DataBreaches.net does not report on most potential class action lawsuits because many of them will not survive motions to dismiss. This case, however, is a bit more interesting to me because it involves sensitive mental health data, ransomware, leaked data, and claims about inadequate monitoring of a business associate. The case is K.L. v. Psych Care Consultants, LLC et al., § 3:22-CV-00061.
The breach itself was first covered on this site in November, 2021 after this site found a notification by the business associate, QRS. At the time, QRS reported:
On August 26, healthcare technology services company QRS, Inc. (“QRS”) discovered that an attacker had compromised a patient portal and exfiltrated some files from that client’s server. The compromise had been detected within three days of the attack. The information the threat actor may have accessed or acquired may have included, depending on the individual, their name, address, date of birth, Social Security number, patient identification number, portal username, and/or medical treatment or diagnosis information. This attack did not involve any other QRS systems or the systems of any of QRS’s clients.
This incident was reported to HHS as impacting 319,788 patients. We would subsequently learn that one of QRS’s clients was Psych Care Consultants (PCC), whose external counsel first notified the New Hampshire Attorney General’s Office on December 29, 2021. By then, however, QRS data was also allegedly available on the dark web and clear net by threat actors who call themselves “Snatch Team.” Whether they had all of QRS’s data or just some of it is not known to this site, but the fact that some of QRS’s data was leaked to put pressure on the vendor to pay ransom suggests that other data of held by QRS may also find its way on to the dark web or clear net.
In describing the lawsuit, Erin Shaak reports, in part (emphasis added by this site):
The suit argues that PCC failed to “exercise due care” in overseeing QRS’s handling of its patients’ private information and ensure that the vendor employed reasonable data security standards, such as deleting inactive records.
[…]
According to the suit, although QRS claims to have notified PCC of the data breach within 10 days of its discovery, PCC failed to provide notice to patients.
Have we ever seen a case that prevailed because, in part, a covered entity (CE) failed to monitor whether a business associate/vendor deleted inactive records? Was that even covered in the business associate agreement (BAA)? Remember that this incident reportedly affected 319,788 patients, but we do not know how many of those were PCC patients. The lawsuit claims that the potential class is “thousands” of individuals and that PCC is one of QRS’s two biggest clients. But then plaintiffs allege:
45. Some of the easiest ways to minimize exposure to a data security incident are to limit the type and amount of information provided to business associates, and routine destruction or archiving of inactive PII and PHI so that it cannot not be accessed through online channels. The
sheer number of records suggests that QRS was not destroying or archiving inactive records.
Did PCC ever ask QRS to delete any records? Was there to be an automated system for deletion? Although state laws vary, usually patient records have to be retained, by law, for a certain number of years. How does that factor into plaintiffs’ claims about deleting records? An argument about archiving inactive patients’ records and encrypting them and/or taking them offline may stand a better chance than claims that data should have been deleted.
And what did the BAA require in terms of notification by the BA to the CE in the event of a breach? If QRS detected the breach within 3 days and notified PCC on September 7 as they claim, PCC should have been notifying HSS and patients no later than on or about November 7. Instead, QRS issued notifications on November 26. HIPAA/HITECH makes notification the responsibility of the CE. Did the BAA (assuming, for now, that there was one) specify whether QRS would help with notifications?
As DataBreaches.net has frequently lamented, OCR has not been particularly impressive when it comes to enforcement of the “no later than 60 days” rule to notify HHS and patients. In fact, there’s been almost no enforcement of that at all so far. Will a claim based on state law have a better chance of success? We’ll have to wait and see.
You can read the whole complaint on ClassAction.org.