Onix Group, a Pennsylvania-based company that operates in commercial real estate and provides management and consulting services, is facing a class action lawsuit over a data breach that occurred in March 2023. The breach impacted 319,500 individuals and has led to serious allegations about the company's data security practices.
Details of the breach
On March 27, 2023, Onix Group discovered that an unauthorized party had accessed its network for seven days. During this period, the intruder corrupted systems and removed files, causing a significant disruption to the company's operations. The compromised files contained sensitive information, including names, Social Security numbers, scheduling, billing, and clinical information, as well as human resources data.
The breach impacted several of Onix Group's healthcare affiliates, including Addiction Recovery Systems, Cadia Healthcare, Physician's Mobile X-Ray, and Onix Hospitality Group.
The breach is one of the most significant in recent times, affecting a large number of individuals and exposing a wide range of sensitive information. The incident has raised serious questions about the company's data security practices and its ability to protect the sensitive information it holds.
The lawsuit
In the wake of the breach, a class action complaint was filed in the United States District Court for the Eastern District of Pennsylvania. The lawsuit alleges that Onix Group failed to safeguard the private information of the affected individuals and was negligent in its duty to protect sensitive information.
The plaintiffs claim that they suffered losses in out-of-pocket expenses and time used to mitigate the effects of the breach.
The lawsuit also alleges that Onix Group failed to notify affected individuals promptly about the breach, thereby depriving them of the opportunity to take immediate steps to protect themselves. The plaintiffs are seeking compensation for their losses, as well as changes to Onix Group's data security practices.
Onix Group's response
In response to the incident, Onix Group has taken several measures to secure its systems and prevent future breaches. The company engaged a specialized cybersecurity firm to conduct a forensic investigation into the breach and has since disabled access to the compromised systems. Onix Group has also promised to strengthen the security of its systems further to protect against future breaches.
Onix Group reported the breach to the Department of Health and Human Services (HHS) on May 26, which appears to be within the required 60-day time frame of when it discovered the breach in late March. The company is also offering complimentary credit monitoring and identity theft protection services to individuals whose social security and driver's license numbers were impacted.
The bottom line
The lawsuit against Onix Group underscores the legal and reputational risks that companies face in the event of a data breach. As the lawsuit progresses, it will be crucial for Onix Group to demonstrate its commitment to data security and regain the trust of its clients.
Related: HIPAA Compliant Email: The Definitive Guide
Dean Levitt
