Ransomware, Incident Response

Health tech vendor QRS faces lawsuit after data theft impacting 319K patients

LONDON, ENGLAND – JUNE 02: Crisis Volunteer and Coach Lauren Duncan sits with her laptop in the kitchen, where she usually logs on for her shifts with the crisis text service Shout 85258 on June 02, 2020 in the Woodside Park area of London, United Kingdom. While studying for her psychology degree, discovering that it isn’t usually an ad...

Technology services vendor QRS is facing a class-action lawsuit, following its The Health Insurance Portability and Accountability Act breach notification informing 319,778 patients that their data was possibly stolen during a hack on an electronic patient portal.

QRS is a third-party vendor that provides electronic patient portals and related services to healthcare provider organizations.

In early November, QRS reported that an attacker gained access to a single, dedicated patient portal server for three days in August, leading to the unauthorized access to and likely exfiltration of patient-related data. The lawsuit shows the client was Lexington Heart Specialists in Kentucky.

No other QRS or client systems were accessed in the hack, but the impacted data included Social Security numbers, patient identification numbers, treatments, diagnoses, and other sensitive data.

Filed in the U.S. Eastern District Court of Tennessee on Jan. 3, the lawsuit argues that the data exfiltration could have been prevented if QRS had adequately secured, monitored, and maintained the protected health information in its possession.

The suit argues that QRS should have implemented federally recommended cybersecurity measures, which would have detected or prevented the hack. The lawsuit names a laundry list of cybersecurity measures, but it’s unclear whether they were employed by QRS at the time of the incident.

The lawsuit boldly claims the breach indicates that QRS failed to implement one or more of the measures. However, even with strong security based on industry standards, the attackers may have been able to gain access.

QRS is also accused of negligence and/or recklessness, as well as violating federal and state regulations, as well as HIPAA.

The lawsuit argues the two-month wait to inform patients placed them at a greater risk of identity theft. But it should be plainly noted that HIPAA requires covered entities and business associates to report breaches within 60 days of discovery, for which QRS complied.

It also claims a number of data security failings led to the breach, including failure to take steps to prevent compromise and failure to leverage appropriate data encryption protocols and procedures. Further, the suit argues the breach “resulted from a combination of insufficiencies demonstrating [QRS] failed to comply with safeguards mandated by HIPAA.”

The breach victims allege they’ve suffered actual and imminent injury, such as lost or diminished value to their personal data, out-of-pocket expenses for responding to potential fraud and identity theft risks, lost time and money for recovery efforts, and continued risk to their data. They’re also claiming to have experienced “emotional distress, fear, anxiety, nuisance and annoyance related to the theft and compromise of their [data].”

The victim who filed the lawsuit experienced identity theft shortly after the data breach and believes his data, and that of other patients, “was subsequently sold on the dark web following the data breach.” 

Shortly after the incident, the breach victim experienced more than “10 unauthorized charges on his bank account and credit card. This resulted in trips to the bank, with gas charges and consumption and mileage on his car, and additional time spent completing paperwork and discussing the issues with the bank for resolution.”

Further, he was targeted with scams following the incident, including robocalls and texts. The fraud attempts resulted in the breach victim paying for a credit monitoring app out-of-pocket, as well as identity theft protection.

The detailing of actual harms will be critical for the case moving forward, given the 2020 Supreme Court ruling that established concrete harm must be established for lawsuits to proceed. Individuals must have an analogue to a common law tradition; or “factual evidence” of some type of  materialized actual harm.

Lastly, the lawsuit raises concerns with the health information left under QRS control, as it “remains unencrypted and available for unauthorized third parties to access and abuse.” As long as QRS “fails to undertake appropriate and adequate measures to protect” the data remains at risk.

As a result, the victims are seeking an injunction that would require QRS to remedy ongoing harms and better protect the data in their control. The lawsuit seeks to address the concerns and arguments raised, with particular scrutiny to QRS cybersecurity policies and tech measures.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.