Exhibit A to Notice of Removal

35-2021-CA-001536-AXXX-XX
Case 5:21-cv-00508 Document 1-1 Filed 10/14/21 Page 2 of 49 PageID 23
Filing # 134054313 E-Filed 09/03/2021 05:30:50 PM

IN THE CIRCUIT COURT FOR THE FIFTH JUDICIAL CIRCUIT IN AND FOR LAKE COUNTY, FLORIDA

CHRYSTAL HOLMES, on behalf of herself and all others similarly situated,

Plaintiff,

vs.

THE VILLAGES TRI-COUNTY MEDICAL CENTER, INC. d/b/a UF HEALTH CENTRAL FLORIDA,

LEESBURG REGIONAL MEDICAL CENTER, INC. d/b/a UF HEALTH CENTRAL FLORIDA,

and

CENTRAL FLORIDA HEALTH, INC. d/b/a UF HEALTH CENTRAL FLORIDA,

Defendants.

Case No.:

CLASS ACTION COMPLAINT

DEMAND FOR JURY TRIAL

Plaintiff Chrystal Holmes (“Plaintiff”), individually and on behalf of all others similarly situated, brings this Class Action Complaint against The Villages Tri-County Medical Center, Inc. d/b/a UF Health Central Florida, Leesburg Regional Medical Center, Inc. d/b/a UF Health Central Florida (“Leesburg Hospital”), and Central Florida Health, Inc. d/b/a UF Health Central Florida (collectively, “Defendants”), and alleges, upon personal knowledge as to her own actions and her counsels’ investigations, and upon information and belief as to all other matters, as follows:

I. INTRODUCTION

1. Plaintiff brings this class action against Defendants for their failure to properly secure and safeguard personal identifiable information that they acquired from their patients. Defendants required this information from their patients or recorded this information for their patients as a condition or result of medical treatment, including without limitation, names, addresses, dates of birth, and/or Social Security numbers (collectively, “personal identifiable information” or “PII”) as well as health insurance information, medical record numbers, patient account numbers, and/or limited treatment information (collectively, “protected health information” or “PHI”).

FILED: LAKE COUNTY, GARY J. COONEY, CLERK, 09/07/2021 03:18:51 PM

2. Defendants are the registered owners of the fictitious name “UF Health Central Florida” (“UFHCF”) and individually and collectively operate under this fictitious name.

3. UFHCF is a health care system that “care[s] for patients in Lake, Sumter, and Marion counties through inpatient acute hospital services at UF Health The Villages® Hospital and UF Health Leesburg Hospital, inpatient rehabilitation services at UF Health The Villages® Rehabilitation Hospital, adult inpatient psychiatric services at the UF Health Leesburg Hospital Senior Behavioral Health Center and diagnostic laboratory services at several locations.”¹

1 See “About Us”, https://www.centralfloridahealth.org/ (last visited Aug. 30, 2021).

4. In order to obtain medical treatment, Plaintiff and other patients of UFHCF entrust and provide to UFHCF an extensive amount of PII. UFHCF also records an extensive amount of PHI regarding its patients, including treatment information. UFHCF retains this information on computer hardware—even long after the treatment relationship ends. UFHCF acknowledges that it understands the importance of protecting information.

5. On or around May 29 to May 31, 2021, an unauthorized actor obtained unauthorized access to UFHCF’s computer network as part of a ransomware attack (the “Cybersecurity Event”).

6. The unauthorized actor may have accessed the PII and PHI of UFHCF’s current and former patients, including Plaintiff and Class Members.

7. In a “Notice to Our Patients of Cybersecurity Event” posted on its website (the “Website Notice”), UFHCF advised that it was informing its current and former patients of the Cybersecurity Event and mailing them letters.

8. By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class Members’ PII, UFHCF assumed legal and equitable duties to those individuals. UFHCF admits that the unencrypted PII and PHI exposed to “unauthorized activity” included names, addresses, dates of birth, and/or Social Security numbers as well as health insurance information, medical record numbers, patient account numbers, and/or limited treatment information.

