`
`Jonathan M. Lebe (State Bar No. 284605)
`Jon@lebelaw.com
`Zachary Gershman (State Bar No. 328004)
`Zachary@lebelaw.com
`Shigufa Saleheen (State Bar No. 341013)
`Shigufa@lebelaw.com
`Lebe Law, APLC
`777 S. Alameda Street, Second Floor
`Los Angeles, CA 90021
`Telephone: (213) 444-1973
`
`Attorneys for Plaintiff Harmon Cottrell,
`Individually and on behalf of all others similarly situated
`
`UNITED STATES DISTRICT COURT
`CENTRAL DISTRICT OF CALIFORNIA
`
`Harmon Cottrell, individually and on
`behalf of all others similarly situated,
`
`CLASS ACTION COMPLAINT
`
`DEMAND FOR JURY TRIAL
`
`Plaintiff,
`
`vs.
`
`Super Care, Inc., d/b/a SuperCare
`Health, Inc.,
`
`Defendant.
`
`Case 5:22-cv-00835 Document 1 Filed 05/18/22 Page 2 of 28 Page ID #:2
`
`NATURE OF ACTION AND INTRODUCTORY STATEMENT
`1. Plaintiff Harmon Cottrell (“Plaintiff”) brings this class action against
`Defendant SuperCare Health, Inc. (“Defendant”) for its failure to properly secure and
`safeguard personally identifiable information (“PII”) and protected health information
`(“PHI”) of its patients.
`2. Defendant SuperCare Health, Inc. (“Defendant”) is a “leading post-acute,
`in-home respiratory care provider in the Western U.S.”1 with the goal “to be the most
`trusted partner managing high-risk respiratory diseases combining both in-home, high-
`touch care with telehealth and remote monitoring.”2
`3. As a corporation doing business in California, Defendant is legally
`required to protect PII and PHI from unauthorized access and exfiltration.
`4. According to Defendant’s Notice of Security Incident on its website,
`Defendant first noticed “unauthorized activity” on its systems on July 27, 2021.3 A
`subsequent forensic investigation revealed that an unknown party had access to certain
`systems on Defendant’s network from July 23, 2021 to July 27, 2021 (“Data Breach”).4
`5. Defendant did not report this Data Breach to the Health and Human
`Services Office of Civil Rights (“OCR”) until March 28, 20225 – nearly eight months
`after Defendant originally became aware of the breach.
`6. Between July 2021 and March 2022, Plaintiff and other similarly situated
`Class Members were unaware that their personally identifiable information (“PII”) and
`protected health information (“PHI”) had been potentially compromised. The
`potentially affected data includes, but is not limited to, “name, address, date of birth,
`hospital or medical group, patient account number, medical record number, health
`
`
`1 https://supercarehealth.com (last visited May 18, 2022).
`2 https://supercarehealth.com/homepage/who-we-are/overview/ (last visited May 18, 2022).
`3 https://supercarehealth.com/supercareprotects/ (last visited May 18, 2022).
`4 Id.
`5 See U.S. Department of Health and Human Services Office for Civil Rights Breach Portal: Notice
`to the Secretary of HHS Breach of Unsecured Protected Health Information (“Breach Portal”),
`available at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited May 18, 2022).
`
`insurance information, testing/diagnostic/treatment information, other health-related
`information, and claim information.”6 Defendant reports that for a small subset of
`individuals, the patient’s “Social Security number and/or driver’s license number may
`have been contained in the impacted files.”7
`7. According to the OCR HIPAA Breach Reporting Tool, the breach
`affected nearly 318,400 current and former patients of Defendant.8
`8. When Defendant finally notified Plaintiff and Class Members of the
`breach on March 25, 2022, Defendant failed to explain why it failed to prevent the
`hack for four days, why it did not immediately notify potentially affected individuals
`so they may be able to protect their data, or why its internal investigation of the
`incident took nearly six months.
`9. In response to the Data Breach, Defendant claims that it “implemented
`additional security measures to protect our digital environment and minimize the
`likelihood of future incidents.”9 However, Defendant fails to detail how its previous
`security systems gave rise to the Data Breach, or share any tangible information
`regarding the steps taken in order to further secure this highly sensitive information.
