Electrostim Medical Services, a Florida-based medical device company, has announced a large data breach impacting up to 543,000 patients.
What happened
Electrostim, operating as EMSI, provides garments, devices, and braces for pain management and physical rehabilitation. The company currently employs around 400 individuals and currently serves over 70,000 patients.
Recently, they released a data breach notification and sent a letter to approximately 543,000 potentially impacted patients.
In the notice, EMSI stated they first noticed suspicious activity on May 13th, 2023. Upon discovery, they immediately began an investigation, discovering an unknown actor had accessed their network between April 27th and May 13th. They stated the investigation was extensive, delaying notification letters to impacted patients. EMSI said that exposed data may have included individuals’ names, addresses, email addresses, phone numbers, diagnoses, insurance information, subscriber information, and products prescribed and billed.
While the company has not found any evidence of misuse of information, they strongly recommend individuals monitor their credit.
What’s new
It’s only been a short time since notification letters have gone out, but EMSI is now facing a class action lawsuit. The suit's members claim the breach was “foreseeable and preventable.” The lawsuit also states that EMSI was negligent and failed to oversee its data security obligations properly. The lawsuit further alleges that EMSI wrongly waited over six months to notify impacted patients and left out critical information regarding the incident, which could have helped patients mitigate the impact.
What was said
In the breach notification letter, EMSI said, “The confidentiality, privacy, and security of information in our care is among our highest priorities. Upon discovering the suspicious activity, we immediately commenced an investigation to confirm the nature and scope of the incident.”
The class action lawsuit claimed EMSI’s past efforts were insufficient. The lawsuit read, “Defendant could have prevented this data breach by properly securing and encrypting the files and file servers containing the private information.”
Why it matters
The case is a stark reminder of the importance of prioritizing data security. Any organization, no matter how big or small, that is required to be HIPAA compliant must ensure that protected health data is as secure as possible.
In this case, the lawsuit claimed that the breach could have been prevented if proper measures had been taken, mainly if encryption had been utilized.
The big picture
With many breaches occurring in the healthcare sector, organizations must do everything possible to prevent breaches. If organizations are found that they could have done more, it could lead to devastating legal implications.
The majority of breaches are caused by malicious emails and are preventable. By utilizing a robust email system like Paubox, healthcare companies can feel more confident in their security and ability to protect patient data.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
