Claims Made in QRS Data Breach Lawsuit
A Kentucky resident filed a class-action lawsuit in the Eastern District of Tennessee. The complaint alleges that QRS failed to safeguard protected health information (PHI) adequately. It also cites a two-month delay in notifying impacted individuals of the data exposure.
The complaint further argues that by entering into a HIPAA business associate agreement (BAA) with clients, QRS was responsible for keeping the plaintiff’s information safe from cyberattacks.
It also lists recommendations from the federal Cybersecurity and Infrastructure Security Agency (CISA) and the Microsoft Threat Protection Intelligence Team. The plaintiff claims QRS should have had a system to provide adequate protection from cybercrimes.
Takeaways from QRS Data Breach Lawsuit
As cybercrimes like ransomware and hacking incidents continue to victimize the healthcare industry, class-action lawsuit filings have almost become a matter of course following major breaches.
Beyond the work of maintaining effective HIPAA compliance that fully addresses all of the law’s requirements, organizations face legal headaches and an additional risk of financial exposure from these lawsuits.
Many healthcare providers (covered entities) and business associates choose to add cybersecurity insurance to their risk assessment toolbox. Most general business liability policies specifically exclude cyberattack liability. The added expense is usually minimal compared to the cost of defending against a lawsuit and potentially facing civil penalties.
The experts at Compliancy Group are available to guide you along every step of becoming fully HIPAA compliant. In more than 16 years of experience in HIPAA compliance, no client has ever failed an audit or been fined.
Our team takes the time to build a comprehensive compliance strategy that fully satisfies HIPAA regulations. This process also ensures your organization is better equipped to meet the growing risk of cyber threats.