Pexels

Accounting Firm in US Faces Lawsuit Over Healthcare Data Breach

Chicago-based accounting firm Bansley and Kiener (B&K) allegedly failed to notify impacted individuals of a healthcare data breach until more than six months after the incident, a lawsuit filed on December 17 in the First Judicial Circuit Court of Cook County, Illinois stated.

B&K initially identified the data security incident in December 2020 when its systems were encrypted. It was not until May 24, 2021, that the CPA firm discovered that personally identifiable information (PII) and protected health information (PHI) had been exfiltrated.

“B&K cannot confirm specifically what information, if any, was viewed by the unauthorized person. However, on August 24, 2021, the investigation confirmed that the information present on our systems at the time of the incident included names and Social Security numbers,” 

notice on the firm’s site stated.

However, the Office for Civil Rights (OCR) data breach portal states that the breach impacted the PHI of over 70,000 individuals. The data breach as a whole affected over 270,000 individuals, the lawsuit stated.

Plaintiff Gregg Nelson alleged that B&K failed to properly safeguard PII and failed to provide timely notice of the breach to impacted individuals. According to the filing, the CPA firm, which businesses retain to manage their payroll, pension, health insurance, and benefits, possessed unredacted and unencrypted PII, including Social Security numbers, tax identification numbers, and passport numbers.

B&K did not notify the proper government agencies until November 2021, almost a year after the breach was discovered.

Plaintiff argued that the data breach notice he received on December 8, 2021, failed to explain why it took the firm over six months since B&K determined that PII had been exposed to alert impacted clients.

“As a result of this delayed response, Plaintiff and Class Members were unaware that their PII had been compromised, and that they were, and continue to be, at significant risk to identity theft and various other forms of personal, social, and financial harm,”

the lawsuit claimed.

Source: