Advanced Data Processing, Inc. and Intermedix Corp. were sued in federal court in Florida last week for violating the Health Insurance Portability and Accountability Act (HIPAA) for failing to protect the health information of “potentially millions” of individuals.

Plaintiffs allege that for several months in 2012, an employee of Intermedix viewed health information of patients that used ambulances without authorization. This information, including patients names, dates of birth, Social Security numbers and health insurance information was then given or sold to others who used the stolen information to file fraudulent tax returns with the IRS and obtain refunds.

Significantly, plaintiffs allege that they were not told of the incident, and that Intermedix merely posted a notice about the incident on its website in 2014 that was not prominent on the website. Plaintiffs allege this did not constitute notice as most of the members of the proposed class did not have a relationship with Intermedix, which processes claims for health care providers. The named plaintiff was taken by an ambulance to a hospital in California in 2012, but did not learn of the incident until April of 2015. He alleges that he has been the victim of identity theft as a result of the incident.

Plaintiffs immediately moved to certify the class and the Judge denied the Motion the next day saying it was premature.