9. The exposed PII and PHI of UFHCF’s current and former patients can be sold on the dark web. Hackers can access and then offer for sale the unencrypted, unredacted PII and PHI to criminals. UFHCF’s current and former patients face a lifetime risk of identity theft, which is heightened here by the loss of Social Security numbers.

10. This PII and PHI was compromised due to UFHCF’s negligent and/or careless acts and omissions and the failure to protect PII and PHI of UFHCF’s current and former patients.

11. Until notified of the breach, Plaintiff and Class Members had no idea their PII and PHI had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm. The risk will remain for their respective lifetimes.

12. Plaintiff brings this action on behalf of all persons whose PII and/or PHI was compromised as a result of UFHCF’s failure to: (i) adequately protect the PII and PHI of UFHCF’s current and former patients; (ii) warn UFHCF’s current and former patients of UFHCF’s inadequate information security practices; and (iii) effectively secure hardware containing protected PII and PHI using reasonable and effective security procedures free of vulnerabilities and incidents. UFHCF’s conduct amounts to negligence and violates federal and state statutes.

13. Plaintiff and Class Members have suffered injury as a result of UFHCF’s conduct. These injuries include: (i) lost or diminished value of PII and PHI; (ii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII and PHI; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the Cybersecurity Event, including but not limited to lost time, and significantly (iv) the continued and certainly an increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) may remain backed up in UFHCF’s possession and is subject to further unauthorized disclosures so long as UFHCF fails to undertake appropriate and adequate measures to protect the PII and PHI, and at the very least, are entitled to nominal damages.

14. UFHCF disregarded the rights of Plaintiff and Class Members by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that UFHCF’s current and former patients’ PII and PHI was safeguarded, failing to take available steps to prevent an unauthorized disclosure of data, and failing to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use. As the result, the PII and PHI of Plaintiff and Class Members was compromised through disclosure to an unknown and unauthorized third party. Plaintiff and Class Members have a continuing interest in ensuring that their information is and remains safe, and they should be entitled to injunctive and other equitable relief.

II. PARTIES

15. Plaintiff Chrystal Holmes is a citizen of Florida residing in Lake County, Florida. On or around July 30, 2021, Plaintiff Holmes received UFHCF’s letter notifying her of the Cybersecurity Event.

16. Defendant The Villages Tri-County Medical Center, Inc. d/b/a UF Health Central Florida is a corporation organized under the laws of Florida, headquartered at 1451 El Camino Real, The Villages, FL, with its principal place of business in The Villages, FL.

17. Defendant Leesburg Regional Medical Center, Inc. d/b/a UF Health Central Florida is a corporation organized under the laws of Florida, headquartered at 600 E. Dixie Avenue, Leesburg, FL, with its principal place of business in Leesburg, FL.

18. Defendant Central Florida Health, Inc. d/b/a UF Health Central Florida is a corporation organized under the laws of Florida, headquartered at 410 Childs St., Leesburg, FL, with its principal place of business in Leesburg, FL.

19. The true names and capacities of persons or entities, whether individual, corporate, associate, or otherwise, who may be responsible for some of the claims alleged herein are currently unknown to Plaintiff. Plaintiff will seek leave of court to amend this complaint to reflect the true names and capacities of such other responsible parties when their identities become known.

20. All of Plaintiff’s claims stated herein are asserted against UFHCF and any of their owners, predecessors, successors, subsidiaries, agents and/or assigns.

III. JURISDICTION AND VENUE

21. The Court has subject matter jurisdiction over Plaintiff’s claims under Florida Stat. § 26.012 and § 86.011. This Court has jurisdiction over this dispute because this complaint seeks damages in excess of $30,000.00 dollars, exclusive of interest and attorneys’ fees.

22. The Court has personal jurisdiction over Defendants under Florida Stat. § 48.193, because Defendants personally or through their agents operated, conducted, engaged in, or carried on a business or business venture in Florida; had offices in Florida; committed tortious acts in Florida; and/or breached a contract in Florida by failing to perform acts required by the contract to be performed in Florida.