`10. According to Defendant’s Privacy Policy10, Defendant upholds that
`patient “protected health information,” as well as “any additional unique personally
`identifiable information … is not transferred to any third party.”
`11. However, despite its own promise to Plaintiff and Class Members,
`Defendant failed to safeguard and protect this information from unauthorized access
`and disclosure.
`
`
`6 See Notice Of Data Security Incident, available at: https://supercarehealth.com/supercareprotects/
`(last visited May 18, 2022).
`7 See Id.
`8 See Breach Portal; see also SuperCare Health Sued for PHI Breach Affecting 318,000, available
`at: https://thehipaaetool.com/supercare-health-sued-for-phi-breach-affecting-318000/ (last visited
`May 18, 2022).
`9 See Notice of Data Security Incident
`10 See SuperCare Health Privacy Policy, available at:
`https://supercarehealth.com/homepage/privacy-policy/ (last visited May 18, 2022).
`
`12. As a result of Defendant’s failure to provide reasonable and adequate data
`security, Plaintiff’s and Class Members’ PII and PHI have been exposed to those who
`should not have access to it. As a result, Plaintiff and putative class members are now
`at much higher risk of identity theft and for cybercrimes, especially considering the
`highly valuable, sensitive, and sought-after PII and PHI stolen here.
`13. The PII and PHI exposed by Defendant as a result of its inadequate data
`security is highly valuable on the black market to phishers, hackers, identity thieves,
`and cybercriminals. Stolen PII and PHI is often trafficked on the “dark web,” a heavily
`encrypted part of the Internet that is not accessible via traditional search engines. Law
`enforcement has difficulty policing the dark web due to this encryption, which allows
`users and criminals to conceal identities and online activity. PHI and medical records
`are of significantly high value to cybercriminals, with reports that the information
`could go for up to $1,000 on the dark web.11
`14. When malicious actors infiltrate companies and copy and exfiltrate the
`PII and PHI that those companies store, or have access to, that stolen information often
`ends up on the dark web because the malicious actors buy and sell that information for
`profit.
`15. Here, the information potentially compromised by the Data Breach is
`difficult and highly problematic to change—such as driver’s license numbers, social
`security numbers, and addresses.
`16. Unauthorized data breaches, such as these, facilitate identity theft as
`hackers obtain consumers’ PII and thereafter use it to siphon money from current
`accounts, open new accounts in the names of their victims, or sell consumers’ PII to
`others who do the same.
`17. Moreover, Plaintiff’s and the Class Members’ PHI is highly coveted and
`protected under the Health Insurance Portability and Accountability Act of 1996
`
`
`11 See Here’s How Much Your Personal Information Is Selling for on the Dark Web, available at:
`https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-
`selling-for-on-the-dark-web/ (last visited May 18, 2022).
`
`(“HIPAA”). Due to Defendant’s negligence resulting in this Data Breach, Plaintiff
`and Class Members’ medical hospital information, patient account numbers, medical
`record numbers, health insurance numbers, testing/diagnostic/treatment information,
`and claim information have all been compromised. All of this information can be
`utilized to facilitate medical identity theft. Thus, as a result of Defendant’s negligence
`and this Data Breach, Plaintiff and Class Members face a heightened risk of having false
`medical and health insurance claims made under their names, receiving bills for
`medicine and treatments these patients did not actually receive, and experiencing
`disruptions or fraudulent changes made to their medical records.
`18. Notably, once PII and PHI is compromised or stolen, it cannot be
`recovered or returned to an uncompromised condition—these individuals do not even
`have the ability to stop future unlawful usage from occurring. As such, Plaintiff and
`Class Members must remain vigilant, in perpetuity, to ensure that their PII and PHI is
`not being fraudulently used.
`19. Defendant was obligated under the HIPAA, contract law, industry
`standards, common law and its own representations made to Plaintiff and Class
`Members to keep their PII and PHI confidential.
`20. Ultimately, Plaintiff’s and Class Members’ PII and PHI were
`compromised due to Defendant’s own negligent acts and omissions, as well as its
`failure to adequately safeguard this crucial information.
`21. On information and belief, Defendant’s systems were inadequate to
`detect and prevent the “unauthorized activity” that led to the Data Breach, as the
`information was not stored in an encrypted protected manner as required by reasonable
`standards.
