Case 1:21-cv-00404-KD-M Document 1 Filed 09/20/21 Page 1 of 62 PageID #: 1

IN THE UNITED STATES DISTRICT COURT
FOR THE SOUTHERN DISTRICT OF ALABAMA
MOBILE DIVISION

TAMMY PHILLIPS, LOUIS LUMPKIN and ANTONIA FOXWORTH, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

COASTAL FAMILY HEALTH CENTER,

Defendant.

Case No. ____________

CLASS ACTION COMPLAINT
JURY TRIAL DEMANDED

CLASS ACTION COMPLAINT

Plaintiffs, TAMMY PHILLIPS, LOUIS LUMPKIN and ANTONIA FOXWORTH (the “Plaintiffs”), individually and on behalf of all others similarly situated, bring this action against Defendant COASTAL FAMILY HEALTH CENTER (“Coastal Family” or “Defendant”) to obtain damages, restitution, and injunctive relief for the Class, as defined below, from Defendant. Plaintiffs make the following allegations upon information and belief, except as to their own actions, the investigation of their counsel, and the facts that are a matter of public record.

NATURE OF THE ACTION

1. This class action arises out of the recent ransomware attack and data breach that was perpetrated against Defendant Coastal Family, a not-for-profit community health center servicing southern Mississippi (the “Data Breach”). The Data Breach resulted in unauthorized access and exfiltration of highly sensitive and personal information (the “Private Information”).

2. As a result of the Data Breach, Plaintiffs and approximately 62,342 Class Members[1] suffered present injury and damages in the form of identity theft, out-of-pocket expenses and the value of the time reasonably incurred to remedy or mitigate the effects of the unauthorized access, exfiltration, and subsequent criminal misuse of their sensitive and highly personal information.

[1] See Cases Currently Under Investigation, Office for Civil Rights, U.S. Dept. of Health and Human Services, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited Sept. 15, 2021).

3. The Private Information compromised in the Data Breach included names, addresses, Social Security numbers, health insurance information, and health and treatment information. The healthcare-specific data compromised is protected health information (“PHI”) as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and information such as Plaintiff’s Social Security number is deemed personally identifiable information (“PII”).

4. Plaintiffs bring this class action lawsuit on behalf of those similarly situated to address Defendant’s inadequate safeguarding of Class Members’ Private Information that it collected and maintained, and for failing to provide timely and adequate notice to Plaintiffs and other Class Members that their information had been subject to the unauthorized access of a third party.

5. Upon information and belief, Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant’s computer system and network in a condition vulnerable to cyberattacks.

6. Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to Defendant, and thus Defendant was on notice of the need to take the steps necessary to secure the Private Information from the risk of a ransomware attack.

7. Plaintiff’s and Class Members’ identities are now at considerable risk because of Defendant’s negligent conduct, since the PII and PHI that Coastal Family collected and maintained is now in the hands of data thieves.

8. Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes, including but not limited to fraudulently applying for unemployment benefits, opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ names to obtain medical services, using Class Members’ health information to target other phishing and hacking intrusions based on their individual health needs, using Class Members’ information to obtain government benefits (including unemployment or COVID relief benefits), filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph, and providing false information to police during an arrest.

9. As a result of the Data Breach, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. As a result of Defendant’s actions and inactions, as set forth herein, Plaintiffs and Class Members must now and in the future closely monitor their financial and medical accounts and information to guard against identity theft, among other issues.

10. Plaintiffs and Class Members have incurred and may in the future incur actual monetary costs, including but not limited to the cost of purchasing credit monitoring services, credit freezes, credit reports or other protective measures to deter and detect identity theft.

11. Plaintiffs and Class Members have expended and may in the future expend time mitigating the effects of the Data Breach, including time spent dealing with actual or attempted fraud and identity theft.

12. By their Complaint, Plaintiffs seek to remedy these harms on behalf of themselves and all similarly situated individuals whose PII and PHI was accessed during the Data Breach.

