BioPlus faces lawsuit over recent data breach
by Sara Uzer
BioPlus Specialty Pharmacy Services is facing a class-action lawsuit, following the disclosure of a recent data breach that led to the unauthorized access of patient information. The lawsuit claims that the incident was caused by the company’s insufficient security measures.
Keep reading to learn more about the impact of the breach, what the lawsuit says, and how HIPAA compliant email can help you steer clear of future threats.
The initial breach
BioPlus first identified suspicious activity within its IT network on November 11. Upon discovering the incident, the company immediately isolated its systems, initiated an investigation with a third-party forensic firm, and alerted law enforcement.
The investigation determined that a hacker had gained access to BioPlus’ network between October 25 and November 11 and may have acquired files with patients’ personally identifiable information (PII) and protected health information (PHI). Potentially compromised data includes dates of birth, health plan member IDs, diagnoses, prescription information, and Social Security numbers.
BioPlus sent notification letters to all affected patients on December 10, approximately one month after the breach was identified. The company also offered free credit monitoring and identity protection services to those whose Social Security numbers were exposed.
What is in the lawsuit?
Two BioPlus patients filed a class-action lawsuit against the company in late December. The lawsuit alleges negligence for the failure to “maintain reasonable data security safeguards, implement industry-standard security practices, and exercise reasonable care in the hiring and supervision of its employees and agents.”
Furthermore, the lawsuit states that BioPlus failed to detect the breach, remove sensitive data from its network, and disclose important details about the attack, such as how many patients were impacted and whether the data was encrypted.
Although the company technically met the 60-day deadline for reporting a data breach, the plaintiffs note that BioPlus offered no explanation for the delay between the incident discovery and formal notice and may have exposed patients to further harm.
Seeking to cover all individuals whose private information was compromised, the lawsuit claims that the plaintiff and class members have suffered “numerous actual and imminent injuries” as a direct result of the incident, including “the theft of PII and PHI, emotional distress, future risks of financial fraud, and incurring costs to manage the consequences.”
Stay protected with Paubox
When it comes to data breaches in the healthcare space, the potential repercussions go well beyond HIPAA fines and reputational damage. Providers can also be sued for failing to take the necessary measures to keep sensitive information secure.
Covered entities can stay one step ahead of future security threats by conducting regular employee awareness training, maintaining data backups, and creating a business continuity plan. With email serving as the number one threat vector, it is also especially crucial to make stronger email security a priority.
Designed to conveniently integrate with your current email platform such as Google Workspace or Microsoft 365, Paubox Email Suite sends HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages directly in their inbox without having to navigate any separate passwords or portals.
Paubox Email Suite’s Plus and Premium plan levels also include advanced inbound email security tools for further protection. Our patent-pending Zero Trust Email feature uses email AI to confirm an email’s legitimacy, while patented ExecProtect quickly intercepts display name spoofing attempts.