American Vision Partners Kept Data Breach Secret for 3 Months: Class Action

class action Tuesday (docket 2:24-cv-00463) in U.S. District Court for Arizona in Phoenix. American Vision determined on Dec. 6 that hackers had compromised its patients' PII and PHI, affecting some 2 million individuals, but only first publicly disclosed the breach to the Department of Health and Human Services on Feb. 6; it then began issuing data breach notices to affected patients, the complaint said. Plaintiffs Ralph Gallegos of El Paso County, Texas, and James Drews of Pinal County, Arizona, received notices dated Feb. 15 from American Vision, informing them their PII and PHI were compromised in the data breach. As a result, both plaintiffs will be forced to invest “significant time” monitoring their accounts to detect and reduce the consequences of “likely identity fraud,” the complaint said. American Vision had numerous statutory, regulatory, contractual and common law duties and obligations to patients to keep their PII and PHI confidential, secure and protected from unauthorized access, the complaint said. The data exposed in the breach -- including Social Security numbers, medical records, and health and insurance data -- indicates plaintiffs and class members have suffered “irreparable harm,” it said. The defendant “failed to use reasonable security procedures" appropriate to the nature of the private information it maintained for the plaintiffs, it said. Causes of action include negligence and negligence per se, breach of implied contract, invasion of privacy, unjust enrichment and violation of the Arizona Consumer Fraud Act, it said. Plaintiffs seek statutory damages, prejudgment interest and an order of restitution. American Vision didn't comment Wednesday.