Case 2:22-cv-02483 Document 1 Filed 04/12/22 Page 1 of 56 Page ID #:1

Alex R. Straus, SBN 321366
MILBERG COLEMAN BRYSON
PHILLIPS GROSSMAN PLLC
280 S. Beverly Drive
Beverly Hills, CA 90212
(917) 471-1894 (phone)
(615) 921-6501 (fax)
astraus@milberg.com

Plaintiffs’ Attorneys
Additional attorneys on signature page

UNITED STATES DISTRICT COURT
CENTRAL DISTRICT OF CALIFORNIA

VICKEY ANGULO, individually and on behalf of themselves and all others similarly situated,

Plaintiffs,

v.

SUPERCARE HEALTH, INC.,

Defendant.

Case No.

CLASS ACTION COMPLAINT

Demand for Jury Trial

CLASS ACTION COMPLAINT - 1
Plaintiff Vickey Angulo (“Plaintiff”) brings this Complaint against Defendant SuperCare Health, Inc. (“SCH”), individually and on behalf of all others similarly situated, and alleges upon personal knowledge as to her own actions and her counsel’s investigations, and upon information and belief as to all other matters, as follows:

I. NATURE OF THE ACTION

1. On or about March 25, 2022, SCH posted a notice, entitled Notice of Data Breach (hereinafter, the “Notice”), announcing publicly that an unauthorized actor accessed SCH’s files.

2. According to SCH’s Notice, current and former patients’ personally identifiable information (“PII”) and protected health information (“PHI”) as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including, but not limited to, patients’ names, addresses, dates of birth, hospital or medical group, patient account numbers, medical record numbers, health insurance information, testing/diagnostic/treatment information, and other health-related information, as well as, for some, Social Security numbers and driver’s license numbers (collectively, the “Private Information”), were accessed and compromised by an unauthorized third party in the cybersecurity incident (the “Data Breach”).
3. As detailed below, the Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect Plaintiff’s and the Class Members’ Private Information despite the fact that data breach attacks against medical systems and healthcare providers are at an all-time high.

4. This attack enabled an unauthorized third-party to access SCH’s computer systems and the highly sensitive and confidential data of thousands of current and former patients of SCH, including Plaintiff.

5. Plaintiff received a notification letter from SCH informing her that the information accessed by the third-party actors included her electronic health records.

6. SCH, despite professing to take the privacy and security of its patients’ confidential and health information seriously, has not offered to provide affected individuals with adequate credit monitoring service or compensation for the damages they have suffered as a result of the Breach.

7. As a consequence of the Data Breach, Plaintiff’s and Class members’ Private Information has been released into the public domain and they have had to, and will continue to have to, spend time to protect themselves from fraud and identity theft.
8. Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to Defendant, through frequent news reports and FBI warnings to the healthcare industry, and thus it was on notice that failing to take steps necessary to secure the Private Information from those risks left the property in a dangerous and vulnerable condition.

9. Defendant disregarded the rights of Plaintiff and Class Members (defined below) by, inter alia, intentionally, willfully, recklessly or negligently failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions; failing to disclose that it did not have adequately robust computer systems and security practices to safeguard patient Private Information; failing to take standard and reasonably available steps to prevent the Data Breach; and failing to provide Plaintiff and Class Members accurate notice of the Data Breach.

10. Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s conduct since the Private Information that Defendant collected and maintained is now in the hands of data thieves.

11. Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes including, e.g., opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph and/or giving false information to police during an arrest.

12. As a result of the Data Breach, Plaintiff and Class Members have been exposed to a substantial and present risk of fraud and identity theft. Plaintiff and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

13. Plaintiff and Class Members may also incur out of pocket costs for, e.g., purchasing credit monitoring services, credit freezes, credit reports or other protective measures to deter and detect identity theft.

14. Plaintiff seeks to remedy these harms on behalf of herself and all similarly situated individuals whose Private Information was accessed during the Data Breach.

15. Plaintiff seeks remedies including, but not limited to, compensatory damages, nominal damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.
II. JURISDICTION AND VENUE

16. This Court has subject matter and diversity jurisdiction over this action under 28 U.S.C. § 1332(d) because this is a class action wherein the amount in controversy exceeds the sum or value of $5 million, exclusive of interest and costs, there are more than 100 members in the proposed class, and at least one other Class Member is a citizen of a state different from Defendant to establish minimal diversity.

17. The Central District of California has personal jurisdiction over Defendant named in this action because Defendant is headquartered in this District and conducts substantial business in California and this District through its headquarters, offices, and affiliates.

