Accounting Firm Faces Lawsuit Over Healthcare Data Breach

Chicago-based accounting firm Bansley and Kiener (B&K) allegedly failed to notify impacted individuals of a healthcare data breach until more than six months after the incident, a lawsuit filed on December 17 in the First Judicial Circuit Court of Cook County, Illinois stated.

B&K initially identified the data security incident in December 2020 when its systems were encrypted. It was not until May 24, 2021 that the CPA firm discovered that personally identifiable information (PII) and protected health information (PHI) had been exfiltrated.

“B&K cannot confirm specifically what information, if any, was viewed by the unauthorized person. However, on August 24, 2021, the investigation confirmed that the information present on our systems at the time of the incident included names and Social Security numbers,” a notice on the firm’s site stated.

However, the Office for Civil Rights (OCR) data breach portal states that the breach impacted the PHI of over 70,000 individuals. The data breach as a whole affected over 270,000 individuals, the lawsuit stated.

Plaintiff Gregg Nelson alleged that B&K failed to properly safeguard PII and failed to provide timely notice of the breach to impacted individuals. According to the filing, the CPA firm, which businesses retain to manage their payroll, pension, health insurance, and benefits, possessed unredacted and unencrypted PII, including Social Security numbers, tax identification numbers, and passport numbers.

B&K did not notify the proper government agencies until November 2021, almost a year after the breach was discovered.

“In December 2020, Bansley chose not to notify affected Participants or, upon information and belief, its Clients, of its data breach instead choosing to address the incident inhouse by making upgrades to some aspects of its computer security. It then simply resumed its normal business operations,” the lawsuit alleged.

“Over five months later, on May 24, 2021, Bansley learned that Class Members’ PII had been ‘exfiltrated’ from its network. Only then did Bansley finally retain a cyber security firm to investigate this Data Breach.”

The Plaintiff argued that the data breach notice, which he received on December 8, 2021, failed to explain why it took the firm over six months from the date that B&K determined that PII had been exposed to alert impacted clients.

“As a result of this delayed response, Plaintiff and Class Members were unaware that their PII had been compromised, and that they were, and continue to be, at significant risk to identity theft and various other forms of personal, social, and financial harm,” the lawsuit claimed.

The Plaintiff alleged that B&K intentionally, recklessly, willfully, or at the very least negligently failed to implement adequate security measures to prevent data breaches.

Despite these claims, the firm’s website states that “Information privacy and security are among our highest priorities.”

“We have strict security measures in place to protect information in our care. Upon learning of the incident, and to help prevent something like this from happening in the future, we took steps to confirm and further strengthen the security of our systems. We also continue to educate our employees on cyber security best practices.”