MRI provider sued over March data breach

A man who got an MRI at a Shields Health Care center in Winchester has the company for a March data breach that may have let a cyberthief access the personal information of more than 2 million people, including their Social Security numbers, birth dates, e-mail addresses and health information.

In his suit, filed yesterday in US District Court in Boston, William Biscan of Haverhill says he and other Shields patients suffered "a diminution in the value of their private and confidential information" and now have to spend time and money making sure their information isn't used for illicit purposes. He is hoping to become the lead plaintiff in a class-action suit against Shields.

As a direct and proximate result of the Data Breach and subsequent exposure of their Private Information, Plaintiff and Class Members have suffered and will continue to suffer damages and economic losses in the form of lost time needed to take appropriate measures to avoid unauthorized and fraudulent charges, putting alerts on their credit files, and dealing with spam messages and e-mails received as a result of the Data Breach. Plaintiff and Class Members have suffered and will continue to suffer an invasion of their property interest in their own PII [personally identifiable information] and PHI [personal health information] such that they are entitled to damages from Defendant for unauthorized access to, theft of, and misuse of their PII and PHI. These harms are ongoing, and Plaintiff and Class Members will suffer from future damages associated with the unauthorized use and misuse of their PII and PHI as thieves will continue to use the information to obtain money and credit in their names for several years

Shields itself says:

On March 28, 2022, Shields was alerted to suspicious activity that may have involved data compromise. Shields immediately launched an investigation into this issue and worked with subject matter specialists to determine the full nature and scope of the event.

This investigation determined that an unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022. Furthermore, the investigation revealed that certain data was acquired by the unknown actor within that time frame.

The complaint alleges Shields "failed to properly implement basic data security practices widely known throughout the industry."