Connexin Software, doing business as Office Practicum, is currently facing another lawsuit as a result of the data breach that occurred in August 2022. The ransomware attack had a significant impact on more than 2.2 million individuals. Connexin Software provides electronic medical records and practice management software to pediatric practices, making it a crucial player in the healthcare industry. The recent lawsuit adds to the mounting legal action against Connexin Software, as the company continues to deal with the aftermath of the data breach.
In August 2022, Connexin Software detected unusual data activity on its internal network, which prompted the company to launch an immediate investigation. Third-party forensic experts were brought in to help determine the scope and nature of the incident. The investigation determined on September 13, 2022, that an unauthorized party had gained access to an offline set of patient data used for data conversion and troubleshooting. Connexin Software has reported to the HHS’ Office for Civil Rights that personal and medical information of over 2.2 million individuals may have been exposed in the data breach. The patient information that may have been impacted by the breach includes both basic and sensitive data, such as name, address, email address, and date of birth, as well as Social Security numbers, health insurance information, medical and/or treatment information, and billing and/or claims information. In addition to affecting millions of individuals, the breach has also impacted 199 healthcare insurance companies and service providers.
Upon discovering the data breach, Connexin Software took immediate action to stop the unauthorized activity. The company’s response included resetting all corporate passwords and moving all patient data that was being used for data conversion and troubleshooting into an even more secure environment. In addition, a third-party cybersecurity forensic firm was engaged by the company to investigate the issue, and Connexin Software has been collaborating with law enforcement to further investigate the incident. To assist the breach victims, the company offered 12 months of free credit monitoring services.
Despite the measures taken by Connexin Software to secure patient data after the data breach, the company is now facing a second class-action lawsuit filed in the District Court of the Eastern District of Pennsylvania on behalf of the breach victims. According to the lawsuit, as a company that stores personal health information, Connexin had a duty under the Health Insurance Portability and Accountability Act (HIPAA) to maintain patient confidentiality by employing appropriate safeguards, which the company allegedly failed to do. The lawsuit asserts that Connexin’s failure to implement appropriate cybersecurity measures to safeguard consumers’ data led to the data breach.
“Moreover, it appears that the Private Information was stored unencrypted [on Connexin’s computer network] and had proper encryption practices been implemented, the cyber attacker would have exfiltrated only unintelligible data,” states the suit.
According to the lawsuit, Connexin Software failed to comply with the HIPAA Breach Notification Rule when it waited until November to notify victims of the data breach, even though the cyberattack was discovered as early as August 26. The plaintiffs maintain that the identity theft monitoring services offered to the victims for a duration of 12 months by the company are not enough, and they argue that additional protective measures will have to be implemented long after the free service period ends. Furthermore, the notice provided by the company to patients failed to include crucial details, such as the length of time the system was compromised, how the breach occurred, and the company’s investigation of the incident and its efforts to prevent similar cyberattacks from happening again. These concerns are heightened because Connexin Software still holds sensitive patient data.
“[Connexin]’s failure to timely notify the victims of its Data Breach meant that Plaintiff and Class Members were unable to take affirmative measures to prevent or mitigate the resulting harm,” the suit reads, stating that affected individuals now face a heightened risk of fraud and identity theft that may last for the rest of their respective lifetimes. “In some cases, it did not notify patients at all.”
The second class-action lawsuit filed against Connexin Software seeks relief for the victims impacted by the data breach. The lawsuit asserts claims of negligence, negligence per se, and unjust enrichment, and requests a jury trial. The plaintiffs are pursuing a monetary award suitable to compensate for the damages, including actual, statutory, and punitive damages, restitution, and disgorgement. The lawsuit also requests equitable, injunctive, and declaratory relief that would require Connexin Software to adopt and implement best practices for data security to safeguard private information. The plaintiffs are also seeking an extension of the identity theft and credit monitoring services beyond the current 12-month period, which they consider inadequate to protect the victims sufficiently. If the lawsuit is successful, it could result in significant monetary compensation for the victims, as well as significant changes in the way Connexin Software handles personal data in the future.