On July 20, 2022, Zenith American Solutions, Inc. reported a data breach with the U.S. Department of Health and Human Services Office for Civil Rights that impacted 37,146 individuals. According to Zenith American, the breach resulted in the Social Security numbers of certain employees being compromised. The company’s most recent data breach letter was addressed to employees of Sound Health and Wellness Trust. After confirming the breach and identifying all affected parties, on July 8, 2022, Zenith American Solutions began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Zenith American Solutions data breach, please see our recent piece on the topic here.
What We Know About the Zenith American Solutions Data Breach
The information about the Zenith American Solutions, Inc. data breach comes from the company’s filing with the U.S. Department of Health and Human Services Office for Civil Rights. Evidently, Zenith American is a third-party administrator for employee benefits. In this capacity, Zenith American obtains the sensitive information of certain employees, including those of Sound Health and Wellness Trust.
According to the most recently available information, on June 24, 2022, Zenith American sent out letters to employees asking them to complete a Personal Health Assessment or Health Profile to enroll in the 2023 Health Reimbursement Account. However, on June 28, 2022, Zenith American learned that, due to an error in the printing process, the address used in this letter contained employees’ Social Security numbers. The exterior address also included affected parties’ names, addresses, and unique ID numbers.
On July 8, 2022, Zenith American Solutions sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Zenith American Solutions, Inc.
Based in Tampa, Florida, Zenith American Solutions, Inc. is a third-party administrator of employee benefits. The company provides banking and financial services, as well as health claim processing, pension and retirement administration, managed care, COBRA administration, eligibility accounting, and flexible spending accounts. Zenith American Solutions employs more than 1,491 people and generates approximately $315 million in annual revenue.
What Are a Company’s Duties to Protect Consumer Data?
Under the United States data breach and consumer protection laws, companies that store or maintain consumer data have a duty to ensure they preserve the privacy and safety of the information. These same laws also permit victims of a data breach to hold a company responsible for leaking their information in certain cases. Of course, just because a business exposes your personal information doesn’t mean that it is financially liable for any resulting damages—the question is whether the company’s negligence played a role in the breach.
The basic framework of a negligence analysis requires the victim of a breach to prove the following:
The company owed the consumer a duty of care;
The company violated the duty of care owed to the consumer;
The company’s negligent actions caused or contributed to the data breach; and
The consumer suffered legally recognizable harms as a result of the breach.
When it comes to storing, transmitting and using consumer data, companies can be negligent in a number of ways. Below are some of the most common examples of how a company’s negligence may lead to a data breach.
An organization’s data security system is inadequate, either because it was not properly maintained, outdated or otherwise insufficient for the size and scope of the business;
An employee carelessly transmits consumer information to an unauthorized or unknown party;
The company fails to provide a system for encrypting and storing sensitive consumer data, or;
An employee responds to a phishing attack, either by clicking on a link or providing sensitive information to an unauthorized party.
While it is too early to tell if Zenith American was negligent, it would appear that sending out letters with consumers’ Social Security numbers visible on the exterior of the envelope could be considered negligence. Data breach victims who want to learn more about their rights and whether they may be able to bring a data breach class action lawsuit should reach out to a data breach attorney for assistance.