`22. As a result of Defendant’s negligence resulting in this Data Breach,
`Plaintiff and Class Members have suffered and will continue to suffer damages
`including, but not limited to, monetary losses and economic harm, invasion of privacy,
`an indefinite increased risk of personal identity and medical identity theft, heightened
`nuisances due to compromised personal contact information, and emotional distress.
`23. Specifically, as a result of this unauthorized Data Breach, Plaintiff has
`spent a considerable time and effort monitoring his information to determine if he has
`been subject to any data breaches. Plaintiff reports experiencing feelings of anxiety,
`stress, fear, and frustration because of the Data Breach, due to the unknown nature of
`what information was compromised and to what extent.
`24. Further, Plaintiff believes that there may have been more PII
`compromised than what is reported by Defendant. Specifically, after the Data Breach,
`Plaintiff reports receiving an influx of scam calls and text messages to his personal
`cell phone—which is unlisted and inaccessible online. These nuisance calls add
`regular and consistent interruptions into Plaintiff’s day and trigger constant reminders
`of the potential PII and PHI that has been exposed as a result of this Data Breach. As
`such, this goes far beyond allegations of mere worry or inconvenience; it is exactly
`the sort of injury and harm to a Data Breach victim that the law contemplates and
`addresses.
`25. Further, as a result of the unauthorized data disclosure, Plaintiff and Class
`Members are now at risk for actual identity and medical identity theft in addition to
`other forms of fraud. The ramifications of Defendant’s failure to keep PII and PHI
`secure are long lasting and severe. The PII belonging to Plaintiff and class members
`is private, valuable, and sensitive in nature as it can be used to commit a variety of
`harms in the hands of the wrong people.
`26. In response to the exposure of this sensitive PII and PHI, Defendant only
`offers Plaintiff and Class Members up to 12 months of free credit monitoring. Not
`only is this insufficient to remedy the lifelong identity theft threat that each patient
`now faces, it completely fails to remedy the exposure of Plaintiff and Class
`Members’ highly sensitive protected health information—the illicit usage of which
`cannot be monitored.
`27. Defendant had ample resources necessary to prevent the unauthorized
`data disclosure, but neglected to adequately implement data security measures, despite
`its obligations to protect the PII of Plaintiff and putative class members. Had Defendant
`remedied the deficiencies in its data security systems and adopted security measures
`recommended by experts in the field, it would have prevented the intrusions into its
`systems and, ultimately, the unauthorized access of PII and PHI.
`28. As a direct and proximate result of Defendant’s actions and inactions,
`Plaintiff and putative class members have been placed at an imminent, immediate, and
`continuing increased risk of harm from identity theft and fraud, requiring them to take
`the time which they otherwise would have dedicated to other life demands such as
`work and family in an effort to mitigate the actual and potential impact of the
`unauthorized data disclosure on their lives.
`JURISDICTION AND VENUE
`29. This Court has subject matter jurisdiction over this action under the Class
`Action Fairness Act of 2005 (“CAFA”), 28 U.S.C. § 1332(d), as the amount in
`controversy exceeds the sum of $5,000,000, exclusive of interest and costs, there are
`more than 100 putative class members, and minimal diversity exists because many
`putative class members are citizens of a different state than Defendant.
`30. The United States District Court for the Central District of California has
`personal jurisdiction over Defendant because Defendant is headquartered in this
`District and does substantial business in California.
`31. Venue is proper because Defendant is headquartered in this District and
`a substantial part of the events or omissions giving rise to Plaintiff’s claims occurred
`in this District.
`
`THE PARTIES
`32. Plaintiff was a patient of SuperCare Health, Inc., where he frequently
`purchased medical equipment for his respiratory needs. On March 25, 2022, Plaintiff
`received a notice from Defendant regarding the breach of his personal information,
`including “name, address, date of birth, patient account number, health insurance
`policy/member number, diagnostic information, treatment information, physician’s
`name, and claim information.”
`33. Defendant Super Care, Inc. d/b/a SuperCare Health, Inc., is a California
`corporation with its headquarters in Downey, California.
`34. The true names and capacities of persons or entities, whether individual,
`corporate, associate, or otherwise, who may be responsible for some of the claims
`alleged herein are currently unknown to Plaintiff. Plaintiff will seek leave of court to
`amend this complaint to reflect the true names and capacities of such other responsible
`parties when their identities become known.