18. Venue is proper in this District under 28 U.S.C. § 1391(b) because Defendant is headquartered in this District and has caused harm to Plaintiff and Class Members residing in this District.

III. PARTIES

19. Plaintiff Vickey Angulo is a resident and citizen of the State of California and intends to remain domiciled in and a citizen of the State of California. Plaintiff received Notice of the Data Breach on or about March 25, 2022. She was informed the following sensitive data she provided to SCH was compromised in the Data Breach:
name, address, date of birth, patient account number, diagnostic information, and claim information.

20. Defendant SuperCare Health, Inc. is a respiratory health company that is headquartered at 8345 Firestone Blvd., Suite 210, Downey, California 90241.

IV. FACTUAL ALLEGATIONS

DEFENDANT’S BUSINESS

21. According to Defendant’s website, “SuperCare Health is the leading post-acute, in-home respiratory care provider in the western U.S. that has been serving the healthcare needs of our ever-growing patient population for nearly 50 years.”

22. As part of promoting its business, Defendant boasts “[consumer] privacy is important to [SuperCare Health].”

23. Pursuant to Defendant’s Privacy Policy, it collects the following sensitive information from consumers:

a. Name
b. Date of Birth
c. SuperCare Health Account ID
d. Medical diagnosis
e. Home or work address
f. Telephone number
g. Zip code
h. Age
i. Gender

24. On information and belief, and, as indicated in Defendant’s Notice of Data Breach, Defendant also collects Social Security numbers and driver’s license numbers – which were compromised for a number of victims of the Data Breach.

25. In the ordinary course of transacting with Defendant, consumers are required to provide – and Plaintiff did so provide – Defendant with extremely sensitive and personal PII and PHI.

26. Additionally, Defendant may receive private and personal information from other individuals and/or organizations that are part of a patient’s “circle of care,” such as referring physicians, patients’ other doctors, patients’ health plan(s), close friends and/or family members.

27. As current and former patients at SCH, Plaintiff and Class members relied on SCH to keep their highly sensitive information confidential and securely maintained.
28. On information and belief, Defendant provides each of its patients, including Plaintiff, with a HIPAA compliant notice of its privacy practices (the “Privacy Notice”) in respect to how it handles patients’ sensitive and confidential information.

29. Due to the highly sensitive and personal nature of the information Defendant acquires and stores with respect to its patients, Defendant promises to maintain the confidentiality of patients’ health, financial, and non-public personal information, ensure compliance with federal and state laws and regulations, and not to use or disclose patients’ health information for any reasons other than those expressly listed in the Privacy Notice without written authorization.

30. As a condition of receiving medical care and treatment from Defendant, Defendant requires that its patients, including Plaintiff and Class Members, entrust it with highly sensitive personal information.

31. Prior to receiving medical care and treatment from Defendant, Plaintiff gave (and was required to give) her highly sensitive Private Information to Defendant.

32. By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class members’ PII and PHI, Defendant assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiff’s and Class members’ PII and PHI from unauthorized disclosure.
33. Plaintiff and the Class members have taken reasonable steps to maintain the confidentiality of their PII and PHI.

34. Plaintiff and the Class members relied on Defendant to keep their PII and PHI confidential and securely maintained, to use this information for business and health purposes only, and to make only authorized disclosures of this information.

THE BREACH

35. On or about March 25, 2022, SCH began informing affected individuals, including Plaintiff, that its computer network had been accessed by an unauthorized third party actor by way of a cyberattack and resulting data breach.

36. Although the notification letter states that SCH was the victim of a data security incident on or about July 23, 2021 – July 27, 2021, it provides scant detail about the nature, severity or duration of the attack. Even worse, SCH did not inform its patients of the data breach until over six months after the data breach occurred.

37. But what’s clear from the Notice is that cybercriminals did, in fact, access and view Plaintiff’s and Class members’ PII and PHI during the time period in which the cybercriminals had unfettered access to Defendant’s IT network, as that is the modus operandi of cybercriminals who commit such attacks.
38. According to SCH, the attack compromised a wide range of PII and PHI, including but not limited to patients’ names, addresses, dates of birth, hospital or medical group, patient account numbers, medical record numbers, health insurance information, testing/diagnostic/treatment information, and other health-related information, as well as, for some, Social Security numbers and driver’s license numbers.

