Shields Health Care Group Sued Over Data Breach


Last Friday marked the filing of a class-action complaint in the District of Massachusetts by a patient against defendant Shields Health Care Group, Inc., alleging that the defendant acted negligently when handling the plaintiff’s protected health information (PHI) and personally identifying information (PII), particularly in light of the March 2022 data breach.

As stated in the complaint, healthcare providers handle both PHI and PII. The complaint explains that as handlers of the sensitive information, healthcare providers “owe a duty to the individuals to whom that data relates.”

In the event that the information is compromised, the plaintiff notes that the affected individuals will be subject to “a substantially increased and certainly impending risk of identity theft crimes compared to the rest of the population, potentially for the rest of their lives.”

The defendant is a healthcare provider that obtains both PII and PHI from individuals. In its privacy practice, Shields acknowledges its duty to maintain its patient’s sensitive information. On the dates between March 7, 2022, and March 28, 2022, Shields informed its patients that a data breach of its system occurred involving the managing and imaging services that it provides for 56 separate facility partners.

The plaintiff alleges that Shields became aware of the breach by March 28, 2022, yet failed to notify the plaintiff and the putative class members within 60 days, as is required by law.

Shields has made public statements that lead the plaintiff to believe that “a wide variety of PII and PHI was implicated in the breach, including full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information,” and more. The plaintiff asserts that the inadequate data security of the defendant has led to her PII and PHI being exposed to hackers and a number of unauthorized individuals.

The plaintiff explains that both she and the class members are at an increased risk of fraud, identity theft, misappropriation of health insurance benefits, intrusion of health privacy, and more as a result of the defendant’s breach of its duty to handle PII and PHI with reasonable care.

The complaint cites negligence, negligence per se, breach of fiduciary duty and declaratory judgment. The plaintiff is seeking class certification, favorable judgment on each count, damages, restitution, equitable monetary relief, declaratory and injunctive relief, litigation fees, pre and post-judgment interest, a trial by jury, and any other relief deemed proper by the court.

The plaintiff is represented by Block & Leviton LLP and Lynch Carpenter LLP.