Case 2:22-cv-02483 Document 1 Filed 04/12/22 Page 1 of 56 Page ID #:1

Alex R. Straus, SBN 321366
MILBERG COLEMAN BRYSON
PHILLIPS GROSSMAN PLLC
280 S. Beverly Drive
Beverly Hills, CA 90212
(917) 471-1894 (phone)
(615) 921-6501 (fax)
astraus@milberg.com

Plaintiffs’ Attorneys
Additional attorneys on signature page

UNITED STATES DISTRICT COURT
CENTRAL DISTRICT OF CALIFORNIA

VICKEY ANGULO, individually and on behalf of themselves and all others similarly situated,

    Plaintiffs,

    v.

SUPERCARE HEALTH, INC.,

    Defendant.

Case No.

CLASS ACTION COMPLAINT

Demand for Jury Trial

CLASS ACTION COMPLAINT - 1
Plaintiff Vickey Angulo (“Plaintiff”) brings this Complaint against Defendant SuperCare Health, Inc. (“SCH”), individually and on behalf of all others similarly situated, and alleges upon personal knowledge as to her own actions and her counsel’s investigations, and upon information and belief as to all other matters, as follows:

I. NATURE OF THE ACTION

1. On or about March 25, 2022, SCH posted a notice, entitled Notice of Data Breach (hereinafter, the “Notice”), announcing publicly that an unauthorized actor accessed SCH’s files.

2. According to SCH’s Notice, current and former patients’ personally identifiable information (“PII”) and protected health information (“PHI”) as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including, but not limited to, patients’ names, addresses, dates of birth, hospital or medical group, patient account numbers, medical record numbers, health insurance information, testing/diagnostic/treatment information, and other health-related information, as well as, for some, Social Security numbers and driver’s license numbers (collectively, the “Private Information”), were accessed and compromised by an unauthorized third party in the cybersecurity incident (the “Data Breach”).
3. As detailed below, the Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect Plaintiff’s and the Class Members’ Private Information despite the fact that data breach attacks against medical systems and healthcare providers are at an all-time high.

4. This attack enabled an unauthorized third-party to access SCH’s computer systems and the highly sensitive and confidential data of thousands of current and former patients of SCH, including Plaintiff.

5. Plaintiff received a notification letter from SCH informing her that the information accessed by the third-party actors included her electronic health records.

6. SCH, despite professing to take the privacy and security of its patients’ confidential and health information seriously, has not offered to provide affected individuals with adequate credit monitoring service or compensation for the damages they have suffered as a result of the Breach.

7. As a consequence of the Data Breach, Plaintiff’s and Class members’ Private Information has been released into the public domain and they have had to, and will continue to have to, spend time to protect themselves from fraud and identity theft.
8. Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to Defendant, through frequent news reports and FBI warnings to the healthcare industry, and thus it was on notice that failing to take steps necessary to secure the Private Information from those risks left the property in a dangerous and vulnerable condition.

9. Defendant disregarded the rights of Plaintiff and Class Members (defined below) by, inter alia, intentionally, willfully, recklessly or negligently failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions; failing to disclose that it did not have adequately robust computer systems and security practices to safeguard patient Private Information; failing to take standard and reasonably available steps to prevent the Data Breach; and failing to provide Plaintiff and Class Members accurate notice of the Data Breach.

10. Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s conduct since the Private Information that Defendant collected and maintained is now in the hands of data thieves.

11. Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes including, e.g., opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph and/or giving false information to police during an arrest.

12. As a result of the Data Breach, Plaintiff and Class Members have been exposed to a substantial and present risk of fraud and identity theft. Plaintiff and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

13. Plaintiff and Class Members may also incur out of pocket costs for, e.g., purchasing credit monitoring services, credit freezes, credit reports or other protective measures to deter and detect identity theft.

14. Plaintiff seeks to remedy these harms on behalf of herself and all similarly situated individuals whose Private Information was accessed during the Data Breach.

15. Plaintiff seeks remedies including, but not limited to, compensatory damages, nominal damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.
II. JURISDICTION AND VENUE

16. This Court has subject matter and diversity jurisdiction over this action under 28 U.S.C. § 1332(d) because this is a class action wherein the amount in controversy exceeds the sum or value of $5 million, exclusive of interest and costs, there are more than 100 members in the proposed class, and at least one other Class Member is a citizen of a state different from Defendant to establish minimal diversity.

17. The Central District of California has personal jurisdiction over Defendant named in this action because Defendant is headquartered in this District and conducts substantial business in California and this District through its headquarters, offices, and affiliates.