13. Plaintiffs seek remedies including, but not limited to, compensatory damages, nominal damages, exemplary damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits and adequate credit monitoring services funded by Defendant.

14. As a result of the Data Breach, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiffs and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

15. Plaintiffs seek remedies including, but not limited to, compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.

16. Accordingly, Plaintiffs bring this action against Defendant seeking redress for its unlawful conduct and assert a claim for negligence.

PARTIES

17. Plaintiff TAMMY PHILLIPS is, and at all times mentioned herein was, an individual citizen of the State of Alabama residing in the City of Citronelle in Mobile County.

18. Plaintiff LOUIS LUMPKIN is, and at all times mentioned herein was, an individual citizen of the State of Mississippi residing in the City of Gulfport in Harrison County.

19. Plaintiff ANTONIA FOXWORTH is, and at all times mentioned herein was, an individual citizen of the State of Mississippi residing in the City of Gulfport in Harrison County.

20. Defendant Coastal Family is a federally qualified community health center established in 1976 as a 501c private, not-for-profit corporation with its principal place of business at 1046 Division Street, Biloxi, Mississippi 39530.

JURISDICTION AND VENUE

21. This Court has subject matter jurisdiction over this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2). There are at least 100 putative Class Members, the aggregated claims of the individual Class Members exceed the sum or value of $5,000,000 exclusive of interest and costs, and members of the proposed Class are citizens of states different from Defendant.

22. This Court has personal jurisdiction over Defendant Coastal Family as it regularly engages in business with citizens of Alabama, communicates through the United States Postal Service in Alabama with them about their healthcare, communicates through the United States Postal Service with them in Alabama about the data breach described herein, and places phone calls to citizens of Alabama, rendering the exercise of personal jurisdiction by this Court proper and necessary.

23. Venue is proper because a substantial part of the events and omissions giving rise to these claims occurred in this District.

THE RANSOMWARE ATTACK AND DATA BREACH

24. A ransomware attack uses a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker.[2]

[2] See What is Ransomware?, Proofpoint, https://www.proofpoint.com/us/threat-reference/ransomware (last accessed Aug. 9, 2021).

25. On or about June 4, 2021, Defendant learned that an unauthorized actor had attempted to deploy ransomware to encrypt its system and copied files.[3]

[3] Data Security Incident, Coastal Family, https://coastalfamilyhealth.org/patient-data-breach-notice/ (last accessed Sept. 15, 2021).

26. Defendant engaged a forensic investigation firm to determine the nature and scope of this incident.

27. Defendant determined that the ransomware was introduced by an unknown individual or individuals outside of its organization who gained access to part of its network where Defendant stored files that contained employee information and the confidential patient information of its patients.[4]

[4] Id.

28. Defendant’s investigation further determined that, as a result of this incident, certain personal or protected health information was compromised, including names, addresses, Social Security numbers, health insurance information, and health and treatment information.[5]

[5] Id.

29. The investigation revealed that 62,342 individuals were impacted by the Data Breach.[6]

[6] Supra, note 1.

30. Defendant openly admits that the PII and PHI of Plaintiffs and Class Members was accessed without authorization.[7]

[7] Supra, note 3.

31. Due to Defendant’s incompetent security measures, Plaintiffs and the Class Members now face an increased risk of fraud and identity theft and must deal with that threat forever.

32. Defendant has obligations created by HIPAA, industry standards and common law, to keep Class Members’ Private Information confidential and to protect it from unauthorized access and disclosure.

33. Defendant’s data security obligations were particularly important given the substantial increase in ransomware attacks and/or data breaches in the healthcare industry preceding the date of the breach.

34. Indeed, ransomware attacks, such as the one experienced by Defendant, have become so notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack.

35. Therefore, the increase in such attacks, and attendant risk of future attacks, was widely known to the public and to anyone in Defendant’s industry, including Defendant.

