Following Data Breach EHR Vendor Gets Lawsuit

After a breach exposed the Data of 319,778 people, an electronic health record company was sued this week. QRS, Inc., a Tennessee-based provider of EHR and practise management software, began notifying individuals of the issue in October. QRS failed to keep protected health information and personally identifiable information on its patient portal secure, monitored, and maintained in a reasonable manner.

Plaintiff and approximately 319,000 current and former patients of healthcare providers who used QRS’ services suffered current injury and damages in the form of identity theft, loss of value of their Sensitive Information, out-of-pocket expenses, and the value of their time reasonably incurred to remedy or mitigate the effects of unauthorised access, exfiltration, and subsequent criminal misuse of their sensitive and highly personal information.

QRS discovered on August 26, 2021, that an unauthorised actor had accessed a patient portal server – and, by extension, the personal information stored on that server – three days before, as detailed in the complaint. Tincher believes that his information, as well as those of his classmates, was sold on the dark web, based on previous cyber criminal behaviours.

Tincher claims he was the victim of identity theft shortly after the Data leak, with more than 10 unauthorised charges on his bank account and credit card. He accused QRS of neglecting to execute threat intelligence specialists’ and federal agencies’ recommendations for preventing and detecting cyber threats. Tincher is seeking damages as well as an injunction against QRS from storing his and the other class members’ information on a cloud-based Data base, among other things.