Electronic Health Record (EHR) services provider QRS Inc. is facing a data breach lawsuit following an August cyberattack that may have compromised the privacy of 319,778 patients.

Background of QRS Data Breach Lawsuit

QRS Data Breach Lawsuit

In a statement on their website, QRS confirmed their discovery on August 26, 2021, that a threat actor had accessed a server and may have obtained electronic protected health information (ePHI) contained on the network.

The Knoxville, Tennessee-based company immediately shut down the server and notified law enforcement. The company’s subsequent investigation determined that the breach started on August 23, 2021.

The data breached could include patient names, addresses, dates of birth, Social Security numbers, patient identification numbers, portal usernames, and medical treatment or diagnosis information. 

On October 22, 2021, QRS began notifying affected patients in writing and offering complimentary identity theft protection for individuals whose Social Security numbers were potentially compromised. 

QRS’s notification timeline appears to comply with the HIPAA Breach Notification Rule requirements. Among other things, the rule mandates written notification to affected individuals within 60 days of discovering a breach.

This attack did not involve any other QRS systems or the systems of any of QRS’s clients.

Let’s Simplify Compliance

Learn how to protect your business against breaches in our upcoming webinar!

Sign Up!
HIPAA Seal of Compliance

Claims Made in QRS Data Breach Lawsuit

A Kentucky resident filed a class-action lawsuit in the Eastern District of Tennessee. The complaint alleges that QRS failed to safeguard protected health information (PHI) adequately. It also cites a two-month delay in notifying impacted individuals of the data exposure. 

The complaint further argues that by entering into a HIPAA business associate agreement (BAA) with clients, QRS was responsible for keeping the plaintiff’s information safe from cyberattacks.

It also lists recommendations from the federal Cybersecurity and Infrastructure Security Agency (CISA) and the Microsoft Threat Protection Intelligence Team. The plaintiff claims QRS should have had a system to provide adequate protection from cybercrimes.

Takeaways from QRS Data Breach Lawsuit

As cybercrimes like ransomware and hacking incidents continue to victimize the healthcare industry, class-action lawsuit filings have almost become a matter of course following major breaches.

In addition to maintaining effective HIPAA compliance that fully addresses all of the law’s requirements, these lawsuits create legal headaches and an additional risk of financial exposure.  

Many healthcare providers (covered entities) and business associates choose to add cybersecurity insurance to their risk assessment toolbox. Most general business liability policies specifically exclude cyberattack liability. The added expense is usually minimal compared to the cost of defending against a lawsuit and potentially facing civil penalties.

The experts at Compliancy Group are available to guide you along every step of becoming fully HIPAA compliant. After more than 16 years of experience in HIPAA compliance, no client has ever failed an audit or been fined.

Our team takes the time to build a comprehensive compliance strategy that fully satisfies HIPAA regulations. This process also ensures your organization is better equipped to meet the growing risk of cyber threats.