36. Defendant breached its obligations to Plaintiffs and Class Members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard its computer systems and the data. Defendant’s unlawful conduct includes, but is not limited to, the following acts and/or omissions:

a. Failing to maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks;

b. Failing to adequately protect the Private Information of its employees and the confidential patient information of its clients;

c. Failing to properly monitor its own data security systems for existing intrusions;

d. Failing to ensure that vendors with access to Coastal Family’s protected health data employed reasonable security procedures;

e. Failing to ensure the confidentiality and integrity of electronic PHI it created, received, maintained, and/or transmitted, in violation of 45 C.F.R. § 164.306(a)(1);

f. Failing to implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights, in violation of 45 C.F.R. § 164.312(a)(1);

g. Failing to implement policies and procedures to prevent, detect, contain, and correct security violations, in violation of 45 C.F.R. § 164.308(a)(1)(i);

h. Failing to implement procedures to review records of information system activity regularly, such as audit logs, access reports, and security incident tracking reports, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D);

i. Failing to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI, in violation of 45 C.F.R. § 164.306(a)(2);

j. Failing to protect against reasonably anticipated uses or disclosures of electronic PHI that are not permitted under the privacy rules regarding individually identifiable health information, in violation of 45 C.F.R. § 164.306(a)(3);

k. Failing to ensure compliance with HIPAA security standard rules by Defendant’s workforce, in violation of 45 C.F.R. § 164.306(a)(4);

l. Failing to train all members of Defendant’s workforce effectively on the policies and procedures regarding PHI as necessary and appropriate for the members of its workforce to carry out their functions and to maintain security of PHI, in violation of 45 C.F.R. § 164.530(b);

m. Failing to render the electronic PHI it maintained unusable, unreadable, or indecipherable to unauthorized individuals, as it had not encrypted the electronic PHI as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption);

n. Failing to comply with FTC guidelines for cybersecurity, in violation of Section 5 of the FTC Act; and/or

o. Failing to adhere to industry standards for cybersecurity.

37. As the result of computer systems in need of security upgrading, inadequate procedures for handling emails containing ransomware or other malignant computer code, and inadequately trained employees who opened files containing the ransomware virus, Defendant negligently and unlawfully failed to safeguard Plaintiff’s and Class Members’ Private Information.

38. Accordingly, as outlined below, Plaintiff’s and Class Members’ daily lives were severely disrupted. What’s more, they now face an increased risk of fraud and identity theft.

RANSOMWARE ATTACKS AND DATA BREACHES CAUSE DISRUPTION AND PUT CONSUMERS AT AN INCREASED RISK OF FRAUD AND IDENTITY THEFT

39. Ransomware attacks such as this one are especially problematic because of the disruption they cause to the overall daily lives of victims affected by the attack.

40. Ransomware attacks also constitute data breaches in the traditional sense. For example, in a ransomware attack on the Florida city of Pensacola, and while the City was still recovering from the ransomware attack, hackers released 2GB of data files from the total 32GB of data that they claimed was stolen prior to encrypting the City’s network with the Maze ransomware. In the statement given to a news outlet, the hackers said, “This is the fault of mass media who writes that we don’t exfiltrate data….”[8]

[8] Pensacola Ransomware: Hackers Release 2GB Data as a Proof, Cisomag (Dec. 27, 2019), https://www.cisomag.com/pensacola-ransomware-hackers-release-2gb-data-as-a-proof/.

41. Also, in a ransomware advisory, the Department of Health and Human Services informed entities covered by HIPAA that “when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information).”[9]

[9] See Fact Sheet: Ransomware and HIPAA, Health and Human Services, https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf (last accessed August 9, 2021).

42. Ransomware attacks are also considered a breach under the HIPAA Rules because there is an access of PHI not permitted under the HIPAA Privacy Rule:

A breach under the HIPAA Rules is defined as, “...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.40.

