Lyon Firm Files QRS Data Breach Complaint
The Lyon Firm has filed a lawsuit against QRS, a healthcare technology company that provides EHR services, on behalf of a Kentucky plaintiffs and a class of data breach victims nationwide.
After an August 2021 cyberattack impacted around 320,000 patients, privacy attorneys took legal action. In the filing, the plaintiff alleges QRS failed to properly safeguard protected health information (PHI) and took two months for QRS to notify impacted individuals.
According to reports, between August 23 and August 26, an unauthorized third party accessed the QRS network, and potentially acquired Social Security numbers, patient identification numbers, portal usernames, names, addresses, birth dates, and medical treatment information.
The Lyon Firm’s QRS data breach plaintiff, Kentucky resident Matthew Tincher, said he received a notice on October 22 that an unauthorized third party had gained access to his Social Security number, birth date, patient number, and portal username.
The lawsuit argues that by entering into a HIPAA business associate agreement with its clients, QRS was responsible for keeping the plaintiff’s information safe from cyberattacks.
The lawsuit lists a number of cybersecurity measures outlined by the Cybersecurity and Infrastructure Security Agency (CISA) and the Microsoft Threat Protection Intelligence Team, claiming that QRS should have implemented these measures to prevent a ransomware attack.
The lawsuit also explained Tincher and other potential class members expended energy and funds to mitigate the risks associated with the breach.