23. Venue is proper in Lake County pursuant to Florida Stat. § 47.011 and § 47.051 because Defendants are headquartered and do business in Lake County, the cause of action accrued in Lake County, and/or Defendants have offices for the transaction of their customary business in Lake County.

IV. FACTUAL ALLEGATIONS

Background

24. UFHCF operates dozens of medical facilities throughout Florida under a variety of fictitious names, including AdventHealth Medical Group Surgical Specialists at Tampa.

25. Plaintiff and Class Members treated by UFHCF were required to provide some of their most sensitive and confidential information, including names, addresses, dates of birth, and/or Social Security numbers as well as health insurance information, medical record numbers, patient account numbers, and/or limited treatment information. This information is static, does not change, and can be used to commit myriad financial crimes.

26. In providing treatment to Plaintiff and Class Members, UFHCF generated and retained additional sensitive personal information about Plaintiff and Class Members, including medications lists and clinical documentation/notes.

27. Plaintiff and Class Members, as current and former patients, relied on UFHCF to keep their PII and PHI confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information. UFHCF’s current and former patients demand security to safeguard their PII and PHI.

28. UFHCF had a duty to adopt reasonable measures to protect Plaintiff’s and Class Members’ PII and PHI from involuntary disclosure to third parties.

The Cybersecurity Event

29. Defendant Leesburg Hospital posted a “Privacy policy” on its website (the “Privacy Notice”), effective April 14, 2003 and revised February 17, 2010 and September 23, 2013.²

30. The Privacy Notice states that “[a]ll of the UF Health Central Florida's entities, sites and locations follow the terms of this notice, including but not limited to: UF Health Leesburg Hospital, UF Health The Villages® Hospital, UF Health The Villages® Hospital Rehabilitation Hospital, UF Health Leesburg Hospital Urgent Care Center, UF Health Alliance Laboratory, and all other affiliated sites and locations.”³

31. The Privacy Notice states “[w]e understand that medical information about you and your health is personal. We are committed to protecting that medical information.”⁴

32. The Privacy Notice states “[w]e are required by law to make sure that health-related information that identifies you is kept private.”⁵

2 Ex. 1, available at https://www.leesburgregional.org/privacy-policy/ (last visited August 30, 2021).

3 Id.

4 Id.

5 Id.

33. Prior to the Cybersecurity Event, UFHCF should have (i) encrypted or tokenized the sensitive PII and PHI of Plaintiff and the Nationwide Class, (ii) deleted such PII and PHI that it no longer had reason to maintain, (iii) eliminated the potential accessibility of the PII and PHI from the Internet, and (iv) otherwise reviewed and improved the security of its computer system.

34. Prior to the Cybersecurity Event, UFHCF did not (i) encrypt or tokenize the sensitive PII and PHI of Plaintiff and the Nationwide Class, (ii) delete such PII and PHI that it no longer had reason to maintain, (iii) eliminate the potential accessibility of the PII and PHI from the Internet, and (iv) otherwise review and improve the security of its computer system.

35. On or around July 30, 2021, UFHCF posted the Website Notice.⁶ The Website Notice provided, in part, as follows:

On May 31, 2021, UF Health Central Florida — including UF Health Leesburg Hospital and UF Health The Villages® Hospital — detected unusual activity involving its computer systems. We took immediate action to contain the event, including reporting it to law enforcement and launching an investigation with independent experts. UF Health’s Gainesville or Jacksonville campuses were not affected.

The investigation determined that unauthorized access to UF Health Central Florida’s computer network occurred between May 29 and May 31, 2021. During this brief time period, some patient information may have been accessible, such as names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, as well as limited treatment information used by UF Health for its business operations. UF Health’s electronic medical records were not involved or accessed.

