EHR Vendor QRS Faces Lawsuit After Healthcare Cyberattack

January 07, 2022 - QRS, a healthcare technology company that provides EHR services, is now facing a lawsuit in the wake of an August 2021 cyberattack that impacted nearly 320,000 current and former patients.

In the filing, the plaintiff argued that QRS failed to adequately safeguard protected health information (PHI) and said that QRS took two months to notify impacted individuals of the data exposure. However, QRS followed procedure and complied with HIPAA by reporting the breach within 60 days of discovery.

Between August 23 and August 26, an unauthorized third party accessed one QRS dedicated patient portal server and potentially acquired sensitive information, including Social Security numbers, patient identification numbers, portal usernames, names, addresses, birth dates, and medical treatment information.

According to a notice on the EHR vendor’s website, QRS immediately took the server offline, notified law enforcement, and conducted an investigation. QRS said it began notifying patients on behalf of its clients on October 22, 2021.

The plaintiff, Kentucky resident Matthew Tincher, said he received a notice on October 22 that an unauthorized third party had gained access to his Social Security number, birth date, patient number, and portal username.

“Upon information and belief, based on the criminal hacking activity that targeted Plaintiff’s and Class Members’ Sensitive Information, the time frame of the breach over three days, and Plaintiff Tincher’s experience of actual identity theft shortly after the breach, it is more likely than not that his Sensitive Information was exfiltrated and stolen during the Data Breach,” the lawsuit alleged.

The suit argued that by entering into a HIPAA business associate agreement (BAA) with its clients, QRS knew or should have known that it was responsible for keeping the plaintiff’s information safe from cyberattacks.

The lawsuit listed numerous cybersecurity measures outlined by the Cybersecurity and Infrastructure Security Agency (CISA) and the Microsoft Threat Protection Intelligence Team, claiming that QRS should have implemented all off these measures in order to prevent a ransomware attack.

It is unclear what security measures QRS had in place prior to the breach. However, under a HIPAA BAA, vendors are held to the same standards for protecting PHI as covered entities.

The plaintiff also reasoned that QRS should have taken extra precautions to protect PHI given the number of cyberattacks targeted at the healthcare sector in recent years.

The lawsuit also explained Tincher and other potential class members expended energy and funds to mitigate the risks associated with the breach.

“As a result of the Data Breach notice, Plaintiff spent time dealing with the consequences of the Data Breach, which included time spent verifying the legitimacy of the Notice of the Data Breach and self-monitoring his accounts and credit statements,” the lawsuit stated.

“He has also spent time changing passwords and ordering new credit cards. This time has been lost forever and cannot be recaptured.”

In order to build a successful case, the class members will have to prove that they suffered concrete harm as a result of the data breach.