BioPlus Specialty Pharmacy Faces Lawsuit Over Healthcare Data Breach

January 17, 2022 - Two patients are seeking class-action status in a lawsuit against BioPlus Specialty Pharmacy over its handling of an October 2021 data breach that impacted 350,000 individuals. Plaintiffs alleged that the Florida-based pharmacy failed to adequately safeguard its patients’ personally identifiable information (PII) and failed to notify patients in a timely manner.

A December 10 notice on BioPlus Specialty Pharmacy’s website stated that the pharmacy determined that an unauthorized party gained access to its IT network between October 25 and November 11. The unauthorized party accessed files containing PII, including some Social Security numbers.

BioPlus said it could not rule out the possibility that the information of all current and former BioPlus patients were subject to the breach. The pharmacy immediately isolated its network and launched an investigation after discovering the intrusion on November 11, the notice said.

The breach notification describes the incident as “unauthorized access.” However, the lawsuit alleged that the impacted patients’ PII was “stolen by cybercriminals,” which raised questions about the nature of the breach.

The lawsuit also noted that BioPlus did not notify the victims until December 2021. However, BioPlus was compliant with HIPAA’s 60-day breach notification rule.

“Defendant’s security failures enabled the hackers to steal the Private Information of Plaintiffs and other members of the class,” the lawsuit stated.

“These failures put Plaintiffs’ and other Class Members’ Private Information at a serious, immediate, and ongoing risk. Additionally, Defendant’s failures caused costs and expenses associated with the time spent and the loss of productivity from taking time to address and attempt to ameliorate the release of personal data, as well as emotional grief associated with constant monitoring of personal banking and credit accounts.”

Plaintiffs also alleged that they suffered a “loss of property value of their private information when it was acquired by cyber thieves in the data breach.”

In addition, the lawsuit said that the Plaintiffs had not received any assurance that all the impacted personal data had been recovered or destroyed.

One Plaintiff, New Jersey resident Wendy Bryan, alleged in the lawsuit that BioPlus’ offering of a year of free credit monitoring was insufficient because “Experian credit monitoring would have shared Ms. Bryan’s information with third parties and could not guarantee complete privacy of her sensitive PII.”

“In the months and years following the Data Breach, Ms. Bryan and the other Class Members will experience a slew of harms as a result of Defendant’s ineffective data security measures,” the lawsuit claimed.

“Some of these harms will include fraudulent charges, medical procedures ordered in patients’ names without their permission, and targeted advertising without patient consent.”

The lawsuit also told the story of another plaintiff, Connecticut resident Patricia White, whose information was entered into BioPlus Specialty Pharmacy’s systems due to a clerical error that caused her prescription information to be sent to BioPlus rather than her designated pharmacy.

“Ms. White corrected the clerical error and canceled the service from BioPlus, but her information remained in Defendant’s systems, vulnerable to misuse, until the data breach occurred in November of 2021,” the lawsuit continued.

White also said she received a notification from her credit monitoring service on November 30, notifying her that her information had been found on the dark web.

Other organizations, including EHR vendor QRS and Eskenazi Health, are facing similar lawsuits following healthcare data breaches.