What Happened
In August 2021, QRS Inc., a Tennessee-based healthcare technology vendor providing electronic health record services and patient portals, suffered a cyberattack where an unauthorized actor accessed a dedicated patient portal server from August 23 to 26, potentially stealing protected health information (PHI) of 319,778 patients across U.S. and Canadian healthcare providers. The exposed data varied by individual but included names, addresses, dates of birth, Social Security numbers, patient identification numbers, portal usernames, medical treatments, and diagnoses; the breach was isolated to that server, with no impact on other QRS or client systems. QRS discovered the incident on August 26, immediately took the server offline, notified law enforcement, and engaged forensic experts, later reporting it to HHS on October 22 and beginning patient notifications with free identity theft protection for those with compromised SSNs. The event prompted class-action lawsuits alleging negligence in security measures, unencrypted data storage, and delayed notifications.