Another Fraud Class Action Filed Against Onix Group Over March Data Breach

The Onix Group failed to secure and safeguard about 320,000 individuals’ personally identifiable information (PII) and personal health information (PHI) during a March data breach in its healthcare business, said plaintiffs Thomas Jones and Leah Simione in a class action (docket 2:23-cv-02621) Friday in U.S. District Court for Eastern Pennsylvania in Philadelphia. It's the fourth fraud complaint filed against Onix in less than a month.

An Onix notice said a March 27 ransomware incident by an unauthorized third party affected its internal computer system March 20-27, resulting in unauthorized access to private information in the Addiction Recovery Systems, Cadia Healthcare, Physician’s Mobile X-ray, Onix Group and Onix Hospitality Group units, it said. Compromised information included names, social security numbers, birthdates, scheduling and billing information, direct deposit information and health plan enrollment information, it said.

Onix hasn’t disclosed publicly the identity of the unauthorized third party, nor has it said whether a ransomware demand was made or paid, said the complaint. The company “did not offer any assurances or evidence that all impacted Private Information or copies thereof have been recovered or destroyed,” it said.

New Jersey plaintiffs Jones and Simione were notified via a May 26 letter that their data was compromised in the breach, said the complaint. Onix failed to explain why it waited over two months after first becoming aware of the incident to provide notice of the breach, it said. The company said it has since strengthened the security of its systems, it said. Its notice of the breach says “vaguely” that the company “took immediate action to secure systems and launched an investigation with help from cybersecurity experts," the complaint said.

Plaintiffs claim on behalf of themselves and the class negligence, negligence per se, breach of implied contract, unjust enrichment and breach of fiduciary duty. They seek remedies including compensatory, treble and punitive damages, reimbursement of out-of-pocket costs, and declaratory and injunctive relief including improvements to Onix’s data security systems, future annual audits, and adequate credit monitoring services funded by Onix. The company didn’t comment.

The same court will hear motions from three plaintiffs who filed similar class actions related to the March data breach, said a Thursday order. Plaintiffs Eric Meyers (docket 23-2288) and Donald Owens and Aida Wimbush (docket 23-2301) will meet and confer with plaintiff Ashlea Bernard (docket 23-2556) to discuss positions on their motion to consolidate the related actions, appoint lead counsel and set a schedule for filing a consolidated amended complaint, it said. Plaintiffs are due to file a supplemental briefing with Bernard’s position no later than Wednesday, with a status hearing slated for Monday.