United States District Court for the Northern District of Georgia
Class Action Complaint
Case: 1:26-cv-03158-MHC
Bryson attorneys are furthering a complaint that ERMI, a medical device company, failed to secure and safeguard the personal identifiable information and protected health information of patients.
Background
ERMI is a medical device company that partners with healthcare professionals to provide patients with home-based rehabilitative devices and programs designed to restore joint mobility following surgery. ERMI collects, stores, and maintains the personal identifiable and protected health information of individuals. ERMI is required to implement reasonable safeguards to protect such information from unauthorized access and disclosure.
ERMI learned that an unauthorized actor may have gained access to a limited number of its employee email accounts, and accessed, and may have removed, files within company’s systems that may have contained the private information of patients.
ERMI notified affected individuals 15 months after the unauthorized access began, and 10 months after the incident was first discovered.
According to ERMI’s own notice of the data breach, the categories of private information involved in the incident included name, social security number, driver’s license number, financial account information, payment card information, date of birth, medical and diagnostic information, medical record number, patient number, dates of service, and health insurance information.
As a direct and proximate result of ERMI’s failure to implement and maintain reasonable data security, patients have suffered injury, including the loss of control over their private information, the present and continuing risk of identity theft and fraud, lost time responding to the data breach, diminution in the value of their private information, loss of privacy, and the costs of mitigation, and remain at heightened risk of harm for years to come.
Plaintiffs bring this action to recover damages and to obtain equitable relief, including injunctive and declaratory relief, requiring ERMI to adopt and maintain reasonable data-security measures, to provide adequate notice and identity-monitoring services, and to compensate plaintiffs and class members for the harm caused by the data breach.
Bryson attorney: Scott Harris