ESO Systems Waited 3 Months to Notify Data Breach Victims, Alleges Class Action
ESO Solutions, a supplier of data management software to hospitals and first responders, waited three months to notify affected individuals about a data breach it learned of Sept. 28, alleged a class action Thursday (docket 1:23-cv-01557) in U.S. District Court for Western Texas in Austin.
Plaintiff Essie Jones of Jackson, Mississippi, is one of about 2.7 million individuals whose personally identifiable information (PII) and personal health information (PHI) was affected by the breach, which occurred on or about Sept. 17 when an unauthorized actor gained access to the software company's network and computer systems, the complaint said. ESO notified Jones of the breach Dec. 12 but “neglected to quickly and appropriately notify all affected individuals” until Dec. 19, it said.
ESO informed Jones that the compromised data may have included her name, phone number, date of birth, medical treatment information and Social Security number, the complaint said. Jones had taken steps to protect her PII prior to the breach and has not knowingly transmitted the sensitive data over unsecured or unencrypted internet connections, it said.
ESO breached its duties and obligations by failing to implement and maintain reasonable safeguards, including failing to comply with standard data security practices and federal and state laws and regulations governing data security, to properly train its employees on data security measures and protocols, and to timely recognize and detect unauthorized third parties accessing its system and stealing “substantial amounts of data,” it said.
Jones has suffered actual damages and is at “imminent, impending, and substantial risk for identity theft and future economic harm due to the highly sensitive nature of the information” targeted and stolen in the breach, the complaint said. Since learning of the incident, Jones has spent “uncompensated time taking the necessary preventative measures in an effort to mitigate the risk” of any potential instances of identity theft or fraud and to review financial statements and identity theft reports, it said.
The Health Insurance Portability and Accountability Act requires covered entities to protect against “reasonably anticipated threats” to the security of sensitive patient health information, the complaint said. Safeguards must include physical, technical and administrative components, it said.
ESO has offered a year of free credit-monitoring services to individuals involved in the data breach, the complaint said. But plaintiffs have spent and will continue to spend “significant amounts of uncompensated time” to monitor their financial and medical accounts, sensitive information, credit scores and records for misuse, it said. They also must live with the “anxiety and fear” that their PII could be disclosed “to the entire world,” denying them any right to privacy, it said.
Jones asserts claims of negligence; unjust enrichment; and breaches of implied contract, fiduciary duty and implied covenant of good faith and fair dealing, the complaint said. She seeks a declaration that ESO must comply with contractual obligations, including maintaining reasonable security measures, purchasing credit monitoring services for Jones and class members for 10 years and educating them about the threats they face as a result of the loss of their PII to third parties. She seeks awards of compensatory, statutory, nominal and punitive damages; restitution and disgorgement of revenues wrongfully retained as a result of ESO’s “wrongful conduct”; and reasonable attorneys’ fees and legal costs.