43. Other security experts agree that when a ransomware attack occurs, a data breach does as well, because such an attack represents a loss of control of the data within a network.[10]

[10] See Sung J. Choi et al., Data Breach Remediation Efforts and Their Implications for Hospital Quality, 54 Health Services Research 971, 971-980 (2019). Available at https://onlinelibrary.wiley.com/doi/full/10.1111/1475-6773.13203.

44. Ransomware attacks are also Security Incidents under HIPAA because they impair both the integrity (data is not interpretable) and availability (data is not accessible) of patient health information:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).[11]

[11] Supra, note 13.

Defendant Fails to Comply with FTC Guidelines

45. The Federal Trade Commission (“FTC”) has promulgated numerous guides for businesses which highlight the importance of implementing reasonable data security practices. According to the FTC, the need for data security should be factored into all business decision-making.

46. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established cyber-security guidelines for businesses. These guidelines note that businesses should protect the personal customer information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies to correct any security problems.[12]

[12] Protecting Personal Information: A Guide for Business, Federal Trade Commission (2016). Available at https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf (last visited Aug. 9, 2021).

47. The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.[13]

[13] Id.

48. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.

49. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

50. These FTC enforcement actions include actions against healthcare entities like Defendant. See, e.g., In the Matter of LabMD, Inc., A Corp, 2016-2 Trade Cas. (CCH) ¶ 79708, 2016 WL 4128215, at *32 (MSNET July 28, 2016) (“[T]he Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice in violation of Section 5 of the FTC Act.”)

51. Defendant failed to properly implement basic data security practices.

52. Defendant’s failure to employ reasonable and appropriate measures to protect against unauthorized access to the patient PII and PHI of its medical practice customers constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

53. Upon information and belief, Defendant was at all times fully aware of its obligation to protect the patient PII and PHI of its medical practice customers. Defendant was also aware of the significant repercussions that would result from its failure to do so.

Defendant Fails to Comply with Industry Standards

54. As noted above, experts studying cyber security routinely identify healthcare providers as being particularly vulnerable to cyberattacks because of the value of the PII and PHI which they collect and maintain.

55. Several best practices have been identified that at a minimum should be implemented by healthcare providers like Defendant, including but not limited to: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable without a key; multi-factor authentication; backup data and limiting which employees can access sensitive data. Defendant failed to follow these industry best practices, including a failure to implement multi-factor authentication.

56. Other best cybersecurity practices that are standard in the healthcare industry include installing appropriate malware detection software; monitoring and limiting the network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches and routers; monitoring and protection of physical security systems; protection against any possible communication system; training staff regarding critical points. Defendant failed to follow these cybersecurity best practices, including failure to train staff.

57. Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness.

58. These foregoing frameworks are existing and applicable industry standards in the healthcare industry, and Defendant failed to comply with these accepted standards, thereby opening the door to the cyber incident and causing the data breach.

Defendant’s Conduct Violates HIPAA and Evidences Its Insufficient Data Security

59. HIPAA requires covered entities and the business associates of covered entities to protect against reasonably anticipated threats to the security of sensitive patient health information.

60. Defendant Coastal Family is a business associate of a “covered entity” under HIPAA. Business associates of covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Safeguards must include physical, technical and administrative components.

61. Title II of HIPAA contains what are known as the Administrative Simplification provisions. 42 U.S.C. §§ 1301, et seq. These provisions require, among other things, that the Department of Health and Human Services (“HHS”) create rules to streamline the standards for handling PII like the data Defendant left unguarded. The HHS subsequently promulgated multiple regulations under authority of the Administrative Simplification provisions of HIPAA. These rules include 45 C.F.R. § 164.306(a)(1-4); 45 C.F.R. § 164.312(a)(1); 45 C.F.R. § 164.308(a)(1)(i); 45 C.F.R. § 164.308(a)(1)(ii)(D), and 45 C.F.R. § 164.530(b).

