2 Data Breach Class Actions Cite Md. Ophthalmology Firm for Negligence

On Dec. 22, Maryland-based RGW issued data breach notices to individuals whose information was believed to have been accessed in the incident, saying it discovered Dec. 8 that some sensitive private information “may have been impacted,” said the complaint.

Plaintiffs Shalane Vance of Chevy Chase, Maryland, a former RGW patient, and Sharon Jenkins of Washington, D.C., a current patient, allege the provider failed to fulfill its obligations to safeguard patients’ PII and PHI and prevent unauthorized third parties from accessing “vast quantities” of information belonging to them and class members, the complaint said.

The breach occurred because RGW “inexcusably failed to implement reasonable security protections to safeguard its information systems and databases,” said the complaint. RGW “failed to inform the public that its data security practices were deficient and inadequate”; had it done so, plaintiffs would not have provided their private information to the company, it said.

RGW offered affected individuals one year of complimentary credit monitoring, which plaintiffs deem “woefully inadequate” to address a “life-long heightened risk of identity theft,” the complaint said. Both plaintiffs experienced a “dramatic increase” in spam phone calls and emails since the breach, the complaint said. RGW’s notice said their Social Security and driver’s license numbers, addresses, phone numbers, and demographic, health and insurance information were compromised in the breach.

Vance and Jenkins assert claims of negligence, breach of implied contract, unjust enrichment, intrusion upon seclusion and violation of Maryland’s Consumer Protection Act. They seek injunctive relief to prohibit RGW from engaging in the unlawful acts described; compensatory, consequential, general and statutory damages, plus punitive or exemplary damages; and attorneys’ fees and legal costs, the complaint said.

A second data breach class action vs. RGW, filed Wednesday in U.S. District Court for Maryland in Baltimore, said plaintiff Natalia Girard was unaware of the breach until she received the Dec. 22 letter from RGW. The letter said her PHI and PII, plus financial information, were involved in the breach, said the complaint (docket 1:24-cv-00082). Some 456,000 people were affected owing to RGW’s “failure to implement appropriate security safeguards,” it said.

Girard recently was notified of potential fraudulent activity from her credit card companies, including a note from CreditWise saying her email was exposed on the dark web from Dec. 4, the complaint said. “As this information was among those accessed in the Data Breach, it is very likely more of her information -- including highly sensitive material like Social Security numbers -- are now also on the dark web,” the complaint said.

The New Market, Maryland, resident requested a copy of her medical record from RGW “to determine the extent of compromised data” but has not yet received it, the complaint said. She learned it may take a month to process her record, which is “wholly unacceptable given the already delayed nature of the Data Breach notification,” the complaint said. Girard has a continuing interest in ensuring her PII, PHI and financial information is safeguarded since it “remains backed up” in RGW’s possession, the complaint said.

Since receiving the security notice, Girard was injured in the form of lost time dealing with the consequences of the breach, “material risk to future harm” and damages and diminution in the value of her PHI and PII “being placed in the hands of unauthorized third parties/criminals,” the complaint said.

Girard asserts claims of negligence; breach of implied contract and implied covenant of good faith and fair dealing; and unjust enrichment. She seeks orders enjoining RGW from engaging in unlawful activities described and requests awards of actual, nominal and consequential damages; prejudgment interest; and attorneys’ fees and legal costs.