A class action lawsuit has been filed against Phreesia, Inc., accusing the software company of failing to protect sensitive patient data, resulting in a significant data breach.
The complaint was filed on December 16, 2024, in the U.S. District Court for the Eastern District of New York by Martin Gerber, representing the estate of Phyllis Gerber and others similarly affected.
The lawsuit alleges that Phreesia, a healthcare software provider, neglected its duty to safeguard personal identifiable information (PII) and protected health information (PHI) collected through its subsidiary ConnectOnCall.com.
This negligence allegedly led to a breach between February and May 2024 when cybercriminals accessed and locked down servers using ransomware. The breach exposed sensitive data, including legal names, demographic details, and health information of patients nationwide.
Despite detecting unusual activity on May 12, 2024, Phreesia reportedly took over ten months to notify affected individuals.
Gerber claims the breach has caused significant harm, including loss of PII value, time spent addressing the breach’s consequences, potential identity theft risks, and other damages. He seeks actual damages, punitive damages, restitution, and statutory damages under New York General Business Law §349 for deceptive practices.
Additionally, Gerber demands injunctive relief requiring Phreesia to strengthen its cybersecurity protocols and provide three years of identity theft protection for affected individuals.
Gerber is represented by attorneys Jason P. Sultzer and Scott E. Silberfein from Sultzer & Lipari PLLC, along with Jeffrey K. Brown and Blake Hunter Yagman from Leeds Brown Law PC. The case is being heard under Case ID 2:24-cv-08585.