IN THE UNITED STATES DISTRICT COURT
FOR THE SOUTHERN DISTRICT OF ALABAMA
MOBILE DIVISION

TAMMY PHILLIPS, LOUIS LUMPKIN
and ANTONIA FOXWORTH,
individually and on behalf of all others
similarly situated,
Plaintiffs,

v.

COASTAL FAMILY HEALTH
CENTER,

Defendant.

Case No. ____________

CLASS ACTION COMPLAINT
JURY TRIAL DEMANDED

CLASS ACTION COMPLAINT

Plaintiffs, TAMMY PHILLIPS, LOUIS LUMPKIN and ANTONIA FOXWORTH (the “Plaintiffs”), individually and on behalf of all others similarly situated, bring this action against Defendant COASTAL FAMILY HEALTH CENTER (“Coastal Family” or “Defendant”) to obtain damages, restitution, and injunctive relief for the Class, as defined below, from Defendant. Plaintiffs make the following allegations upon information and belief, except as to their own actions, the investigation of their counsel, and the facts that are a matter of public record.

NATURE OF THE ACTION

1

Case 1:21-cv-00404-KD-M Document 1 Filed 09/20/21 Page 2 of 62 PageID #: 2
`
1. This class action arises out of the recent ransomware attack and data breach that was perpetrated against Defendant Coastal Family, a not-for-profit community health center serving southern Mississippi (the “Data Breach”). The Data Breach resulted in unauthorized access to and exfiltration of highly sensitive and personal information (the “Private Information”).

2. As a result of the Data Breach, Plaintiffs and approximately 62,342 Class Members1 suffered present injury and damages in the form of identity theft, out-of-pocket expenses and the value of the time reasonably incurred to remedy or mitigate the effects of the unauthorized access, exfiltration, and subsequent criminal misuse of their sensitive and highly personal information.

3. The Private Information compromised in the Data Breach included names, addresses, Social Security numbers, health insurance information, and health and treatment information. The healthcare-specific data compromised is protected health information (“PHI”) as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and information such as Plaintiffs’ Social Security numbers is deemed personally identifiable information (“PII”).

4. Plaintiffs bring this class action lawsuit on behalf of those similarly situated to address Defendant’s inadequate safeguarding of Class Members’ Private Information that it collected and maintained, and for failing to provide timely and adequate notice to Plaintiffs and other Class Members that their information had been subject to the unauthorized access of a third party.

1 See Cases Currently Under Investigation, Office for Civil Rights, U.S. Dept. of Health and Human Services, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited Sept. 15, 2021).
`
5. Upon information and belief, Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant’s computer system and network in a condition vulnerable to cyberattacks.

6. Upon information and belief, the mechanism of the cyberattack and the potential for improper disclosure of Plaintiffs’ and Class Members’ Private Information was a known risk to Defendant, and thus Defendant was on notice that it needed to take the steps necessary to secure the Private Information from the risk of a ransomware attack.

7. Plaintiffs’ and Class Members’ identities are now at considerable risk because of Defendant’s negligent conduct, since the PII and PHI that Coastal Family collected and maintained is now in the hands of data thieves.

8. Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes, including but not limited to fraudulently applying for unemployment benefits, opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ names to obtain medical services, using Class Members’ health information to target other phishing and hacking intrusions based on their individual health needs, using Class Members’ information to obtain government benefits (including unemployment or COVID relief benefits), filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph, and providing false information to police during an arrest.
`
9. As a result of the Data Breach, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. As a result of Defendant’s actions and inactions, as set forth herein, Plaintiffs and Class Members must now and in the future closely monitor their financial and medical accounts and information to guard against identity theft, among other issues.

10. Plaintiffs and Class Members have incurred and may in the future incur actual monetary costs, including but not limited to the cost of purchasing credit monitoring services, credit freezes, credit reports or other protective measures to deter and detect identity theft.

11. Plaintiffs and Class Members have spent and may in the future spend time mitigating the effects of the Data Breach, including time spent dealing with actual or attempted fraud and identity theft.
`
12. By their Complaint, Plaintiffs seek to remedy these harms on behalf of themselves and all similarly situated individuals whose PII and PHI was accessed during the Data Breach.

13. Plaintiffs seek remedies including, but not limited to, compensatory damages, nominal damages, exemplary damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits and adequate credit monitoring services funded by Defendant.

14. As a result of the Data Breach, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiffs and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

15. Plaintiffs seek remedies including, but not limited to, compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.

16. Accordingly, Plaintiffs bring this action against Defendant seeking redress for its unlawful conduct and assert a claim for negligence.

PARTIES
`
17. Plaintiff TAMMY PHILLIPS is, and at all times mentioned herein was, an individual citizen of the State of Alabama residing in the City of Citronelle in Mobile County.

18. Plaintiff LOUIS LUMPKIN is, and at all times mentioned herein was, an individual citizen of the State of Mississippi residing in the City of Gulfport in Harrison County.

19. Plaintiff ANTONIA FOXWORTH is, and at all times mentioned herein was, an individual citizen of the State of Mississippi residing in the City of Gulfport in Harrison County.

20. Defendant Coastal Family is a federally qualified community health center established in 1976 as a 501(c) private, not-for-profit corporation with its principal place of business at 1046 Division Street, Biloxi, Mississippi 39530.

JURISDICTION AND VENUE

21. This Court has subject matter jurisdiction over this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2). There are at least 100 putative Class Members, the aggregated claims of the individual Class Members exceed the sum or value of $5,000,000 exclusive of interest and costs, and members of the proposed Class are citizens of states different from Defendant.

22. This Court has personal jurisdiction over Defendant Coastal Family as it regularly engages in business with citizens of Alabama, communicates through the United States Postal Service in Alabama with them about their healthcare, communicates through the United States Postal Service with them in Alabama about the data breach described herein, and places phone calls to citizens of Alabama, rendering the exercise of personal jurisdiction by this Court proper and necessary.

23. Venue is proper because a substantial part of the events and omissions giving rise to these claims occurred in this District.
`
THE RANSOMWARE ATTACK AND DATA BREACH

24. Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker; a ransomware attack is the deployment of such software against a victim’s systems.2

25. On or about June 4, 2021, Defendant learned that an unauthorized actor had attempted to deploy ransomware to encrypt its system and had copied files.3

26. Defendant engaged a forensic investigation firm to determine the nature and scope of this incident.

27. Defendant determined that the ransomware was introduced by an unknown individual or individuals outside of its organization who gained access to part of its network where Defendant stored files that contained employee information and the confidential patient information of its patients.4

2 See What is Ransomware?, Proofpoint, https://www.proofpoint.com/us/threat-reference/ransomware (last accessed Aug. 9, 2021).
3 Data Security Incident, Coastal Family, https://coastalfamilyhealth.org/patient-data-breach-notice/ (last accessed Sept. 15, 2021).
`
28. Defendant’s investigation further determined that, as a result of this incident, certain personal or protected health information was compromised, including names, addresses, Social Security numbers, health insurance information, and health and treatment information.5

29. The investigation revealed that 62,342 individuals were impacted by the Data Breach.6

30. Defendant openly admits that the PII and PHI of Plaintiffs and Class Members was accessed without authorization.7

31. Due to Defendant’s incompetent security measures, Plaintiffs and the Class Members now face an increased risk of fraud and identity theft and must deal with that threat forever.

32. Defendant has obligations created by HIPAA, industry standards and common law, to keep Class Members’ Private Information confidential and to protect it from unauthorized access and disclosure.

4 Id.
5 Id.
6 Supra, note 1.
7 Supra, note 3.
`
33. Defendant’s data security obligations were particularly important given the substantial increase in ransomware attacks and/or data breaches in the healthcare industry preceding the date of the breach.

34. Indeed, ransomware attacks, such as the one experienced by Defendant, have become so notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack.

35. Therefore, the increase in such attacks, and the attendant risk of future attacks, was widely known to the public and to anyone in Defendant’s industry, including Defendant.

36. Defendant breached its obligations to Plaintiffs and Class Members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard its computer systems and the data. Defendant’s unlawful conduct includes, but is not limited to, the following acts and/or omissions:
`
a. Failing to maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks;

b. Failing to adequately protect the Private Information of its employees and the confidential patient information of its clients;

c. Failing to properly monitor its own data security systems for existing intrusions;

d. Failing to ensure that vendors with access to Coastal Family’s protected health data employed reasonable security procedures;

e. Failing to ensure the confidentiality and integrity of electronic PHI it created, received, maintained, and/or transmitted, in violation of 45 C.F.R. § 164.306(a)(1);

f. Failing to implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights, in violation of 45 C.F.R. § 164.312(a)(1);

g. Failing to implement policies and procedures to prevent, detect, contain, and correct security violations, in violation of 45 C.F.R. § 164.308(a)(1)(i);

h. Failing to implement procedures to review records of information system activity regularly, such as audit logs, access reports, and security incident tracking reports, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D);

i. Failing to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI, in violation of 45 C.F.R. § 164.306(a)(2);

j. Failing to protect against reasonably anticipated uses or disclosures of electronic PHI that are not permitted under the privacy rules regarding individually identifiable health information, in violation of 45 C.F.R. § 164.306(a)(3);

k. Failing to ensure compliance with HIPAA security standard rules by Defendant’s workforce, in violation of 45 C.F.R. § 164.306(a)(4);

l. Failing to train all members of Defendant’s workforce effectively on the policies and procedures regarding PHI as necessary and appropriate for the members of its workforce to carry out their functions and to maintain security of PHI, in violation of 45 C.F.R. § 164.530(b);

m. Failing to render the electronic PHI it maintained unusable, unreadable, or indecipherable to unauthorized individuals, as it had not encrypted the electronic PHI as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 C.F.R. § 164.304, definition of encryption);

n. Failing to comply with FTC guidelines for cybersecurity, in violation of Section 5 of the FTC Act; and

o. Failing to adhere to industry standards for cybersecurity.
`
37. As the result of computer systems in need of security upgrading, inadequate procedures for handling emails containing ransomware or other malicious computer code, and inadequately trained employees who opened files containing the ransomware, Defendant negligently and unlawfully failed to safeguard Plaintiffs’ and Class Members’ Private Information.

38. Accordingly, as outlined below, Plaintiffs’ and Class Members’ daily lives were severely disrupted. What’s more, they now face an increased risk of fraud and identity theft.

RANSOMWARE ATTACKS AND DATA BREACHES CAUSE DISRUPTION AND PUT CONSUMERS AT AN INCREASED RISK OF FRAUD AND IDENTITY THEFT

39. Ransomware attacks such as this one are especially problematic because of the disruption they cause to the overall daily lives of victims affected by the attack.

40. Ransomware attacks also constitute data breaches in the traditional sense. For example, in a ransomware attack on the Florida city of Pensacola, and while the City was still recovering from the ransomware attack, hackers released 2GB of data files from the total 32GB of data that they claimed was stolen prior to encrypting the City’s network with the Maze ransomware. In the statement given to a news outlet, the hackers said, “This is the fault of mass media who writes that we don’t exfiltrate data….”8
`
41. Also, in a ransomware advisory, the Department of Health and Human Services informed entities covered by HIPAA that “when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information).”9

42. Ransomware attacks are also considered a breach under the HIPAA Rules because there is an access of PHI not permitted under the HIPAA Privacy Rule:

A breach under the HIPAA Rules is defined as, “...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.40.

43. Other security experts agree that when a ransomware attack occurs, a data breach does as well, because such an attack represents a loss of control of the data within a network.10

8 Pensacola Ransomware: Hackers Release 2GB Data as a Proof, Cisomag (Dec. 27, 2019), https://www.cisomag.com/pensacola-ransomware-hackers-release-2gb-data-as-a-proof/.
9 See Fact Sheet: Ransomware and HIPAA, Health and Human Services, https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf (last accessed August 9, 2021).
10 See Sung J. Choi et al., Data Breach Remediation Efforts and Their Implications for Hospital Quality, 54 Health Services Research 971, 971-980 (2019). Available at https://onlinelibrary.wiley.com/doi/full/10.1111/1475-6773.13203.
`
44. Ransomware attacks are also Security Incidents under HIPAA because they impair both the integrity (data is not interpretable) and availability (data is not accessible) of patient health information:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).11

Defendant Fails to Comply with FTC Guidelines

45. The Federal Trade Commission (“FTC”) has promulgated numerous guides for businesses which highlight the importance of implementing reasonable data security practices. According to the FTC, the need for data security should be factored into all business decision-making.

46. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established cyber-security guidelines for businesses. These guidelines note that businesses should protect the personal customer information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies to correct any security problems.12

11 Supra, note 9.
`
47. The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.13
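The two monitoring measures paragraph 47 names (watching for large outbound transfers and for inbound activity that looks like an intrusion attempt), together with the regular review of audit logs and access reports that paragraph 36(h) describes, reduce to simple checks over a firewall's flow records and an authentication log. The following Python script is an added example written for this page; it is not material from the complaint, from Coastal Family, or from the FTC guide cited here. The log lines are constructed, and the internal address ranges, the 500 MB ten-minute egress threshold, and the five-failure login threshold are assumptions that a real deployment would tune to its own baseline.

```python
"""Detection checks over constructed firewall-flow and authentication logs.
Added example; the records, address ranges and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: timestamp, source, destination, bytes sent by source.
# Host 10.0.5.21 pushes about 1.6 GB to one external address in three minutes.
FLOW_LOG = """\
2021-06-03T22:05:11 10.0.5.21 10.0.1.10 8192
2021-06-03T22:06:40 10.0.5.21 203.0.113.9 734003200
2021-06-03T22:09:02 10.0.5.21 203.0.113.9 912261120
2021-06-03T22:10:15 10.0.7.14 198.51.100.44 20480
2021-06-03T22:11:30 10.0.7.14 10.0.1.10 4096
"""

# Constructed authentication records: timestamp, result, user, source address.
# One external source fails six times across four accounts, then succeeds.
AUTH_LOG = """\
2021-06-03T21:58:01 FAIL admin 198.51.100.77
2021-06-03T21:58:03 FAIL admin 198.51.100.77
2021-06-03T21:58:05 FAIL backup 198.51.100.77
2021-06-03T21:58:06 FAIL root 198.51.100.77
2021-06-03T21:58:08 FAIL admin 198.51.100.77
2021-06-03T21:58:09 FAIL svc_ehr 198.51.100.77
2021-06-03T21:58:12 OK svc_ehr 198.51.100.77
2021-06-03T21:59:00 FAIL jdoe 192.168.4.8
2021-06-03T21:59:20 OK jdoe 192.168.4.8
"""


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_records(text):
    """Yield one tuple per non-blank line, with the first field parsed as a time."""
    for line in text.splitlines():
        if line.strip():
            fields = line.split()
            yield (datetime.fromisoformat(fields[0]), *fields[1:])


def find_large_egress(flow_text, threshold_bytes, window=timedelta(minutes=10)):
    """Return {host: peak_bytes} for internal hosts whose bytes to external
    addresses exceed threshold_bytes within any window-long interval.
    Internal-to-internal traffic is ignored: the concern is data leaving."""
    per_host = defaultdict(list)
    for t, src, dst, nbytes in parse_records(flow_text):
        if is_internal(src) and not is_internal(dst):
            per_host[src].append((t, int(nbytes)))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        start, running, peak = 0, 0, 0
        for t, nbytes in events:  # sliding window over time-ordered events
            running += nbytes
            while events[start][0] < t - window:
                running -= events[start][1]
                start += 1
            peak = max(peak, running)
        if peak > threshold_bytes:
            flagged[host] = peak
    return flagged


def find_login_bursts(auth_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {src: finding} for sources with more than max_failures failed
    logins inside a window. 'success_after_burst' records whether the same
    source then logged in successfully, which is what a guessed or stolen
    credential looks like and is the case to escalate first."""
    per_src = defaultdict(list)
    for t, result, user, src in parse_records(auth_text):
        per_src[src].append((t, result, user))
    findings = {}
    for src, events in per_src.items():
        events.sort()
        recent, users, burst, success_after, total = [], set(), False, False, 0
        for t, result, user in events:
            recent = [f for f in recent if f >= t - window]  # drop old failures
            if result == "FAIL":
                total += 1
                recent.append(t)
                users.add(user)
                if len(recent) > max_failures:
                    burst = True
            elif burst:
                success_after = True
        if burst:
            findings[src] = {"failed_attempts": total, "users": sorted(users),
                             "success_after_burst": success_after}
    return findings


if __name__ == "__main__":
    print("large egress:", find_large_egress(FLOW_LOG, 500 * 1024 * 1024))
    print("login bursts:", find_login_bursts(AUTH_LOG))
```

The egress check compares each host against an absolute byte threshold for simplicity; in practice the threshold is set per host from its own historical outbound volume, since a backup server and a front-desk workstation have very different normal egress. The success-after-burst flag is the condition under which the response plan the guideline calls for should be triggered: a burst of failures alone may be a scanner, but a success from the same source immediately afterwards means a credential has been guessed or stolen.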
`
48. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.

49. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

12 Protecting Personal Information: A Guide for Business, Federal Trade Commission (2016). Available at https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf (last visited Aug. 9, 2021).
13 Id.
`
50. These FTC enforcement actions include actions against healthcare entities like Defendant. See, e.g., In the Matter of LabMD, Inc., A Corp, 2016-2 Trade Cas. (CCH) ¶ 79708, 2016 WL 4128215, at *32 (MSNET July 28, 2016) (“[T]he Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice in violation of Section 5 of the FTC Act.”)

51. Defendant failed to properly implement basic data security practices.

52. Defendant’s failure to employ reasonable and appropriate measures to protect against unauthorized access to the patient PII and PHI of its medical practice customers constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

53. Upon information and belief, Defendant was at all times fully aware of its obligation to protect the patient PII and PHI of its medical practice customers. Defendant was also aware of the significant repercussions that would result from its failure to do so.

Defendant Fails to Comply with Industry Standards
`
54. Experts studying cyber security routinely identify healthcare providers as being particularly vulnerable to cyberattacks because of the value of the PII and PHI which they collect and maintain.

55. Several best practices have been identified that at a minimum should be implemented by healthcare providers like Defendant, including but not limited to: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable without a key; multi-factor authentication; backing up data; and limiting which employees can access sensitive data. Defendant failed to follow these industry best practices, including a failure to implement multi-factor authentication.

56. Other best cybersecurity practices that are standard in the healthcare industry include installing appropriate malware detection software; monitoring and limiting open network ports; protecting web browsers and email management systems; properly configuring network systems such as firewalls, switches and routers; monitoring and protecting physical security systems; protecting communication systems; and training staff on critical points. Defendant failed to follow these cybersecurity best practices, including a failure to train staff.

57. Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness.
`
58. These foregoing frameworks are existing and applicable industry standards in the healthcare industry, and Defendant failed to comply with these accepted standards, thereby opening the door to the cyber incident and causing the data breach.

Defendant’s Conduct Violates HIPAA and Evidences Its Insufficient Data Security

59. HIPAA requires covered entities and the business associates of covered entities to protect against reasonably anticipated threats to the security of sensitive patient health information.

60. Defendant Coastal Family is a business associate of a “covered entity” under HIPAA. Business associates of covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Safeguards must include physical, technical and administrative components.

61. Title II of HIPAA contains what are known as the Administrative Simplification provisions. 42 U.S.C. §§ 1301, et seq. These provisions require, among other things, that the Department of Health and Human Services (“HHS”) create rules to streamline the standards for handling PII like the data Defendant left unguarded. HHS subsequently promulgated multiple regulations under authority of the Administrative Simplification provisions of HIPAA. These rules include 45 C.F.R. § 164.306(a)(1-4); 45 C.F.R. § 164.312(a)(1); 45 C.F.R. § 164.308(a)(1)(i); 45 C.F.R. § 164.308(a)(1)(ii)(D), and 45 C.F.R. § 164.530(b).
`
62. A Data Breach such as the one Defendant experienced is considered a breach under the HIPAA Rules because there is an access of PHI not permitted under the HIPAA Privacy Rule:

A breach under the HIPAA Rules is defined as, “...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.40.

63. Defendant’s Data Breach resulted from a combination of insufficiencies that demonstrate Coastal Family failed to comply with safeguards mandated by HIPAA regulations.

Cyberattacks and Data Breaches Cause Disruption and Put Consumers at an Increased Risk of Fraud and Identity Theft

64. Cyberattacks and data breaches at business associates of healthcare providers, like Defendant, are especially problematic because they can negatively impact the overall daily lives of individuals affected by the attack.

65. The United States Government Accountability Office released a report in 2007 regarding data breaches (“GAO Report”) in which it noted that victims of identity theft will face “substantial costs and time to repair the damage to their good name and credit record.”14
`
66. That is because any victim of a data breach is exposed to serious ramifications regardless of the nature of the data. Indeed, the reason criminals steal personally identifiable information is to monetize it. They do this by selling the spoils of their cyberattacks on the black market to identity thieves who desire to extort and harass victims, or to take over victims’ identities in order to engage in illegal financial transactions under the victims’ names.

67. Because a person’s identity is akin to a puzzle, the more accurate pieces of data an identity thief obtains about a person, the easier it is for the thief to take on the victim’s identity or otherwise harass or track the victim. For example, armed with just a name and date of birth, a data thief can utilize a hacking technique referred to as “social engineering” to obtain even more information about a victim’s identity, such as a person’s login credentials or Social Security number. Social engineering is a form of hacking whereby a data thief uses previously acquired information to manipulate individuals into disclosing additional confidential or personal information through means such as spam phone calls and text messages or phishing emails.

14 See U.S. Gov’t Accountability Office, GAO-07-737, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (2007). Available at https://www.gao.gov/new.items/d07737.pdf.
`
68. The FTC recommends that identity theft victims take several steps to protect their personal and financial information after a data breach, including contacting one of the credit bureaus to place a fraud alert (and considering an extended fraud alert that lasts for 7 years if someone steals their identity), reviewing their credit reports, contacting companies to remove fraudulent charges from their accounts, placing a credit freeze on their credit and correcting their credit reports.15

69. Identity thieves use stolen personal information such as Social Security numbers for a variety of crimes, including credit card fraud, phone or utilities fraud and bank/finance fraud.

70. Identity thieves can also use Social Security numbers to obtain a driver’s license or official identification card in the victim’s name but with the thief’s picture; use the victim’s name and Social Security number to obtain government benefits; or file a fraudulent tax return using the victim’s information.

71. In addition, identity thieves may obtain a job using the victim’s Social Security number, rent a house or receive medical services in the victim’s name, and may even give the victim’s personal information to police during an arrest, resulting in an arrest warrant being issued in the victim’s name.

72. A study by the Identity Theft Resource Center shows the multitude of harms caused by fraudulent use of personal and financial information:16

[Chart omitted.]

15 See IdentityTheft.gov, Federal Trade Commission, https://www.identitytheft.gov/Steps (last visited Aug. 9, 2021).
`
73. Moreover, theft of Private Information is gravely serious; PII and PHI is an extremely valuable property right.17

74. Its value is axiomatic, considering the value of “big data” in corporate America and the fact that the consequences of cyber thefts include heavy prison sentences. Even this obvious risk-to-reward analysis illustrates beyond doubt that Private Information has considerable market value.

16 See Jason Steele, Credit Card and ID Theft Statistics, CreditCards.com (Oct. 23, 2020), https://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php.
17 See, e.g., John T. Soma, et al., Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value” of Financial Assets, 15 Rich. J.L. & Tech. 11, at *3-4 (2009) (“PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets.”) (citations omitted).
`
75. Theft of PHI, in particular, is gravely serious: “[a] thief may use your name or health insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care. If the thief’s health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected.”18

76. Drug manufacturers, me