Lawsuit Filed Against Conifer & Tenet Healthcare Over Email Account Breach
A class action lawsuit has been filed against Conifer and Tenet Healthcare over a breach of the protected health information of thousands of individuals. The lawsuit names Conifer Value-Based Care, Conifer Health Solutions, Conifer Revenue Cycle Solutions, and Tenet Healthcare Corporation as defendants. Conifer provides revenue cycle management and value-based care services and all Conifer entities are subsidiaries of, and therefore under the control of, Tenet Healthcare. The lawsuit was filed in the U.S. District Court Northern District of Texas, Dallas Division, on behalf of plaintiff Nicole Kolb, and similarly situated individuals. The plaintiff and class are represented by Joe Kendall of Kendall Law Group, Samuel J. Strauss and Raina Borrelli of Turke & Strauss, and Gary. M. Klinger of Milberg Coleman Bryson Phillips Grossman.
The lawsuit was filed in response to a breach of a Microsoft 365-hosted business email account that was detected on April 14, 2022. The investigation concluded the account was compromised on January 20, 2023. The information in the compromised email account included full names, home addresses, dates of birth, medical and treatment information, health insurance information, and billing and claims information, with some individuals also having their Social Security numbers, financial account information, and driver’s license numbers compromised.
The lawsuit alleges the defendants failed to protect highly sensitive data, did not have adequate monitoring measures in place to detect unauthorized account activity such as an Office 365 spam filter, and then delayed sending notification letters for several months. The plaintiff discovered she had been affected by the data breach on September 30, 2022, more than 8 months after the breach occurred and more than 5 months after the breach was detected, then was offered nothing to remedy the ill effects of the data breach. The lawsuit also alleges three violations of the HIPAA Rules – a failure to ensure the confidentiality, integrity, and availability of electronic protected health information, a failure to protect against reasonably anticipated threats to the security of ePHI, and a failure to protect against anticipated uses and disclosures of ePHI not permitted under the HIPAA Privacy Rule.
While the lawsuit was filed in response to a breach at Conifer Value-Based Care – reported to the HHS’ Office for Civil Rights as affecting 20,642 individuals – the lawsuit also states that another Conifer entity, Conifer Revenue Cycle Solutions, experienced a similar breach around the same time, which was reported to the HHS’ Office for Civil Rights as affecting 134,948 individuals, further indicating the failure of the defendants to protect sensitive data.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The lawsuit alleges the plaintiff and class members face imminent and impending injury from the increased risk of identity theft and fraud. The plaintiff has had to spend time dealing with the consequences of the breach, has experienced an increase in spam text and phone calls since the breach, and has spent increased time monitoring her accounts for misuse of her personal data. In addition, the plaintiff suffered diminution of the value of her sensitive data, anxiety, and emotional distress.
The lawsuit alleges negligence, negligence per se, invasion of privacy, unjust enrichment, and violations of the California Confidentiality of Medical Information Act, California Consumer Records Act, and California Unfair Competition Law. The lawsuit seeks class action status, a jury trial, declaratory and other equitable relief, injunctive relief, compensatory, exemplary, punitive damages, and statutory damages, and attorneys’ fees and legal costs.
