On May 27, DataBreaches reported on two breaches that had been disclosed on the Friday before a holiday weekend. One of the two was a breach reported by Onix Group in Pennsylvania. As DataBreaches reported at the time:
Their notice was provided on their own behalf and on behalf of Addiction Recovery Systems, Cadia Healthcare, Physician’s Mobile X-Ray, and Onix Hospitality Group.
Onix reports they were the victim of a ransomware attack on March 27 and the attacker had accessed their network, corrupted some systems, and exfiltrated some files between March 20 and March 27.
Onix reported the breach to HHS as affecting 319,500 patients, but did not reply to inquiries sent by this site. There has been no report as to which ransomware group was responsible for the attack and no update to the March 26 notice on its website.
Now Marianne Kolbasuk McGee reports that Onix Group has already been hit with three proposed class action lawsuits. But looking at one of the complaints, it is based on claiming risk of future harm, etc. Has anyone claimed that their data has already been misused in any way? And if they don’t, will their complaints survive a challenge to standing?
In the past six months, there have been some massive incidents affecting hundreds and hundreds of entities and thousands or millions of patients or consumers. Suing over data breaches has become somewhat of a cottage industry, but the courts will be flooded if everyone just jumps to file lawsuits based on the possibility of future harm or injury.
DataBreaches is not sure what the solution is, but urges the legal community to sue responsibly.