18. Venue is proper in this District under 28 U.S.C. § 1391(b) because Defendant is headquartered in this District and has caused harm to Plaintiff and Class Members residing in this District.

III. PARTIES

19. Plaintiff Vickey Angulo is a resident and citizen of the State of California and intends to remain domiciled in and a citizen of the State of California. Plaintiff received Notice of the Data Breach on or about March 25, 2022. She was informed the following sensitive data she provided to SCH was compromised in the Data Breach: name, address, date of birth, patient account number, diagnostic information, and claim information.

20. Defendant SuperCare Health, Inc. is a respiratory health company that is headquartered at 8345 Firestone Blvd., Suite 210, Downey, California 90241.

IV. FACTUAL ALLEGATIONS

DEFENDANT’S BUSINESS

21. According to Defendant’s website, “SuperCare Health is the leading post-acute, in-home respiratory care provider in the western U.S. that has been serving the healthcare needs of our ever-growing patient population for nearly 50 years.”

22. As part of promoting its business, Defendant boasts “[consumer] privacy is important to [SuperCare Health].”

23. Pursuant to Defendant’s Privacy Policy, it collects the following sensitive information from consumers:

a. Name

b. Date of Birth

c. SuperCare Health Account ID

d. Medical diagnosis

e. Home or work address
f. Telephone number

g. Zip code

h. Age

i. Gender

24. On information and belief, and, as indicated in Defendant’s Notice of Data Breach, Defendant also collects Social Security numbers and driver’s license numbers – which were compromised for a number of victims of the Data Breach.

25. In the ordinary course of transacting with Defendant, consumers are required to provide – and Plaintiff did so provide – Defendant with extremely sensitive and personal PII and PHI.

26. Additionally, Defendant may receive private and personal information from other individuals and/or organizations that are part of a patient’s “circle of care,” such as referring physicians, patients’ other doctors, patients’ health plan(s), close friends and/or family members.

27. As current and former patients at SCH, Plaintiff and Class members relied on SCH to keep their highly sensitive information confidential and securely maintained.
28. On information and belief, Defendant provides each of its patients, including Plaintiff, with a HIPAA compliant notice of its privacy practices (the “Privacy Notice”) in respect to how it handles patients’ sensitive and confidential information.

29. Due to the highly sensitive and personal nature of the information Defendant acquires and stores with respect to its patients, Defendant promises to maintain the confidentiality of patients’ health, financial, and non-public personal information, ensure compliance with federal and state laws and regulations, and not to use or disclose patients’ health information for any reasons other than those expressly listed in the Privacy Notice without written authorization.

30. As a condition of receiving medical care and treatment from Defendant, Defendant requires that its patients, including Plaintiff and Class Members, entrust it with highly sensitive personal information.

31. Prior to receiving medical care and treatment from Defendant, Plaintiff gave (and was required to give) her highly sensitive Private Information to Defendant.

32. By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class members’ PII and PHI, Defendant assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiff’s and Class members’ PII and PHI from unauthorized disclosure.
33. Plaintiff and the Class members have taken reasonable steps to maintain the confidentiality of their PII and PHI.

34. Plaintiff and the Class members relied on Defendant to keep their PII and PHI confidential and securely maintained, to use this information for business and health purposes only, and to make only authorized disclosures of this information.

THE BREACH

35. On or about March 25, 2022, SCH began informing affected individuals, including Plaintiff, that its computer network had been accessed by an unauthorized third party actor by way of a cyberattack and resulting data breach.

36. Although the notification letter states that SCH was the victim of a data security incident on or about July 23, 2021 – July 27, 2021, it provides scant detail about the nature, severity or duration of the attack. Even worse, SCH did not inform their patients of the data breach until over six months after the data breach occurred.

37. But what’s clear from the Notice is that cybercriminals did, in fact, access and view Plaintiff’s and Class members’ PII and PHI during the time period in which the cybercriminals had unfettered access to Defendant’s IT network, as that is the modus operandi of cybercriminals who commit such attacks.
38. According to SCH, the attack compromised a wide range of PII and PHI, including but not limited to patients’ names, addresses, dates of birth, hospital or medical group, patient account numbers, medical record numbers, health insurance information, testing/diagnostic/treatment information, and other health-related information, as well as, for some, Social Security numbers and driver’s license numbers.

