Recently, Omnicell, Inc. confirmed that the company experienced a data breach after following what the company has characterized as a ransomware attack. The company only recently learned of the ransomware attack, which it disclosed in a May 9, 2022, 10-Q filing with the Securities and Exchange Commission. More details are expected to emerge in the coming weeks.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Omnicell data breach, please see our recent piece on the topic here.
What We Know About the Omnicell Data Breach
Very little is known about the Omnicell breach at this point because the company only learned of the ransomware attack leading to the breach on May 4, 2022. However, five days later, in the company’s quarterly 10-Q filing, Omnicell reports that “Our IT systems and third-party cloud services are potentially vulnerable to cyber-attacks, including ransomware, or other data security incidents, by employees or others, which may expose sensitive data to unauthorized persons. On May 4, 2022, we determined that certain of our information technology systems were affected by ransomware impacting certain internal systems.”
The company goes on to explain the potential impact of the breach: “Data security incidents could lead to the loss of trade secrets or other intellectual property, or to the public exposure of sensitive and confidential information of our employees, customers, suppliers, and others.”
As of May 15, 2022, it does not appear as though Omnicell has posted official notice of the breach on its website. However, as the company learns more about the incident through its investigation, more information about the Omnicell breach should be made available.
Omnicell, Inc. is a healthcare technology company based in Mountain View, California. The company develops automated systems for medication management in various healthcare settings, as well as medication adherence packaging and patient engagement software that is used by retail pharmacies. Omnicell’s products are marketed under the brand names Omnicell and EnlivenHealth. Omnicell employs more than 3,800 people and generates approximately $1 billion in annual revenue.
Are Companies Required to Report Data Breaches?
Yes, all 50 states and the District of Columbia have laws on the books requiring companies to provide notice of a data breach to those whose information was compromised in a breach. However, not every data breach falls within these notification laws. For example, most states’ laws only require companies to disclose breaches that affect consumers’ personally identifiable information.
Notably, however, there is not currently a federal data breach notification law. Thus, whether a company must report a breach depends on the state where they operate. This can cause confusion about when a company needs to report a breach because every state is able to define what constitutes “personally identifiable information” under its laws. Thus, a breach that must be reported in one state may not need to be reported in another.
Typically, the goal of a data breach notification requirement is twofold. First, providing a data breach notification letter to an individual whose information was compromised gives them the opportunity to mitigate the potential harms associated with the breach. In most cases, this includes identity theft and other frauds.
The second goal of data breach notification laws is to encourage companies to take data security seriously. The argument goes, companies that know they must report a data breach are more likely to take the necessary steps to prevent a breach in the first place.
If you were impacted by a recent data breach and want to learn more about your rights and potential remedies, reach out to a data breach lawyer for assistance.