`35. All of Plaintiff’s claims stated herein are asserted against Defendant and
`any of its owners, predecessors, successors, subsidiaries, agents and/or assigns.
`CLASS ACTION ALLEGATIONS
`36. Plaintiff seeks relief on behalf of himself and as a representative of all
`others who are similarly situated.
`(a) Nationwide Class: All individuals nationwide whose PII or PHI was
`actually or potentially compromised during the data breach referenced
`in the Notice of Data Breach sent by Defendant on or around March
`25, 2022.
`(b) California Class: All individuals residing in California whose PII or
`PHI was actually or potentially compromised during the data breach
`referenced in the Notice of Data Breach sent by Defendant on or
`around March 25, 2022.
`37. Plaintiff reserves the right to amend the class definition.
`38. This action satisfies the numerosity, commonality, typicality, and
`adequacy requirements under Fed. R. Civ. P. 23.
`(a) Numerosity: The Class Members are believed to be so numerous and
`geographically dispersed that the joinder of all members is
`impractical. Upon information and belief, the number of potentially
`affected individuals is over 300,000.
`(b) Commonality: Plaintiff and the Class Members’ claims raise
`predominantly common fact and legal questions that a class-wide
`proceeding can answer for all Class members, such as:
`i. Whether Defendant had a duty to use reasonable care in
`safeguarding Plaintiff’s and Class Members’ PII and PHI;
`ii. Whether Defendant failed to implement and maintain
`reasonable security procedures and practices appropriate to the
`nature and scope of the information compromised in the Data
`Breach;
`iii. Whether Defendant was negligent in maintaining, protecting,
`and securing PII and PHI;
`iv. Whether Defendant breached contract promises to safeguard
`Plaintiff’s and Class Members’ PII and PHI;
`v. Whether Defendant took reasonable measures to determine the
`extent of the Data Breach after discovering it;
`vi. Whether Defendant’s Breach Notice was reasonable; and
`vii. Whether the Data Breach caused Plaintiff and Class Members
`injuries.
`(c) Typicality: Plaintiff’s claims and damages sought are typical of those
`of other Class Members. Further, Plaintiff seeks relief consistent with
`the relief sought by Class Members.
`(d) Adequacy of Representation: Plaintiff will fairly and adequately
`protect the proposed Class’s interests, and his interests do not conflict
`with Class members’ interests.
`
`FIRST CAUSE OF ACTION
`VIOLATION OF CALIFORNIA’S CONFIDENTIALITY OF MEDICAL
`INFORMATION ACT (“CMIA”)
`(Cal. Civ. Code § 56.10, et seq.)
`(on behalf of Plaintiff and the California Class)
`39. Pursuant to the Confidentiality of Medical Information Act, Cal. Civ.
`Code § 56.10 et seq., “a provider of health care, health care service plan, or contractor
`shall not disclose medical information regarding a patient of the provider of health
`care or an enrollee or subscriber of a health care service plan without first obtaining
`an authorization.”
`40. Under Cal. Civ. Code § 56.101(a), “Every provider of health care… or
`contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes
`of medical information shall do so in a manner that preserves the confidentiality of
`the information contained therein.” Any entity “who negligently creates, maintains,
`preserves, stores, abandons, destroys, or disposes of medical information shall be
`subject to the remedies and penalties provided under subdivisions (b) and (c) of
`Section 56.36.”
`41. Moreover, under Cal. Civ. Code § 56.05(a), “any business organized
`for the purpose of maintaining medical information … in order to make the
`information available to an individual or to a provider of health care at the request
`of the individual or a provider of health care, for purposes of allowing the individual
`to manage his or her information, or for the diagnosis and treatment of the individual,
`shall be deemed to be a provider of health care subject to the requirements of this
`part.”
`42. Here, Defendant provided in-home respiratory care services for its
`patients through a “team of specialized RTs, RNs, pharmacists, and RDs, together
`with high-tech solutions with mobile apps, telehealth, and video education.”12 As
`
`12 https://supercarehealth.com/homepage/who-we-serve/physicians-specialty-groups/
`
`such, under Cal. Civ. Code § 56.05(m), Defendant operates as a provider of health
`care as to Plaintiff and Class Members.