62. A Data Breach such as the one Defendant experienced is considered a breach under the HIPAA Rules because there is an access of PHI not permitted under the HIPAA Privacy Rule:

A breach under the HIPAA Rules is defined as, “...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.40.

63. Defendant’s Data Breach resulted from a combination of insufficiencies that demonstrate Coastal Family failed to comply with safeguards mandated by HIPAA regulations.

Cyberattacks and Data Breaches Cause Disruption and Put Consumers at an Increased Risk of Fraud and Identity Theft

64. Cyberattacks and data breaches at business associates of healthcare providers, like Defendant, are especially problematic because they can negatively impact the overall daily lives of individuals affected by the attack.

65. The United States Government Accountability Office released a report in 2007 regarding data breaches (“GAO Report”) in which it noted that victims of identity theft will face “substantial costs and time to repair the damage to their good name and credit record.”[14]

[14] See U.S. Gov. Accounting Office, GAO-07-737, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (2007). Available at https://www.gao.gov/new.items/d07737.pdf.

66. That is because any victim of a data breach is exposed to serious ramifications regardless of the nature of the data. Indeed, the reason criminals steal personally identifiable information is to monetize it. They do this by selling the spoils of their cyberattacks on the black market to identity thieves who desire to extort and harass victims, or to take over victims’ identities in order to engage in illegal financial transactions under the victims’ names.

67. Because a person’s identity is akin to a puzzle, the more accurate pieces of data an identity thief obtains about a person, the easier it is for the thief to take on the victim’s identity or otherwise harass or track the victim. For example, armed with just a name and date of birth, a data thief can utilize a hacking technique referred to as “social engineering” to obtain even more information about a victim’s identity, such as a person’s login credentials or Social Security number. Social engineering is a form of hacking whereby a data thief uses previously acquired information to manipulate individuals into disclosing additional confidential or personal information through means such as spam phone calls and text messages or phishing emails.

68. The FTC recommends that identity theft victims take several steps to protect their personal and financial information after a data breach, including contacting one of the credit bureaus to place a fraud alert (consider an extended fraud alert that lasts for 7 years if someone steals their identity), reviewing their credit reports, contacting companies to remove fraudulent charges from their accounts, placing a credit freeze on their credit and correcting their credit reports.[15]

[15] See IdentityTheft.gov, Federal Trade Commission, https://www.identitytheft.gov/Steps (last visited Aug. 9, 2021).

69. Identity thieves use stolen personal information such as Social Security numbers for a variety of crimes, including credit card fraud, phone or utilities fraud and bank/finance fraud.

70. Identity thieves can also use Social Security numbers to obtain a driver’s license or official identification card in the victim’s name but with the thief’s picture; use the victim’s name and Social Security number to obtain government benefits or file a fraudulent tax return using the victim’s information.

71. In addition, identity thieves may obtain a job using the victim’s Social Security number, rent a house or receive medical services in the victim’s name, and may even give the victim’s personal information to police during an arrest resulting in an arrest warrant being issued in the victim’s name.

72. A study by Identity Theft Resource Center shows the multitude of harms caused by fraudulent use of personal and financial information:[16]

[16] See Jason Steele, Credit Card and ID Theft Statistics, CreditCards.com (Oct. 23, 2020), https://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php.

73. Moreover, theft of Private Information is gravely serious; PII and PHI is an extremely valuable property right.[17]

[17] See, e.g., John T. Soma, et al., Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value” of Financial Assets, 15 Rich. J.L. & Tech. 11, at *3-4 (2009) (“PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets.”) (citations omitted).

74. Its value is axiomatic, considering the value of “big data” in corporate America and the fact that the consequences of cyber thefts include heavy prison sentences. Even this obvious risk to reward analysis illustrates beyond doubt that Private Information has considerable market value.

75. Theft of PHI, in particular, is gravely serious: “[a] thief may use your name or health insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care. If the thief’s health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected.”[18]

76. Drug manufacturers, me