A Tennessee-based healthcare technology services company is facing legal action over a cyber-attack that occurred in August 2021.
The class action lawsuit was filed against QRS Healthcare Solutions (QRS, Inc), an electronic health record (EHR) vendor and provider of integrated practice management and clinical services, including electronic patient portals.
On August 26 2021, QRS discovered that a cyber-attacker had accessed a QRS dedicated patient portal server on which certain sensitive information was stored.
According to a data security notice published by QRS on its website, the cyber-attack “involved the personal information, including the health information, of some of its clients’ patients.”
The impacted server was taken offline when the attack was discovered, and QRS hired a digital forensics security firm to analyze the incident.
Investigators determined that an unknown attacker had accessed the server from August 23 2021 to August 26 2021, and may have acquired files containing the protected health information (PHI) of almost 320,000 patients.
“The information may have included, depending on the individual, their name, address, date of birth, Social Security number, patient identification number, portal username and/or medical treatment or diagnosis information,” reads QRS’s notice.
In October, on behalf of its clients, QRS began sending written notifications to individuals whose personal information was accessed in the incident. The healthcare technology services company also offered complimentary identity theft protection services to individuals whose Social Security numbers may have been compromised.
Following the data breach, Kentucky resident Matthew Tincher has filed a class action complaint in the US District Court for the Eastern District of Tennessee against QRS. Tincher, who lives in Frankfort, alleges that QRS failed to take reasonable action to secure, monitor and maintain the personally identifiable information (PII) and PHI stored on its patient portal.
The suit alleges that the data was stored by QRS in an unencrypted form. It also criticizes QRS for waiting two months before sending out data breach notifications to impacted individuals.