EHR Vendor Breach Lawsuit Seeks Security Improvements -

"Patient portal hacking incident last summer affected nearly 320,000."

Why this is important: On October 22, 2021, QRS Inc., a medical practice management system and electronic health record vendor, provided a HIPAA breach notification to the Department of Health and Human Services. QRS informed DHHS that over a three-day period in late August 2021, its patient portal was breached. The result of this breach was the potential exposure of 320,000 patients' personal health information. A putative class action lawsuit was filed in federal court in Tennessee alleging that the putative class representative and class members suffered damages related to actual identity theft as a result of the breach. In addition to damages, the putative class is seeking injunctive relief that would require QRS to implement a wide range of security improvements, including barring QRS from maintaining personal health information on a cloud-based database. This class action is based on the fact that QRS failed to implement "government-recommended" security measures and not statutory and regulatory mandated security measures. Therefore, complying with governmental mandates is not enough to avoid litigation in the event of a breach. However, it is yet to be seen whether failing to implement recommended, but not required, security measures will result in the finding of liability.