Getty Images/iStockphoto
Rise Interactive Faces Class Action Lawsuit Over Healthcare Data Breach
The digital marketing firm faces a class action lawsuit over a 2022 data breach, alleging inadequate cybersecurity measures exposed the PHI of 54,509 Edgepark patients.
Rise Interactive Media & Analytics was hit with proposed a class action healthcare data breach lawsuit in the aftermath of a November 2022 breach.
The law firm Wolf Haldenstein, Adler Freeman & Herz claimed that insufficient cybersecurity measures left the digital marketing company vulnerable to a data security incident, which affected 54,509 Edgepark Medical Supplies patients whose data had been previously provided to Rise.
As reported previously, Rise learned that a hacker accessed parts of its system containing personal health information (PHI) on November 14, 2022. On December 2, Rise discovered that one of these files included sensitive information about Edgepark patients, such as names, email addresses, phone numbers, provider details, diagnoses, expected delivery dates, and health insurance information.
While Rise discovered Edgepark data had been comprised on December 2, 2022, the affected individuals were notified three months later on February 10, 2023.
“It took approximately three months for Defendant to notify patients of customers and to publicly reveal the breach,” the lawsuit alleged. “As a result, Plaintiff’s and class members’ SPI was in the hands of hackers for approximately three months before Defendant began notifying them of the Data Breach.”
According to the 25-page lawsuit, the complaint emphasized that the breach notification was inadequate, as it failed to offer consumers any protective measures for their patient data or assistance, such as credit monitoring services.
“This response is entirely inadequate to Plaintiff and Class members who now potentially face several years of a heightened risk from the theft of their SPI and who may have already incurred substantial out-of-pocket costs in responding to the Data Breach.,” the lawsuit stated.
“Defendant has offered no assistance to Plaintiff or Class members in the wake of the breach,” the plaintiff continued. “This response is entirely inadequate to Plaintiff and Class members who now potentially face several years of heightened risk from the theft of their SPI and who may have already incurred substantial out-of-pocket costs in responding to the Data Breach.”
According to the lawsuit, the plaintiff discovered that her information had already been sold on the dark web after an unknown individual fraudulently attempted to use her health insurance for a prescription.
The filing alleged that Rise had disclosed sensitive personal information without consent despite legal, contractual, and industry obligations to protect patient data.
Additionally, the plaintiff is seeking to understand the relevance of this provided patient data to the digital marketing services that the company offers, given Edgepark’s privacy policy stating that it “must obtain your permission before using your Protected Health Information for purposes that are considered marketing under the HIPAA privacy rules.”
“It is unclear from either Rise or Edgepark’s statements or websites how Rise was given access to Edgepark’s customers’ health insurance information and other SPI as part of its digital marketing efforts,” the plaintiff stated. “It is further unclear why Plaintiff and Class members’ health insurance information and SPI are necessary for Rise to engage in digital marketing on Edgepark’s behalf.”
Although settlements have not been specified in the lawsuit, they have become a common resolution for healthcare data breach cases, often resulting in significant payouts. A notable example is the UMass Memorial Health Center, which agreed to a $1.2 million settlement to resolve a lawsuit related to a healthcare data breach after a cyberattack in 2021.