On August 24, 2022, Gifted Healthcare reported a data breach to several state attorney general offices. According to Gifted Healthcare, the breach resulted in the names, addresses, Social Security numbers, financial information and medical information of certain individuals being compromised. After confirming the breach and identifying all affected parties, Gifted Healthcare began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Gifted Healthcare data breach, please see our recent piece on the topic here.
What We Know About the Gifted Healthcare Data Breach
The information about the Gifted Healthcare data breach comes from official filings with the state attorney general offices of Montana and Texas. According to the most current information, Gifted Healthcare recently detected suspicious activity with an employee email account. In response, the company secured its systems and began working with outside cybersecurity specialists to investigate the incident.
The company’s investigation revealed that three employee email accounts were subject to unauthorized access between August 25, 2021 and December 10, 2021. The investigation also confirmed that some of the files contained in the affected employee email accounts contained sensitive information belonging to certain patients.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Gifted Healthcare began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. Gifted Healthcare completed its review of the files on July 25, 2022. While the breached information varies depending on the individual, it may include your name, address, Social Security number, financial information and medical information.
On August 24, 2022, Gifted Healthcare sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Gifted Healthcare
Founded in 2006, Gifted Healthcare is a healthcare staffing business specializing in providing temporary nursing employees to healthcare practices across the country. Gifted Healthcare maintains a primary focus on LTAC nurse staffing solutions and government contracting. The company also heavily recruits qualified candidates as travel nurses. Gifted Healthcare employs more than 1,994 people and generates approximately $1 billion in annual revenue.
When Is a Company Financially Liable for a Data Breach Victim’s Harms?
The Gifted Healthcare data breach is relatively recent news, and more information about the incident is expected to come out in the near future. However, at this point, it appears as though the Gifted Healthcare breach involved unauthorized access to the company’s IT network, which granted the unauthorized party access to the sensitive data of individuals.
In a situation such as this one, determining whether a company is liable for a data breach can be complex, and consumers whose information was leaked may not know who to look to for recourse.
As a general rule, any company that maintains, stores, transmits or receives consumer data has a legal obligation to the consumer. It is generally irrelevant how the company came into possession of a consumer’s information—the question is whether the party who leaked the information was negligent.
In the data breach context, a victim can prove a company was negligent by establishing the following elements:
- The organization owed the victim a duty of care;
- The organization breached the duty it owed to the victim;
- The organization’s negligence caused or contributed to the victim’s harms (i.e., identity theft); and
- The victim suffered economic or non-economic injury as a result.
While this sounds straightforward, proving these elements can be challenging, especially when there is a significant delay between the date of the incident and the date when the company provided notice to consumers. While there may be good reasons for a delayed data breach letter, as a general rule, companies should try to provide notice to affected individuals as quickly as possible because this enables them to take remedial measures to reduce the risk of fraud. An experienced data breach lawyer can assist victims of the Gifted Healthcare data breach in assessing their options and determining whether they may have a legal claim against the company.