Medical Imaging Firm Faces 2 Class Actions in 2022 Breach
Massachusetts Citizens Excluded From Feds' Case Against Shields Health Care Group
Shields Health Care Group, a prominent Massachusetts-based medical imaging services provider, is facing proposed class action lawsuits in federal and state court stemming from a 2022 breach that affected 2 million individuals.
The federal lawsuit is a consolidation of seven class action lawsuits filed against the company last year.
The proposed class members in the federal case are individuals who were affected by the breach - with the exception of Massachusetts residents, who are being represented in state court litigation.
Shields has more than 40 locations in New England, in outpatient testing facilities and in hospitals, and most of its locations are clustered in Massachusetts. Quincy, Massachusetts-based Shields Health Care on its website touts itself as the "official" provider of MRIs and related medical imaging services to several professional sports teams, including the New England Patriots, the Boston Celtics and the Boston Bruins.
The U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website shows that Shields reported the incident as a business associate and as a hacking incident involving a network server and affecting 2 million individuals.
The Shields incident ranks among the five largest health data breaches reported to HHS OCR in 2022 (see: Analysis: Third-Party Health Data Breaches Dominated in 2022).
Both lawsuits allege an array of similar claims against Shields, including negligence and recklessness in failing to protect sensitive information, breach of contract, invasion of privacy and violations of various state laws.
Both lawsuits also allege that Shields failed to notify affected individuals in a timely manner, putting class members and plaintiffs at higher risk for fraud.
Under HIPAA, covered entities must report to HHS a breach affecting 500 or more individuals no later than 60 days following a breach. Notification to individuals affected by a breach must also be provided no later than 60 days following the discovery of a breach. Exceptions exist, such as for a police investigation.
Shields in a breach notification statement says that on March 28, 2022, it detected suspicious activity that may have involved data compromise, and that the investigation into the incident determined that "an unknown actor" had gained access to certain Shields systems for the two-week period last year between March 7 and March 21.
The investigation also determined that hackers had "acquired" data including full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID and other medical or treatment information.
Both lawsuits seek similar relief, including an injunctive order prohibiting Shields from "engaging in the unlawful acts, omissions, and practices" related to data security and privacy, as well as monetary damages.
Attorneys representing plaintiffs and class members in each of the cases declined Information Security Media Group's request for comment on the lawsuits. Shields did not respond to ISMG's request for comment.