Sav-Rx Faces Lawsuit Because of 2.8 Million-Record Data Breach

Medication benefits management service provider A&A Services, also known as Sav-Rx, is facing a class action lawsuit because of a data breach that occurred in October 2023 affecting 2.8 million people.

On or about October 3, 2023, hackers gained access to the Sav-Rx system and extracted files containing the protected health information (PHI) of workers and health plan members of Sav-Rx’s clients. Sav-Rx discovered the breach on October 8, 2023, and confirmed through a file review that names, contact details, birth dates, and Social Security numbers had been stolen. Sav-Rx stated that it received the file review results on April 30, 2024, and the affected individuals were notified of the data breach on May 10, 2024. The service provider offered free identity theft protection and credit monitoring services.

On June 5, 2024, Rodney Hill filed a class action lawsuit in the U.S. District Court for the District of Nebraska over the compromise of his protected health information in the cyberattack. The lawsuit asserts that the defendant did not use reasonable and proper cybersecurity processes and protocols and kept sensitive information in a careless fashion. The lawsuit describes a cyberattack as inevitable because Sav-Rx kept a lot of sensitive information that cybercriminals want. It also asserts that the attack and data breach could have been prevented. The lawsuit claims that Sav-Rx did not comply with its responsibilities under HIPAA, common law, contract law, Federal Trade Commission regulations, and industry criteria.

The lawsuit additionally claims that Sav-Rx did not issue prompt notifications. Although the notification letters gave specific information about the breach, there were a few key omissions: how the breach happened, which vulnerabilities were exploited, and what procedures would be applied to avoid more data breaches. The lawsuit states that the missing details impaired the ability of the plaintiff and class members to mitigate the harmful consequences of the data breach.

The lawsuit claims that the plaintiff and class members face an increased and impending threat of identity theft and fraud, have suffered out-of-pocket costs, and have experienced a diminished value of their personally identifiable information (PII), along with other negative effects. The lawsuit alleges negligence, unjust enrichment, and breach of third-party beneficiary contract, and seeks a jury trial, class certification, damages, injunctive relief, and equitable relief, including a court order requiring the implementation of a number of measures to enhance security and stop more data breaches.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA