QRS EHR Provider Sued for Patient Portal Server Breach
Kentucky resident Matthew Tincher is suing EHR provider QRS over a security breach of its patient portal server that potentially compromised his health information and that of nearly 320,000 others.
QRS, a provider of practice management systems and EHR Paradigm, discovered in August that a cyberattacker had accessed the server over a three-day period. It reported the incident to the Department of Health and Human Services in October and began notifying patients the same month, GovInfoSecurity reported.
In a class action lawsuit filed in federal court in Tennessee, Tincher accuses QRS of negligence, invasion of privacy, breach of trust, unjust enrichment and violation of the Consumer Protection Act of Tennessee. The lawsuit also demands that QRS implement a long list of security improvements.
Although the EHR provider did not specify the type of attack it suffered, the lawsuit refers to it as a form of ransomware. “Despite the prevalence of public announcements of data breaches and data security compromises, [QRS] failed to take appropriate steps to protect the personally identifiable information and PHI of the plaintiff and class members from compromise,” Tincher said in his complaint.
He adds that although he received notification of the QRS breach, the company failed to implement one or more “government recommended” security measures prior to the breach, including updating and remediating systems, configuring firewalls to block access to known malicious IP addresses, and a variety of access and other controls.
He believes his and other affected individuals’ PII and PHI were sold on the dark web as a direct result, with the complaint saying he suffered “genuine identity theft”. It is more likely than not that his sensitive information was exfiltrated and stolen during the data breach.
In a statement, QRS said the information “may include, depending on the individual, name, address, date of birth, social security number, patient identification number, portal and/or information on medical treatment or diagnosis”.
The complaint states that the individuals concerned have had to pay personal expenses to prevent, detect and recover from identity theft and fraud; have suffered a breach of privacy; and have suffered increased risk to their PII and PHI, which “remain unencrypted and available for unauthorized third parties to access and abuse”.