Lincare Holdings, Inc. faces a proposed class action lawsuit over its alleged failure to safeguard sensitive personal patient information stored on its servers.
Lincare Waits Nine Months After Data Breach Before Informing Victims
The lawsuit alleges Lincare, a medical equipment and services provider, was the subject of a cyber attack beginning on or about September 10, 2021. The attack was discovered on September 26 of that year. Although Lincare claims to have discovered the breach on September 26, 2021 and blocked the unauthorized access by September 29, it did not begin to notify victims until June 2022, roughly nine months later.
According to the lawsuit, current and former patients’ medical treatment information, provider names, dates of services, diagnoses and procedures, account and/or record numbers, names and dates of birth were compromised in the incident.
Lincare’s Failure To Maintain A Minimum Data Security Standard Enabled Data Breach
The lawsuit contends that Lincare was obligated under the Health Insurance Portability and Accountability Act (HIPAA) to satisfy at least the law’s minimum standards of care for organizations who deal with personal health information. More specifically, HIPAA requires organizations such as Lincare to maintain appropriate safeguards for the information with which it is entrusted, and sets limits and conditions on the uses and disclosures of the data that may be made without a customer or patient’s consent, the suit states.
Victims of Data Breach Still Don’t Know The Extent Of Information Stolen
According to the lawsuit, despite the nine months that have elapsed since the breach, Lincare victims remain uninformed as to the extent of information that was compromised, the kind of malware used during the incident and any steps being taken to secure their information going forward.
“Representative Plaintiff and Class Members are left to speculate as to the full impact of the Data Breach and how exactly Defendant intends to enhance its information security systems and monitoring capabilities so as to prevent further breaches,” the filing reads.