Breach, Incident Response, Governance, Risk and Compliance

After hack, BioPlus faces class-action lawsuit, allegations into security measures

Prescription medication is pictured on May 15, 2014 in Auckland, New Zealand.  (Photo by Phil Walter/Getty Images)

BioPlus Specialty Pharmacy Services is facing a class-action data breach lawsuit, following its recent disclosure of a weeks-long IT network hack that resulted in the unauthorized access of former and current patient-related information. The lawsuit claims the incident was caused by the vendor’s inadequate security measures, while raising further questions into the breach itself. 

The breach notice describes the incident as unauthorized access of patient information, while the lawsuit alleges the data was exfiltrated from the network. Further, victims have been given “no assurance… from BioPlus that all personal data or copies of data have been recovered or destroyed.”

What’s interesting is that the public notice does not include the data theft language, but the lawsuit states that the patient “received a notification letter from BioPlus stating that her sensitive PII was taken.”

The hack was discovered by BioPlus on Nov. 11, but the systems’ intrusion began nearly a month earlier on Oct. 25. The investigation that followed confirmed the threat actor accessed a range of information belonging to 350,000 former and current patients.

The exposed data could include dates of birth, health plan member ID numbers, claims data, medical record numbers, diagnoses, and or prescription details. The actors also accessed the Social Security numbers of a smaller subset of patients.

The lawsuit, filed on Jan. 5 in the U.S. Middle District of Florida, Orlando Division, alleges that the data exposed during the hack was leaked on the dark web by the attackers. To make matters worse, a patient named Patricia White claims that BioPlus shouldn’t have had her data in the first place.

White claims her information was entered into the BioPlus system in 2015 due to a “clerical error,” which resulted in her prescription information being sent from her provider to BioPlus instead of her in-network pharmacy. The patient informed the parties of the mistake and canceled the BioPlus service.

However, “her information remained in [BioPlus]’s systems, vulnerable to misuse, until the data breach occurred in November of 2021.” 

In addition, one month after the initial hack, White received a notice from her credit monitoring services vendor that her information appeared on the dark web and was shared on a forum for trading sensitive patient information used in health insurance and other banking scams.

The lawsuit asserts the data theft was caused by BioPlus, for its “failure to exercise reasonable care” in securing sensitive protected health information and personally identifiable information. The alleged failures “enabled the hackers to steal the private Information”... and put patients’ “information at a serious, immediate, and ongoing risk.”

As a result of the theft, patients are now burdened with the costs of recovery and “loss of productivity from taking time to address and attempt to ameliorate the release of personal data, as well as emotional grief associated with constant monitoring of personal banking and credit accounts.”

The language surrounding the claims of harm mirror recent breach-related lawsuits, centering around constant monitoring of accounts, ongoing efforts to prevent fraud attempts, and “the imposition of withdrawal and purchase limits on compromised accounts.”

BioPlus did offer a year of free credit monitoring services to all breach victims, the lawsuit takes issue with the lack of assurances about the security of patient information. It further claims that to receive the provided services, the data of individuals would “be shared with third parties and could not guarantee complete privacy of her sensitive PII.”

As a result, the victims who filed the lawsuit chose not to give the vendor any more data to receive those services.

Just one of the two victims who filed the lawsuit provided evidence of data misuse. The breach victims are seeking declaratory relief for claims of negligence, as well as breach of contract, implied contract, and fiduciary duty.

Lastly, the lawsuit also takes issue with the three month delay in notification. However, the disclosure was well-within the 60-day timeline from discovery to notification, outlined in The Health Insurance Portability and Accountability Act.

Breach lawsuits have become increasingly common in the healthcare sector in light of the steady stream of security incidents. At least three other suits were filed in the last month and include Planned Parenthood LA, QRS, and Bansley and Kiener.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.