On September 8, Brady Martz & Associates in North Dakota disclosed a November 2022 data breach that reportedly affected more than 53,000 individuals. Less than two weeks later, at least four lawsuits had been filed against the firm.
Now, four months later, we see a notice from one of their clients:
Family HealthCare was recently informed of a data security breach experienced by its third-party service provider, Brady Martz & Associates PC. Brady Martz provides tax-related services, audit and financial guidance, and bookkeeping and payroll assistance to clients throughout the country and is headquartered in North Dakota. Family HealthCare contracts with Brady Martz for bookkeeping and tax-related services which typically involve Brady Martz’s auditing of Family HealthCare’s patient billing documents.
Brady Martz is notifying, by letter, all impacted individuals to inform them of this incident and to identify the steps that individuals can take to protect themselves from the potential misuse of this information. However, in an effort to encourage our patients to take precautionary steps to protect themselves and their information, we’ve provided more details related to the incident as well as additional resources for your use below.
What Happened and What Information was Involved:
According to Brady Martz, the breach, which occurred on November 19, 2022, was promptly detected and the company immediately took steps to secure its systems and engage independent cybersecurity experts to investigate the incident. Brady Martz reports that its investigation into the incident resulted in a determination that an unauthorized third-party may have accessed and/or acquired files containing certain individuals’ personal information.
The information impacted as a result of the incident included information related to certain employees and patients of Family HealthCare. Notably, this incident did not involve unauthorized access to any of Family HealthCare’s computer systems and did not impact our ability to provide care to patients.
According to Brady Martz, the information potentially accessed during the incident included some or all of the following: patient and/or employee name, date of birth, age, phone number, financial account information, health insurance information, patient account number, Social Security number, and information regarding care received at a Family HealthCare facility.
Read more of Family HealthCare’s notice on their website. Their notice does not mention that Brady Martz appeared to be offering complimentary mitigation services that Family HealthCare patients can access.
Why the Delay?
If abnormal activity was “promptly detected” on November 19, 2022, why did it take Brady Martz until August 2023 to recognize that personal and protected health information was involved and until September 2023 to disclose the breach? And why did it take until January 2024 for Family HealthCare to alert its patients? Were they notified by Brady Martz in September or were they only notified later? Their submission to HHS has yet to be posted on HHS’s public breach tool.
Inquiries were sent to Brady Martz seeking clarification on the reasons for the delays in disclosure, but no reply was immediately available.
At this point, DataBreaches is unaware of what other clients of Brady Martz were affected.
In terms of litigation, DataBreaches found that all four cases filed in September were consolidated under Quaife v. Brady Martz & Associates, P.C. At the end of December, Brady Martz moved to have the lawsuits dismissed for lack of jurisdiction and for failure to state a claim. According to its motion, any negligence claim fails, in part, because it was filed by employees of its clients and not the clients. Brady Martz argued that it has no duty of care to the individuals, i.e., it has no business relationship with the plaintiffs. There has been no response from the plaintiffs as yet.