Over 850 Total Lots Up For Auction at One Location - NJ Cleansweep 06/13

Spanish SpanishPortuguese Portuguese

EHR vendor QRS sued over breach to patient portal server

by John R. Fischer, Senior Reporter | January 14, 2022
Cyber Security Health IT
Share
EHR vendor QRS is being sued for a data breach that occurred in its patient portal system back in August.
Kentucky resident Matthew Tincher is taking EHR vendor QRS to court over a security breach of its patient portal server that potentially compromised his and nearly 320,000 other individuals’ health information.

QRS, a vendor of the Paradigm practice management and EHR systems, discovered in August that a cyberattacker had accessed the server over a three-day period. It reported the incident to the Department of Health and Human Services in October and began notifying patients the same month, reported GovInfoSecurity.

In a federal class action lawsuit filed in a Tennessee federal court, Tincher accuses QRS of negligence, invasion of privacy, breach of confidence, unjust enrichment and violating the Tennessee Consumer Protection Act. He also is demanding that it implement a long list of security improvements.

While the EHR vendor did not specify the type of attack it endured, the suit refers to it as a form of ransomware. "Despite the prevalence of public announcements of data breach and data security compromises, [QRS] failed to take appropriate steps to protect the personally identifiable information and PHI of Plaintiff and Class Members from being compromised," wrote Tincher in his complaint.

He adds that while he received notification of the breach from QRS, the company failed to implement one or more “government-recommended” security measures prior to the breach, including updating and patching systems, configuring firewalls to block access to known malicious IP addresses and a variety of access and other controls.

He believes his PII and PHI and those of others affected were sold on the dark web as a direct result, with the complaint saying that he experienced “...actual identity theft. It is more likely than not that his sensitive information was exfiltrated and stolen during the data breach.”

In a statement, QRS said the information “may have included, depending on the individual, their name, address, date of birth, social security number, patient identification number, portal username, and/or medical treatment or diagnosis information,"

The complaint says that individuals affected have allegedly had to pay out-of-pocket expenses to prevent, detect and recover from identity theft and fraud; experience a violation of privacy; and experienced an increased risk to their PII and PHI, which “remains unencrypted and available for unauthorized third parties to access and abuse.”
Sign up for Health IT stories Sign up for Weekly Top stories

You Must Be Logged In To Post A Comment

Sign up for Weekly Top stories

Sign up for Health IT stories

 

advertisement

Health IT Homepage

Diversifying revenue stream using patient payments
Improving standard of Prostate Cancer Diagnosis and Care while increasing MRI revenues
Preventing cyberattacks: Finding the right strategic partner
How virtual assistants are transforming business models
Technology, transparency and the bottom line: Considerations for the specialty benefits ecosystem
The consequences of the hack of Lurie Children’s Hospital
Through Edgility acquisition ABOUT aims for end-to-end AI-driven patient flow
Bayer and Google Cloud to accelerate development of AI-powered radiology applications
GE HealthCare closes MIM Software deal
Teleradiology company and CEO admit to unlawful billing, will pay $3.1 million