We have no reason to believe the information was further used or disclosed; however, on July 30, 2021, we began mailing letters to individuals whose data may have been involved and, as a precautionary measure, are offering them complimentary credit monitoring and identity protection services. Patients are also encouraged to review statements from their health insurer, and to contact them immediately if they see any services they did not receive. We also established a dedicated call center for patients to call with questions. If you believe you are affected, but do not receive a letter by Aug. 16, 2021, please call 1-833-909-3926 between 9 a.m. and 9 p.m. Eastern Time Monday through Friday.⁷

6 Ex. 2, available at https://www.leesburgregional.org/notice-to-our-patients-of-cybersecurity-event/ (last visited Aug. 30, 2021).

7 Id. at 1.

36. UFHCF admitted in the Website Notice that unauthorized third persons may have accessed sensitive information about current and former patients of UFHCF, including names, addresses, dates of birth, and/or Social Security numbers as well as health insurance information, medical record numbers, patient account numbers, and/or limited treatment information.

37. Plaintiff’s and Class Members’ unencrypted information may end up for sale on the dark web, or simply fall into the hands of companies that will use the detailed PII and PHI for targeted marketing without the approval of the affected current and former patients. Unauthorized individuals can easily access the PII and PHI of UFHCF’s current and former patients.

38. UFHCF did not use reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted information it was maintaining for current and former patients, causing the exposure of PII and PHI for more than 700,000 individuals.

39. As explained by the Federal Bureau of Investigation, “[p]revention is the most effective defense against ransomware and it is critical to take precautions for protection.”⁸

8 See How to Protect Your Networks from RANSOMWARE, at 3, available at https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view (last visited Mar. 15, 2021).

40. To prevent and detect ransomware attacks, including the ransomware attack that resulted in the Cybersecurity Event, Defendants could and should have implemented, as recommended by the United States Government, the following measures:

• Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.

• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

• Configure firewalls to block access to known malicious IP addresses.

• Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.

• Set anti-virus and anti-malware programs to conduct regular scans automatically.

• Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.

• Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.

• Disable macro scripts from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.

• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.

• Consider disabling Remote Desktop protocol (RDP) if it is not being used.

• Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.

• Execute operating system environments or specific programs in a virtualized environment.

• Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.⁹

9 Id. at 3-4.

41. To prevent and detect ransomware attacks, including the ransomware attack that resulted in the Cybersecurity Event, Defendants could and should have implemented, as recommended by the United States Cybersecurity & Infrastructure Security Agency, the following measures:

• Update and patch your computer. Ensure your applications and operating systems (OSs) have been updated with the latest patches. Vulnerable applications and OSs are the target of most ransomware attacks....

• Use caution with links and when entering website addresses. Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact your organization's helpdesk, search the internet for the sender organization’s website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different domain (e.g., .com instead of .net)....

• Open email attachments with caution. Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.

• Keep your personal information safe. Check a website’s security to ensure the information you submit is encrypted before you provide it....

• Verify email senders. If you are unsure whether or not an email is legitimate, try to verify the email’s legitimacy by contacting the sender directly. Do not click on any links in the email. If possible, use a previous (legitimate) email to ensure the contact information you have for the sender is authentic before you contact them.

• Inform yourself. Keep yourself informed about recent cybersecurity threats and up to date on ransomware techniques. You can find information about known phishing attacks on the Anti-Phishing Working Group website. You may also want to sign up for CISA product notifications, which will alert you when a new Alert, Analysis Report, Bulletin, Current Activity, or Tip has been published.

• Use and maintain preventative software programs. Install antivirus software, firewalls, and email filters—and keep them updated—to reduce malicious network traffic....¹⁰

10 See Security Tip (ST19-001) Protecting Against Ransomware (original release date Apr. 11, 2019), available at https://us-cert.cisa.gov/ncas/tips/ST19-001 (last visited Mar. 15, 2021).

