Former Employee Sues Onix Over Stolen PII, PHI Risk After March Data Breach
Cybercriminals were able to “roam freely” in Onix’s computer systems during a March 20-27 data breach, alleges former Onix employee Angela Haynie in a Thursday privacy class action (docket 2:23-cv-02689) in U.S. District Court for Eastern Pennsylvania in Philadelphia. Onix…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
failed to protect plaintiff and the putative classes’ personally identifiable (PII) and personal health information (PHI), and failed to mitigate the harms of the breach, said the complaint. “Rather than immediately accepting responsibility” and warning plaintiff about the risks of her PII and PHI being stolen, Onix “opted to bury its head in the sand,” informing victims of the breach two months later, around May 26, it said. Onix’s “negligent conduct” is “illuminated further” by the fact that Haynie, a Newark, Delaware resident, is a former Onix employee who has not worked at the company for several years, said the complaint. “This means that Defendant also maintains an inadequate data deletion schedule,” because there is no reason why Onix should still be in possession of Haynie's PII and PHI, said the complaint. Haynie cited “glaring omissions” in the May letter, including whether Onix paid the ransomware demand in the data breach, leaving victims no way of knowing whether their data is still in Onix’s custody or control. Onix didn’t explain how long the investigation took or whether it knew immediately that PII and PHI had been compromised. The company also didn’t disclose remedial measures being taken to ensure the protection of PII and PHI still in its custody, the complaint said. The 12 months of identity theft monitoring services Onix offered victims of the data breach “fails to touch upon any true future harms,” said the complaint. Plaintiff and class members will need credit and identity theft monitoring for a minimum of five years to protect their identities due to the breach, the complaint said. The retail cost of such monitoring can run about $200 a year per class member; the costs are “reasonable and necessary” to protect class members from the risk of identity theft, it said. Haynie claims violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law, negligence and unjust enrichment; she seeks awards of actual, compensatory, statutory and nominal damages; statutory penalties; equitable and injunctive relief; and attorneys’ fees and costs.