39. Simply put, SCH could have prevented this Data Breach.

40. SCH did not implement or maintain adequate measures to protect its patients’ PII and PHI.

41. On information and belief, the PII and PHI compromised in the files accessed by hackers was not encrypted.

42. Moreover, the removal of PII and PHI from Defendant’s system, including, but not limited to, names, dates of birth, Social Security Numbers (which are the keys to identity theft and fraud), and other health information, demonstrates that this cyberattack was targeted due to Defendant’s status as a healthcare facility that houses sensitive PII and PHI.

43. Due to Defendant’s incompetent security measures, Plaintiff and the Class Members now face a present and substantial risk of fraud and identity theft and must deal with that threat forever.
44. Despite widespread knowledge of the dangers of identity theft and fraud associated with cyberattacks and unauthorized disclosure of PII and PHI, SCH provided unreasonably deficient protections prior to the Breach, including, but not limited to, a lack of security measures for storing and handling patients’ PII and PHI and inadequate employee training regarding how to access, handle and safeguard this information.

45. SCH failed to adequately adopt and train its employees on even the most basic of information security protocols, including:

a. storing, locking, encrypting and limiting access to patients’ highly sensitive PHI;
b. implementing guidelines for accessing, maintaining and communicating sensitive PHI; and
c. protecting patients’ sensitive PHI by implementing protocols on how to utilize such information.

46. SCH’s failures caused the unpermitted disclosure of Plaintiff’s and Class members’ Private Information to an unauthorized third party and put Plaintiff and the Class at serious, immediate and continuous risk of identity theft and fraud.

47. The Breach that exposed Plaintiff’s and Class members’ PHI was caused by SCH’s violation of its obligations to abide by best practices and industry standards concerning its information security practices and processes.

48. SCH failed to comply with security standards or to implement security measures that could have prevented or mitigated the Breach.
49. SCH failed to ensure that all personnel with access to its patients’ PII and PHI were properly trained in retrieving, handling, using and distributing sensitive information.

THE BREACH WAS FORESEEABLE

50. Defendant had obligations created by HIPAA, contract, industry standards, common law and its own promises and representations made to Plaintiff and Class Members to keep their PII and PHI confidential and to protect it from unauthorized access and disclosure.

51. Plaintiff and Class members provided their PII and PHI to Defendant with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access.

52. Defendant’s data security obligations were particularly important given the substantial increase in ransomware attacks and/or data breaches in the healthcare industry preceding the date of the breach.

53. Data breaches, including those perpetrated against the healthcare sector of the economy, have become extremely widespread.
54. In 2019, a record 1,473 data breaches occurred, resulting in approximately 164,683,455 sensitive records being exposed, a 17% increase from 2018.

55. Of the 1,473 recorded data breaches, 525 of them, or 35.64%, were in the medical or healthcare industry.

56. Defendant was aware of the risk of data breaches because such breaches have dominated the headlines in recent years.

57. In light of recent high profile cybersecurity incidents at other healthcare partner and provider companies, including American Medical Collection Agency (25 million patients, March 2019), University of Washington Medicine (974,000 patients, December 2018), Florida Orthopedic Institute (640,000 patients, July 2020), Wolverine Solutions Group (600,000 patients, September 2018), Oregon Department of Human Services (645,000 patients, March 2019), Elite Emergency Physicians (550,000 patients, June 2020), Magellan Health (365,000 patients, April 2020), and BJC Health System (286,876 patients, March 2020), Defendant knew or should have known that its electronic records would be targeted by cybercriminals.

58. In 2021 alone there were over 220 data breach incidents.

59. These approximately 220 data breach incidents have impacted nearly 15 million individuals.
60. Indeed, cyberattacks have become so notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack. As one report explained, “[e]ntities like smaller municipalities and hospitals are attractive to ransomware criminals… because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”

61. In fact, according to the cybersecurity firm Mimecast, 90% of healthcare organizations experienced cyberattacks in the past year.

62. As one report explained, “[e]ntities like smaller municipalities and hospitals are attractive to ransomware criminals…because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”

63. According to the 2019 Health Information Management Systems Society, Inc. (“HIMSS”) Cybersecurity Survey, “[a] pattern of cybersecurity threats and experiences is discernable across U.S. healthcare organizations. Significant security incidents are a near-universal experience in U.S. healthcare organizations with many of the incidents initiated by bad actors, leveraging e-mail as a means to compromise the integrity of their targets.”

64. PII and PHI is of great value to hackers and cybercriminals, and the data compromised in the Breach can be used in a variety of unlawful manners.
65. PII and PHI can be used to distinguish, identify or trace an individual’s identity, such as their name, Social Security Number and medical records.

