Maxim Healthcare Data Breach Subject of Milberg Lawsuit

Class action attorneys for Milberg Coleman Bryson Phillips Grossman PLLC (Milberg) have filed a lawsuit over a 2021 Maxim Healthcare Services, Inc. data breach that exposed the private information of more than 65,000 individuals.

The lawsuit alleges that the data breach was not only preventable—and resulted directly from Maxim’s failure to implement adequate and reasonable cybersecurity measures—but also that Maxim waited nearly a year to notify data breach victims. It seeks a range of damages, including compensatory damages for identity theft and fraud, and the establishment of a California class.

2021 Data Breach Exposed Records of 65,000+ Patients

Maxim is a national healthcare provider offering skilled nursing, physical rehabilitation, companion care, respite care, and behavioral care for individuals with chronic and acute illnesses and disabilities. The Maryland corporation has 147 locations across the country and has been in business for more than 30 years.

After failing to determine the source of the data breach, Maxim waited at least 335 days before beginning to send notification letters to affected individuals and notifying regulatory authorities of the breach.

In December 2020, Maxim “became aware of unusual activity related to several employees’ email accounts,” the company said in a Notice of Data Privacy Incident posted on its website. An internal investigation revealed that, between October 1, 2020 and December 4, 2020, some of its employees’ email accounts were “accessed without authorization.” Maxim then hired outside forensic experts to further investigate the incident. However, investigators were unable to determine the exact source of the unauthorized access.

Upon further review, Maxim determined that the personal information of 65,267 individuals “may have been accessible to an unauthorized actor,” including the following information:

• Name, address, and date of birth
• Contact information
• Medical history
• Medical condition/treatment information
• Medical record number
• Diagnosis code
• Patient account number
• Medicare/Medicaid number
• Username/password
• Social Security number

Maxim Failed to Protect Patients’ Private Information, Suit Claims

Maxim had a legal duty to keep the private information of its patients confidential and protect that information from unauthorized access and disclosure—a duty that it disregarded, claims Milberg’s class action lawsuit filed in California Superior Court for the County of San Diego.

Maxim states on its website that it “takes the security of personal information very seriously.” But Maxim’s privacy statements and representations are at odds with its actual conduct in regards to the safeguarding of personal information it was trusted with.

As a direct and proximate result of Defendant’s conduct, Plaintiff and Class Members have been placed at an imminent, immediate, and continuing increased risk of harm from fraud and medical identity theft, states Milberg’s lawsuit.

Milberg makes the case in its complaint that Maxim failed to implement rudimentary industry-standard cybersecurity measures, including keeping the private information that it handled in unencrypted form and not using multi-factor authentication for employee email accounts. These security failures are especially glaring given that the healthcare sector faces a higher threat of security breaches due to the high value of medical information to cybercriminals.

“Defendant knew or should have known its security systems were inadequate, particularly in light of the prior data breaches experienced by similar companies, and yet Defendant failed to take reasonable precautions to safeguard Plaintiff’s and Class Members’ Private Information,” states the complaint.

In addition, Maxim waited at least 335 days before beginning to send notification letters to affected individuals and notifying regulatory authorities of the data breach, in violation of its legal data breach notification duties.

“As a direct and proximate result of Defendant’s conduct, Plaintiff and Class Members have been placed at an imminent, immediate, and continuing increased risk of harm from fraud and medical identity theft,” the complaint adds.

California Class, Compensatory Damages Sought

The lead plaintiff in the case is a San Diego resident who has received in-home care from Maxim since 2015 and received notification of the data breach in November 2021. He and other victims of the breach now face increased and ongoing risk of harm from fraud and medical identify theft, states Milberg’s lawsuit, which proposes a class consisting of:

All persons residing in the State of California whose Private Information was compromised, accessed, or viewed in the data breach first announced by Maxim on or about November 4, 2021.

Plaintiff and the class members seek remedies that include:

• Statutory and nominal damages
• Compensatory damages (for identity theft, fraud, and time spent monitoring their financial and medical accounts)
• Reimbursement of out-of-pocket costs
• Credit monitoring services
• Injunctive relief (addressing improvements to Maxim’s data security system and practices)
• Attorneys’ fees and litigation expenses

Milberg: A National Leader in Consumer Protection

More than 50 years ago, Milberg pioneered class action litigation and set a new standard for standing up to corporate power. Today, the firm remains a national leader in class action and data breach lawsuits, with a track record of successfully defending consumers’ data and privacy rights against companies like Anthem, Capital One, Equifax, Facebook, Google, and Yahoo.

To keep up with this case and all firm news, follow us on Facebook and Twitter. To discuss a possible violation of your data privacy rights, please contact us.