39. Simply put, SCH could have prevented this Data Breach.

40. SCH did not implement or maintain adequate measures to protect its patients’ PII and PHI.

41. On information and belief, the PII and PHI compromised in the files accessed by hackers was not encrypted.

42. Moreover, the removal of PHI and other PII and PHI from Defendant’s system, including, but not limited to, names, dates of birth, Social Security Numbers (which are the keys to identity theft and fraud), and other health information — demonstrates that this cyberattack was targeted due to Defendant’s status as a healthcare facility that houses sensitive PII and PHI.

43. Due to Defendant’s incompetent security measures, Plaintiff and the Class Members now face a present and substantial risk of fraud and identity theft and must deal with that threat forever.
44. Despite widespread knowledge of the dangers of identity theft and fraud associated with cyberattacks and unauthorized disclosure of PII and PHI, SCH provided unreasonably deficient protections prior to the Breach, including, but not limited to a lack of security measures for storing and handling patients’ PII and PHI and inadequate employee training regarding how to access, handle and safeguard this information.

45. SCH failed to adequately adopt and train its employees on even the most basic of information security protocols, including:

a. storing, locking, encrypting and limiting access to patients’ highly sensitive PHI;

b. implementing guidelines for accessing, maintaining and communicating sensitive PHI; and

c. protecting patients’ sensitive PHI by implementing protocols on how to utilize such information.

46. SCH’s failures caused the unpermitted disclosure of Plaintiff’s and Class members’ Private Information to an unauthorized third party and put Plaintiff and the Class at serious, immediate and continuous risk of identity theft and fraud.

47. The Breach that exposed Plaintiff’s and Class members’ PHI was caused by SCH’s violation of its obligations to abide by best practices and industry standards concerning its information security practices and processes.

48. SCH failed to comply with security standards or to implement security measures that could have prevented or mitigated the Breach.
49. SCH failed to ensure that all personnel with access to its patients’ PII and PHI were properly trained in retrieving, handling, using and distributing sensitive information.

THE BREACH WAS FORESEEABLE

50. Defendant had obligations created by HIPAA, contract, industry standards, common law and its own promises and representations made to Plaintiff and Class Members to keep their PII and PHI confidential and to protect it from unauthorized access and disclosure.

51. Plaintiff and Class members provided their PII and PHI to Defendant with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access.

52. Defendant’s data security obligations were particularly important given the substantial increase in ransomware attacks and/or data breaches in the healthcare industry preceding the date of the breach.

53. Data breaches, including those perpetrated against the healthcare sector of the economy, have become extremely widespread.
54. In 2019, a record 1,473 data breaches occurred, resulting in approximately 164,683,455 sensitive records being exposed, a 17% increase from 2018.

55. Of the 1,473 recorded data breaches, 525 of them, or 35.64%, were in the medical or healthcare industry.

56. Defendant was aware of the risk of data breaches because such breaches have dominated the headlines in recent years.

57. In light of recent high profile cybersecurity incidents at other healthcare partner and provider companies, including American Medical Collection Agency (25 million patients, March 2019), University of Washington Medicine (974,000 patients, December 2018), Florida Orthopedic Institute (640,000 patients, July 2020), Wolverine Solutions Group (600,000 patients, September 2018), Oregon Department of Human Services (645,000 patients, March 2019), Elite Emergency Physicians (550,000 patients, June 2020), Magellan Health (365,000 patients, April 2020), and BJC Health System (286,876 patients, March 2020), Defendant knew or should have known that its electronic records would be targeted by cybercriminals.

58. In 2021 alone there were over 220 data breach incidents.

59. These approximately 220 data breach incidents have impacted nearly 15 million individuals.
60. Indeed, cyberattacks have become so notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack. As one report explained, “[e]ntities like smaller municipalities and hospitals are attractive to ransomware criminals… because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”

61. In fact, according to the cybersecurity firm Mimecast, 90% of healthcare organizations experienced cyberattacks in the past year.

62. As one report explained, “[e]ntities like smaller municipalities and hospitals are attractive to ransomware criminals…because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”

63. According to the 2019 Health Information Management Systems Society, Inc. (“HIMMS”) Cybersecurity Survey, “[a] pattern of cybersecurity threats and experiences is discernable across U.S. healthcare organizations. Significant security incidents are a near-universal experience in U.S. healthcare organizations with many of the incidents initiated by bad actors, leveraging e-mail as a means to compromise the integrity of their targets.”

64. PII and PHI is of great value to hackers and cybercriminals, and the data compromised in the Breach can be used in a variety of unlawful manners.
65. PII and PHI can be used to distinguish, identify or trace an individual’s identity, such as their name, Social Security Number and medical records.

