EHR Vendor Faces Legal Action Over Data Breach


A Tennessee-based healthcare technology services company is facing legal action over a cyber-attack that occurred in August 2021.

The class action lawsuit was filed against QRS Healthcare Solutions (QRS, Inc), an electric health record (EHR) vendor and provider of integrated practice management and clinical services, including electronic patient portals.

On August 26 2021, QRS discovered that a cyber-attacker had accessed a QRS dedicated patient portal server on which certain sensitive information was stored.

According to a data security notice published by QRS on its website, the cyber-attack “involved the personal information, including the health information, of some of its clients’ patients.”

The impacted server was taken offline when the attack was discovered, and QRS hired a digital forensics security firm to analyze the incident. 

Investigators determined that an unknown attacker had accessed the server from August 23 2021 to August 26 2021, and may have acquired files containing the protected health information (PHI) of almost 320,000 patients.

“The information may have included, depending on the individual, their name, address, date of birth, Social Security number, patient identification number, portal username and/or medical treatment or diagnosis information,” reads QRS’s notice.

In October, on behalf of its clients, QRS began sending written notifications to individuals whose personal information was accessed in the incident. The healthcare technology services company also offered complimentary identity theft protection services to individuals whose Social Security numbers may have been compromised.

Following the data breach, Kentucky resident Matthew Tincher has filed a class action complaint in the US District Court for the Eastern District of Tennessee against QRS. Tincher, who lives in Frankfurt, alleges that QRS failed to take reasonable action to secure, monitor and maintain the personally identifiable information (PII) and PHI stored on its patient portal.

The suit alleges that the data was stored by QRS in an unencrypted form. It also criticizes QRS for waiting two months before sending out data breach notifications to impacted individuals. 

Products You May Like

Articles You May Like

“Workarounds” Helped Royal Mail Resume Shipping After Ransomware Attack
Tech support scammers are still at it: Here’s what to look out for in 2023
Massive Ad Fraud Scheme Targeted Over 11 Million Devices with 1,700 Spoofed Apps
T-Mobile admits to 37,000,000 customer records stolen by “bad actor”
Mastodon vs. Twitter: Know the differences

Leave a Reply

Your email address will not be published. Required fields are marked *