A management firm serving nursing homes in four states has avoided a class-action lawsuit related to a 2021 data breach.
A federal judge ruled this week that NHS Management wasn’t subject to a federal class action suit initiated by a former employee because she didn’t prove other plaintiffs would be citizens of multiple states.
Both lead plaintiff Shymikka Griggs and NHS are based in Alabama. Without other claimants who are citizens of other states, US District Court Judge R. David Proctor of the US District Court for the Northern District of Alabama ruled that his court did not have jurisdiction.
Without being asked, he tossed the case and it will not advance unless Grigg can produce new claimants from other states by July 21.
The case hinges on a February 2021 data breach that affected more than 500 people, Griggs among them. She was notified, along with employees, vendors and residents in other states. But the court said that fact wasn’t enough to make a leap as to their citizenship or their willingness to sign on to Griggs’ suit.
“The mere fact that NHS serves facilities in states other than Alabama or Delaware [where it is incorporated] is insufficient to establish the citizenship of any putative class member, especially when Plaintiff has not specifically identified any putative plaintiffs,” Proctor wrote. He said Griggs had “not met her burden to establish the existence of subject matter jurisdiction” under the Class Action Fairness Act.
NHS reported the breach after it was discovered in May 2021, calling the unauthorized access “a sophisticated cyberattack.” A third-party forensic team hired by the company investigated and found someone had entered more than one system and accessed information stored there.
A voicemail seeking comment from an NHS executive was not returned by deadline.
The company previously said a full review determined that “certain personal information,” such as medical history, Social Security numbers, birthdates and more, was included in documents affected by the breach. But the company said hackers had not been able to access its electronic medical records database used for patients.
It notified potential victims, including Griggs, in April 2022.
Griggs took legal action the next month, claiming NHS was responsible for the data breach “because of its failure to follow industry standard practices for securing sensitive Information. She alleged that NHS “inadequately trains its employees on cybersecurity policies, fails to enforce those policies, or maintains unreasonable or inadequate security practices and systems.”
Griggs had expected the value of class-action claims to surpass $5 million, according to Proctor’s ruling.