`43. Moreover, Defendant maintained medical information within its
`systems for the purpose of providing medical equipment, telehealth appointments,
`prescription refills, and app-based health care data management. To the extent that
`Defendant may be only providing medical supplies to Plaintiff and Class Members,
`Defendant still qualifies as a medical services organization that qualifies as a
`“contractor” of health care services under Cal. Civ. Code § 56.05(d), and must be
`held to the standards reflected in this statute.
`44. Under Cal. Civ. Code § 56.05(l), “medical information” refers to “any
`individually identifiable information, in electronic or physical form, in possession
`of or derived from a provider of health care… or contractor regarding a patient’s
`medical history, mental or physical condition, or treatment.” Further, “individually
`identifiable” refers to “medical information [that] includes or contains any element
`of personal identifying information sufficient to allow identification of the
`individual, such as the patient’s name, address, electronic mail address, telephone
`number, or social security number, or other information that, alone or in combination
`with other publicly available information, reveals the identity of the individual.”
`45. Here, Defendant maintained, preserved, and stored Plaintiff’s and the
`California Class’s “medical information,” as defined under Cal. Civ. Code §
`56.05(l), such as testing/diagnostic/treatment information, other health-related
`information, and claim information. This information — coupled with individually
`identifiable information regarding the Plaintiff and the California Class, such as
`names, addresses, and dates of birth — together, could reveal the identity of Plaintiff
`and the California Class.
`46. Under Cal. Civ. Code § 56.05(j), a “patient” refers to “a natural person,
`whether or not still living, who received health care services from a provider of
`health care and to whom medical information pertains.” Here, Plaintiff and the
`California Class are “patients” as defined by Cal. Civ. Code § 56.05(k) because they
`receive medical treatment and services from Defendant and its health care partners,
`and the medical information implicated in this Data Breach is directly related to
`them.
`47. Thus, as Defendant is bound by CMIA standards, Defendant owed a
`duty to preserve the confidentiality of Plaintiff’s and the California Class’s medical
`information and to not allow their medical information to be released and viewed by
`unauthorized persons.
`48. Defendant breached its duty owed to Plaintiff and the California Class
`by failing to implement fair, reasonable, or adequate computer systems and data
`security policies to safeguard Plaintiff’s and California Class Members’ medical
`information, and by allowing that PHI to be released and viewed by unauthorized
`persons.
`49. The resulting unauthorized access and potential acquisition of
`Plaintiff’s and California Class Members’ PHI to unauthorized hackers during the
`Data Breach was an affirmative communicative act in violation of Cal. Civ. Code §
`56.101(a). Further, Plaintiff’s and California Class Members’ PHI was viewed by
`the unauthorized hackers as a direct and proximate result of Defendant’s violation
`of Cal. Civ. Code § 56.101(a).
`50. Further, Plaintiff’s and California Class Members’ PHI that was subject
`to the Data Breach included “electronic medical records” or “electronic health
`records” as referenced by Cal. Civ. Code § 56.101(c).
`51. Under Cal. Civ. Code § 56.101(b)(1)(A), a proper electronic health
`record system or electronic medical record system must “[p]rotect and preserve the
`integrity of electronic medical information.” Here, Defendant negligently created,
`maintained, preserved, stored, abandoned, destroyed, or disposed of medical
`information, which ultimately resulted in Plaintiff’s and California Class Members’
`PHI being viewed by unauthorized hackers in the Data Breach. Thus, the Data
`Breach was a direct and proximate result of Defendant’s violation of Cal. Civ. Code
`§ 56.101.
`52. Under Cal. Civ. Code § 56.101(b)(1)(B), a proper electronic health
`record system or electronic medical record system must “[a]utomatically record and
`preserve any change or deletion of any electronically stored medical information.
`The record of any change or deletion shall include the identity of the person who
`accessed and changed the medical information, the date and time the medical
`information was accessed, and the change that was made to the medical
`information.”
`53. Here, Defendant’s electronic health record system or electronic medical
`record system failed to automatically record and preserve any actual or potential
`change or deletion of any electronically stored medical information, in violation of
`Cal. Civ. Code § 56.101(b)(1)(B).
`54. Further, Defendant’s electronic health record system or electronic
`medical record system failed to record the identity of persons who actually or
`potentially accessed and changed medical information, failed to record the date and
`time medical information was accessed and failed to record any actual or potential
`changes that were made to medical information, in violation of Cal. Civ. Code §
`56.101(b)(1)(B).
