Multiple class-action lawsuits have been filed against Gryphon Healthcare, a Houston, TX-based provider of revenue cycle management and medical billing solutions to healthcare companies. The lawsuits are associated with a data breach in August 2024 involving unauthorized access to almost 400,000 individuals’ protected health information (PHI). The breached data contained names, contact data, Social Security numbers, diagnosis and treatment information, medical record numbers, and medical insurance data. The attack occurred through an IT service provider.
Gryphon Healthcare is facing at least seven lawsuits filed by people who were notified about the disclosure of their PHI. The plaintiffs claim that Gryphon Healthcare did not use reasonable and proper cybersecurity procedures to safeguard the sensitive data it kept and did not monitor its systems for unauthorized activity. The lawsuits insist that if Gryphon Healthcare had implemented proper protections and followed industry standards, the data incident could have been avoided. With proper system monitoring in place, the attack could have been identified much more quickly.
The lawsuits make the same claims, which include violations of the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission (FTC) Act, and contract law. The plaintiffs claim that the theft of their personal data and PHI led to injuries such as financial harm caused by the misuse of their data, the loss or diminished value of their personal data, and time lost detecting and preventing identity theft and fraud.
The plaintiffs assert the following claims: negligence, negligence per se, breach of confidence, invasion of privacy, breach of fiduciary duty, unjust enrichment, breach of third-party beneficiary contract, and breach of implied contract. The lawsuits were filed in Texas federal court and seek a jury trial, class action certification for individuals impacted by the data breach, injunctive relief, and actual, compensatory, statutory, and punitive damages, including a court order requiring Gryphon Healthcare to apply different security measures to protect the personal data and PHI kept by the company.