QRS, a health IT and EHR software company, is facing a potential class-action lawsuit after it notified about 320,000 patients that their protected health information was exposed during an August cyberattack.
The lawsuit was filed Jan. 3 by Kentucky resident Matthew Tincher, who was one of the patients whose information was affected. In the complaint, he alleged that QRS failed to adequately protect patient data.
QRS reported the breach to HHS on Oct. 22, 2021. The EHR vendor said a hacker accessed one of its dedicated patient portal servers between Aug. 23 and Aug. 26, 2021.
In the complaint, Mr. Tincher said QRS "waited roughly two months" to notify affected individuals after learning of the breach. Under HIPAA, healthcare organizations have 60 days to inform affected patients of cyber incidents.
The hacker accessed, and may have acquired, files on the server containing patients' information, the company said. This information included patients' names, Social Security numbers, addresses, birthdates, patient ID numbers and diagnosis details.
QRS had not yet responded to Becker's request for comment at the time of publication.