Consumer Electronics Daily was a Warren News publication.
'Ascertainable Losses'

Intellihartx Waited 4 Months to Tell Consumers About Data Breach, Alleges Complaints

Healthcare payment services company Intellihartx (ITx) waited four months after discovering a data breach to notify patients their personally identifiable information may have been compromised, said two Tuesday class actions in U.S. District Court for Northern Ohio in Toledo.

ITx allowed a cyberattacker to access and obtain the personally identifiable information (PII) and personal health information of over 480,000 patients, alleged (docket 3:23-cv-01452) plaintiff Nicholas Timmons, a Cape Girardeau, Missouri, resident. The company failed to notify Timmons and class members of the incident within 60 days "as required by law," said his complaint. An unknown criminal actor gained access to the ITx network Feb. 2 after its secure file transfer protocol provider, Fortra, was subject to a data breach that “potentially impacted certain medical providers’ information,” including CoxHealth patient information, said a complaint (docket 3:23-cv-01439) brought by Arizona resident Jose Cabrales.

ITx “immediately launched” an investigation after the breach and completed the initial review March 24; a “comprehensive review” was completed May 19, said a letter sent to plaintiffs Timmons and Cabrales and other class members June 9. Compromised information includes name, date of birth, Social Security number, address, health insurance information, medical history, and other data provided to ITx, said the complaint. The letter instructed victims to “remain vigilant against incidents of identity theft and fraud by reviewing your account statements and monitoring your free credit reports for suspicious activity.”

There are “serious issues” with ITx’s data breach, and the “deficiencies” in its notification letter “exacerbate the circumstances” for data breach victims, said Cabrales' complaint, citing the four months that passed between breach and notification. “This information is vital to victims of a data breach, let alone a data breach of this magnitude, due to the sensitivity and wide array of information compromised” in the breach, the complaint said. The PII “was not encrypted prior to the data breach,” it said.

As a result, Cabrales and class members suffered “injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses, loss of value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of, and diminution in, value of their personal information,” the complaint said.

Cabrales' and class members’ PII, which was entrusted to ITx, was “compromised and unlawfully accessed” due to the breach, said his complaint. It was taken by unauthorized third parties and remains in the hands of ITx, “and without additional safeguards and independent review and oversight, remains vulnerable to future cyberattacks and theft." The breach was a direct result of the company’s “failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect victims’ PII," it said. Despite publicized announcements of data breach and data security compromises, and despite ITx's own acknowledgment of its duties to keep PII private and secure, the company “failed to take appropriate steps” to prevent the PII of Cabrales and the proposed class from being compromised, the complaint said.

The suit claims negligence, breach of implied contract, intrusion upon seclusion and unjust enrichment. Cabrales seeks for himself and the class equitable relief enjoining ITx from engaging in the wrongful conduct alleged, an order requiring ITx to use appropriate methods and policies for data collection, storage and safety, “and to disclose with specificity the type of PII compromised” in the breach. He also seeks restitution and disgorgement of the revenue wrongfully retained; lifetime credit monitoring services; and awards of actual, compensatory, punitive, and statutory damages and penalties, plus attorneys’ fees and legal costs.

At least four similar privacy cases were filed since June -- in the same court and one in Tennessee -- involving the February data breach. In a June 21 complaint (docket 3:23-cv-01224), plaintiff Lauren Perrone, a New Jersey resident, cited a report from cybersecurity expert Brian Krebs saying Fortra disclosed to its customers, including ITx, a “remote code injection exploit” affecting GoAnywhere MFT, Fortra’s widely used file transfer application.

Hackers used “remote code injection exploits” to remotely execute malicious code on their targets’ computer systems, said Perrone’s complaint. Russia-linked ransomware group Clop claimed responsibility for attacks on GoAnywhere MFT, and to have stolen data exposed by the software from over 130 organizations during the preceding 10 days, including ITx, the complaint said.

In a July 10 complaint, Thomas Kelly of Napoleon, Ohio, alleged (docket 3:23-cv-01338), he experienced fraudulent charges to his Fifth Third Bank account around March involving the data breach. Kelly said his private information is being “disseminated on the dark web," according to Experian, and he experienced an increase in spam calls, texts and emails. In June, plaintiff Robert Terwilliger, a Missouri resident, and Edwin Rodriguez of Massachusetts, filed a related privacy class action (docket 2:23-cv-00074) against ITx and Fortra in U.S. District Court for Eastern Tennessee in Greeneville.

The ITx website says data breach victims can "further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your state Attorney General." The security notice said consumers who want to place a credit freeze should contact one of the three major credit reporting bureaus. ITx didn't comment.