`55. Under Cal. Civ. Code § 56.10(e), a health care provider “shall not
`further disclose medical information regarding a patient of the provider of health
`care or an enrollee or subscriber of a health care service plan or insurer or self-
`insured employer received under this section to a person or entity that is not engaged
`in providing direct health care services to the patient or his or her provider of health
`care or health care service plan or insurer or self-insured employer.”
`56. Here, Defendant disclosed Plaintiff’s and California Class Members’
`PHI to persons or entities not engaged in providing direct health care services to
`Plaintiff or California Class Members or their providers of health care or health
`care service plans or insurers or self-insured employers, in violation of § 56.10(e).
`57. The foregoing violations of CMIA resulted from Defendant’s
`affirmative actions, and Defendant knew or should have known it had inadequate
`computer systems and data security practices to safeguard such information.
`Defendant knew or should have known of the risks inherent in collecting and storing
`the protected medical information of Plaintiff and members of the California Class.
`58. The injury and harm Plaintiff and members of the California Class
`suffered was the reasonably foreseeable result of Defendant’s breach of its duties.
`Defendant knew or should have known that it was failing to meet its duties and its
`breach would cause Plaintiff and members of the California Class to suffer the
`foreseeable harms associated with the exposure of their PHI.
`59. As a direct and proximate result of Defendant’s negligent conduct,
`Plaintiff and members of the California Class now face an increased risk of future
`harm.
`
`60. Under Cal. Civ. Code § 56.36(b), an individual may bring an action
`against a person or entity who has negligently released confidential information or
`records concerning him or her in violation of this part, for either or both of the
`following: “(1) … nominal damages of one thousand dollars ($1,000). In order to
`recover under this paragraph, it is not necessary that the plaintiff suffered or was
`threatened with actual damages” and “(2) The amount of actual damages, if any,
`sustained by the patient.”
`61. Here, Defendant negligently released confidential information or
`records concerning Plaintiff’s and California Class Members’ PHI in violation of
`Cal. Civ. Code § 56.36(b). As such, Plaintiff and California Class Members are
`entitled to bring an action for damages against Defendant.
`62. As a direct and proximate result of Defendant’s violation of Cal. Civ.
`Code § 56, et seq., Plaintiff and members of the California Class have suffered injury
`and are entitled to damages in an amount to be proven at trial.
`
`SECOND CAUSE OF ACTION
`VIOLATION OF CALIFORNIA CONSUMER RECORDS ACT
`Cal. Bus. Code § 1798.80, et seq.
`(on behalf of Plaintiff and the California Class)
`63. Plaintiff hereby re-alleges and incorporates by reference the above
`allegations as if fully set forth herein.
`64. California Civil Code section 1798.80, et seq., known as the “Customer
`Records Act” (“CRA”) was enacted to “encourage businesses that own, license, or
`maintain personal information about Californians to provide reasonable security for
`that information.” Cal. Civ. Code § 1798.81.5(a)(1).
`65. Under Section 1798.81.5(b), any business that “owns, licenses, or
`maintains personal information about a California resident” is required to “implement
`and maintain reasonable security procedures and practices appropriate to the nature of
`the information,” and “to protect the personal information from unauthorized access,
`destruction, use, modification, or disclosure.”
`66. Defendant was and still is a “business” under the terms of the CRA as a
`corporation operating in the State of California that collected personal information of
`Plaintiff and Class Members. Further, Defendant satisfies at least one of the
`requirements of Section 1798.140(c), as it “receives for the business’ commercial
`purposes … or shares for commercial purposes… the personal information of 50,000
`or more consumers, households, or devices.”
`67. Section 1798.81.5(d)(1)(B) defines “personal information” as including
`an individual’s first name or first initial and the individual’s last name in combination
`with any one or more of the following data elements, when either the name or the data
`elements are not encrypted or redacted. This includes, but is not limited to, an
`individual’s social security number; driver’s license number; California identification
`card number; medical information, such as an individual’s medical history or medical
`treatment or diagnosis by a health care professional; health insurance information,
`such as individual’s insurance policy number or subscriber identification number, any
`unique identifier used by a health insurer to identify the individual, or any information
`in an individu