66. This can be accomplished alone or in combination with other personal or identifying information that is connected or linked to an individual, such as their birthdate, birthplace and mother’s maiden name.

67. Given the nature of this Data Breach, it is foreseeable that the compromised PII and PHI can be used by hackers and cybercriminals in a variety of different ways.

68. Indeed, the cybercriminals who possess the Class members’ PII and PHI can readily obtain Class members’ tax returns or open fraudulent credit card accounts in the Class members’ names.

69. Therefore, the increase in such attacks, and attendant risk of future attacks, was widely known to the public and to anyone in Defendant’s industry, including, upon information and good faith belief, SCH.

DEFENDANT FAILED TO FOLLOW FTC GUIDELINES

70. The Federal Trade Commission (“FTC”) has promulgated numerous guides for businesses which highlight the importance of implementing reasonable data security practices.
71. According to the FTC, the need for data security should be factored into all business decision-making.

72. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established cyber-security guidelines for businesses.

73. The guidelines note that businesses should protect the personal patient information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies to correct any security problems.

74. The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.

75. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.
76. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect patient data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

77. These FTC enforcement actions include actions against healthcare providers like Defendant. See, e.g., In the Matter of Labmd, Inc., A Corp, 2016-2 Trade Cas. (CCH) ¶ 79708, 2016 WL 4128215, at *32 (MSNET July 28, 2016) (“[T]he Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice in violation of Section 5 of the FTC Act.”).

78. Defendant failed to properly implement basic data security practices.

79. Defendant’s failure to employ reasonable and appropriate measures to protect against unauthorized access to patients’ PII and PHI constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

80. Defendant was at all times fully aware of its obligation to protect the PII and PHI of its patients. Defendant was also aware of the significant repercussions that would result from its failure to do so.
DEFENDANT FAILED TO MEET INDUSTRY STANDARDS

81. As shown above, experts studying cyber security routinely identify healthcare providers as being particularly vulnerable to cyberattacks because of the value of the PII and PHI which they collect and maintain.

82. Several best practices have been identified that at a minimum should be implemented by healthcare providers like Defendant, including but not limited to: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable without a key; multi-factor authentication; backup data; and limiting which employees can access sensitive data.

83. Other best cybersecurity practices that are standard in the healthcare industry include installing appropriate malware detection software; monitoring and limiting the network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches and routers; monitoring and protection of physical security systems; protection against any possible communication system; training staff regarding critical points.

84. Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness.

85. These foregoing frameworks are existing and applicable industry standards in the healthcare industry, and Defendant failed to comply with these accepted standards, thereby opening the door to and causing the Breach.

DEFENDANT VIOLATES HIPAA AND EVIDENCES INSUFFICIENT DATA SECURITY

86. HIPAA requires covered entities to protect against reasonably anticipated threats to the security of sensitive patient health information.

87. Covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Safeguards must include physical, technical, and administrative components.

88. Title II of HIPAA contains what are known as the Administrative Simplification provisions. These provisions require, among other things, that the Department of Health and Human Services (“HHS”) create rules to streamline the standards for handling PHI and PII like the data Defendant left unguarded.
89. The HHS subsequently promulgated multiple regulations under authority of the Administrative Simplification provisions of HIPAA. These rules include 45 C.F.R. § 164.306(a)(1-4); 45 C.F.R. § 164.312(a)(1); 45 C.F.R. § 164.308(a)(1)(i); 45 C.F.R. § 164.308(a)(1)(ii)(D) and 45 C.F.R. § 164.530(b).

    A data breach such as the one Defendant experienced, is also considered a breach under the HIPAA Rules because there is an access of PHI not permitted under the HIPAA Privacy Rule: A breach under the HIPAA Rules is defined as, “...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.40

90. Data breaches are Security Incidents under HIPAA because they impair both the integrity (data is not interpretable) and availability (data is not accessible) of patient health information:

    The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).

91. Defendant’s Breach resulted from a combination of insufficiencies that demonstrate it failed to comply with safeguards mandated by HIPAA regulations.
DEFENDANT’S BREACH

92. Defendant breached its obligations to Plaintiff and the Class members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard its computer systems, network and data.

93. Defendant’s unlawful conduct includes, but is not limited to, the following acts and/or omissions:

a. Failing to maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks;

b. Failing to adequately protect patients’ PHI and other PII and PHI;

c. Failing to properly monitor its own data security systems for existing intrusions, brute-force attempts and clearing of event logs;

d. Failing to apply all available security updates;

e. Failing to install the latest software patches, update its firewalls, check user account privileges, or ensure proper security pra