66. This can be accomplished alone or in combination with other personal or identifying information that is connected or linked to an individual, such as their birthdate, birthplace and mother’s maiden name.

67. Given the nature of this Data Breach, it is foreseeable that the compromised PII and PHI can be used by hackers and cybercriminals in a variety of different ways.

68. Indeed, the cybercriminals who possess the Class members’ PII and PHI can readily obtain Class members’ tax returns or open fraudulent credit card accounts in the Class members’ names.

69. Therefore, the increase in such attacks, and attendant risk of future attacks, was widely known to the public and to anyone in Defendant’s industry, including, upon information and good faith belief, SCH.

DEFENDANT FAILED TO FOLLOW FTC GUIDELINES

70. The Federal Trade Commission (“FTC”) has promulgated numerous guides for businesses which highlight the importance of implementing reasonable data security practices.
71. According to the FTC, the need for data security should be factored into all business decision-making.

72. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established cyber-security guidelines for businesses.

73. The guidelines note that businesses should protect the personal patient information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies to correct any security problems.

74. The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.

75. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.
76. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect patient data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

77. These FTC enforcement actions include actions against healthcare providers like Defendant. See, e.g., In the Matter of Labmd, Inc., A Corp, 2016-2 Trade Cas. (CCH) ¶ 79708, 2016 WL 4128215, at *32 (MSNET July 28, 2016) (“[T]he Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice in violation of Section 5 of the FTC Act.”).

78. Defendant failed to properly implement basic data security practices.

79. Defendant’s failure to employ reasonable and appropriate measures to protect against unauthorized access to patients’ PII and PHI constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

80. Defendant was at all times fully aware of its obligation to protect the PII and PHI of its patients. Defendant was also aware of the significant repercussions that would result from its failure to do so.
DEFENDANT FAILED TO MEET INDUSTRY STANDARDS

81. As shown above, experts studying cyber security routinely identify healthcare providers as being particularly vulnerable to cyberattacks because of the value of the PII and PHI which they collect and maintain.

82. Several best practices have been identified that at a minimum should be implemented by healthcare providers like Defendant, including but not limited to: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable without a key; multi-factor authentication; backing up data; and limiting which employees can access sensitive data.

83. Other best cybersecurity practices that are standard in the healthcare industry include installing appropriate malware detection software; monitoring and limiting the network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches and routers; monitoring and protection of physical security systems; protection against any possible communication system; training staff regarding critical points.

84. Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1,
PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness.

85. These foregoing frameworks are existing and applicable industry standards in the healthcare industry, and Defendant failed to comply with these accepted standards, thereby opening the door to and causing the Breach.

DEFENDANT VIOLATES HIPAA AND EVIDENCES INSUFFICIENT DATA SECURITY

86. HIPAA requires covered entities to protect against reasonably anticipated threats to the security of sensitive patient health information.

87. Covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Safeguards must include physical, technical, and administrative components.

88. Title II of HIPAA contains what are known as the Administrative Simplification provisions. These provisions require, among other things, that the Department of Health and Human Services (“HHS”) create rules to streamline the standards for handling PHI and PII like the data Defendant left unguarded.
89. The HHS subsequently promulgated multiple regulations under authority of the Administrative Simplification provisions of HIPAA. These rules include 45 C.F.R. § 164.306(a)(1-4); 45 C.F.R. § 164.312(a)(1); 45 C.F.R. § 164.308(a)(1)(i); 45 C.F.R. § 164.308(a)(1)(ii)(D) and 45 C.F.R. § 164.530(b).

    A data breach such as the one Defendant experienced, is also considered a breach under the HIPAA Rules because there is an access of PHI not permitted under the HIPAA Privacy Rule: A breach under the HIPAA Rules is defined as, “...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.40

90. Data breaches are Security Incidents under HIPAA because they impair both the integrity (data is not interpretable) and availability (data is not accessible) of patient health information:

    The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).

91. Defendant’s Breach resulted from a combination of insufficiencies that demonstrate it failed to comply with safeguards mandated by HIPAA regulations.
DEFENDANT’S BREACH

92. Defendant breached its obligations to Plaintiff and the Class members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard its computer systems, network and data.

93. Defendant’s unlawful conduct includes, but is not limited to, the following acts and/or omissions:

a. Failing to maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks;
b. Failing to adequately protect patients’ PII and PHI;
c. Failing to properly monitor its own data security systems for existing intrusions, brute-force attempts and clearing of event logs;
d. Failing to apply all available security updates;
e. Failing to install the latest software patches, update its firewalls, check user account privileges, or ensure proper security pra
