QRS of negligence, invasion of privacy, breach of confidence, unjust enrichment and violating the Tennessee Consumer Protection Act. He is also demanding that it implement a long list of security improvements.
While the EHR vendor did not specify the type of attack it endured, the suit refers to it as a form of ransomware. "Despite the prevalence of public announcements of data breach and data security compromises, [QRS] failed to take appropriate steps to protect the personally identifiable information and PHI of Plaintiff and Class Members from being compromised," wrote Tincher in his complaint.
He adds that although he received notification of the breach from QRS, the company failed to implement one or more “government-recommended” security measures prior to the breach, including updating and patching systems, configuring firewalls to block access to known malicious IP addresses, and a variety of access and other controls.
He believes that, as a direct result, his PII and PHI and those of others affected were sold on the dark web. The complaint states that he experienced “...actual identity theft. It is more likely than not that his sensitive information was exfiltrated and stolen during the data breach.”
In a statement, QRS said the information “may have included, depending on the individual, their name, address, date of birth, social security number, patient identification number, portal username, and/or medical treatment or diagnosis information.”
The complaint says that affected individuals have allegedly had to pay out-of-pocket expenses to prevent, detect and recover from identity theft and fraud; experienced a violation of privacy; and face an increased risk to their PII and PHI, which “remains unencrypted and available for unauthorized third parties to access and abuse.”