Emmanuel College Waited 9 Months to Notify Data Breach Victims: Class Action
Elizabeth Parchinskya first learned Jan. 31 that her private information was exposed in an April 27 data breach of Emmanuel College’s information network, said her class action Thursday (docket 1:24-cv-10314) in U.S. District Court for Massachusetts in Boston. The breach was discovered on Jan. 16, said a notice posted by the Maine Attorney General’s office.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Parchinskya, a Boston resident, is suing Emmanuel College's trustees for failing to protect her personal health (PHI) and personally identifiable information (PII) it had acquired, collected and stored, the complaint said. Some 89,064 individuals were affected by the breach, in which third-party criminals gained access to her and class members’ PHI and PII that the college hosted, it said, citing the Maine AG’s notice.
The notice Parchinskya received had basic details of the breach, the defendant’s “recommended next steps,” and its claims that it “completed its investigation" of the incident Jan. 16 “but tellingly did not announce when they discovered” the breach, which occurred “early in 2023,” the complaint said.
The defendants “disregarded the rights” of Parchinskya and class members by “intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures” to safeguard their PHI and PII, the complaint said. They failed to follow required and appropriate protocols, policies and procedures regarding data encryption, it said. Exposed information includes full names, Social Security numbers, government identification, financial account, and health insurance and medical information, it said.
Parchinskya and her class members were injured in the form of lost time dealing with the consequences of the data breach, including time spent verifying the legitimacy and impact of the breach, exploring credit monitoring and identity theft insurance options, self-monitoring their accounts with heightened scrutiny and seeking legal counsel for remedying or mitigating the effects of the breach, the complaint said.
As a result of the breach, Parchinskya has increased anxiety for her loss of privacy and over the impact of cybercriminals accessing, using and selling her PHI, PII and financial information, the complaint said. Parchinskya and class members remain “in the dark” about what data was stolen, which malware was used and what steps the trustees are taking to secure plaintiff’s and class members' private information, it said.
The four-count complaint includes claims for negligence, breach of implied contract and implied covenant of good faith and fair dealing, plus unjust enrichment. Parchinskya seeks for herself and the class awards of actual, nominal and consequential damages and orders requiring the defendant to cease its unlawful activities, encrypt all data collected through the course of business according to laws and industry standards and implement a comprehensive information security program. She seeks prejudgment interest and attorneys’ fees and costs.