42. To prevent and detect ransomware attacks, including the ransomware attack that resulted in the Cybersecurity Event, Defendants could and should have implemented, as recommended by the Microsoft Threat Protection Intelligence Team, the following measures:

Secure internet-facing assets

- Apply latest security updates
- Use threat and vulnerability management
- Perform regular audit; remove privileged credentials;

Thoroughly investigate and remediate alerts

- Prioritize and treat commodity malware infections as potential full compromise;

Include IT Pros in security discussions

- Ensure collaboration among [security operations], [security admins], and [information technology] admins to configure servers and other endpoints securely;

Build credential hygiene

- Use [multifactor authentication] or [network level authentication] and use strong, randomized, just-in-time local admin passwords

Apply principle of least-privilege

- Monitor for adversarial activities
- Hunt for brute force attempts
- Monitor for cleanup of Event Logs
- Analyze logon events

Harden infrastructure

- Use Windows Defender Firewall
- Enable tamper protection
- Enable cloud-delivered protection
- Turn on attack surface reduction rules and [Antimalware Scan Interface] for Office [Visual Basic for Applications].¹¹

11 See Human-operated ransomware attacks: A preventable disaster (Mar 5, 2020), available at https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ (last visited Mar. 15, 2021).

43. Given that Defendants were storing the PII and PHI of more than 700,000 individuals, Defendants could and should have implemented all of the above measures to prevent and detect ransomware attacks.

44. The occurrence of the Cybersecurity Event indicates that Defendants failed to adequately implement one or more of the above measures to prevent ransomware attacks, resulting in the Cybersecurity Event and the exposure of the PII and PHI of more than 700,000 individuals, including Plaintiff and Class Members.

UFHCF Acquires, Collects and Stores Plaintiff’s and Class Members’ PII and PHI.

45. UFHCF acquired, collected, and stored UFHCF’s current and former patients’ PII and PHI.

46. As a condition of maintaining treatment with UFHCF, UFHCF requires that its patients entrust UFHCF with highly confidential PII and PHI.

47. By obtaining, collecting, and storing Plaintiff’s and Class Members’ PII and PHI, UFHCF assumed legal and equitable duties and knew or should have known that they were responsible for protecting Plaintiff’s and Class Members’ PII and PHI from disclosure.

48. Plaintiff and the Class Members have taken reasonable steps to maintain the confidentiality of their PII and PHI. Plaintiff and the Class Members, as current and former patients, relied on the UFHCF to keep their PII and PHI confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information.

Securing PII and PHI and Preventing Breaches

49. UFHCF could have prevented this Cybersecurity Event by properly securing and encrypting Plaintiff’s and Class Members’ PII and PHI, or UFHCF could have destroyed the data, especially old data from former patients that UFHCF had no legal right to retain.

50. UFHCF’s negligence in safeguarding UFHCF’s current and former patients’ PII and PHI is exacerbated by the repeated warnings and alerts directed to protecting and securing sensitive data.

51. Despite the prevalence of public announcements of data breach and data security compromises, UFHCF failed to take appropriate steps to protect the PII and PHI of Plaintiff and the proposed Class from being compromised.

52. The Federal Trade Commission (“FTC”) defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.”¹² The FTC describes “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including, among other things, “[n]ame, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number.”¹³

53. The ramifications of UFHCF’s failure to keep secure UFHCF’s current and former patients’ PII and PHI are long lasting and severe. Once PII and PHI is stolen, particularly Social Security numbers, fraudulent use of that information and damage to victims may continue for years.

12 17 C.F.R. § 248.201 (2013).

13 Id.

Value of Personal Identifiable Information and Protected Health Information

54. The PII and PHI of individuals remains of high value to criminals, as evidenced by the prices they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity credentials. For example, personal information can be sold at a price ranging from $40 to $200, and bank details have a price range of $50 to $200.¹⁴ Experian reports that a stolen credit or debit card number can sell for $5 to $110 on the dark web.¹⁵ Criminals can also purchase access to entire company data breaches from $900 to $4,500.¹⁶

14 Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, Oct. 16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-web-how-much-it-costs/ (last accessed Jan. 26, 2021).

15 Here’s How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec. 6, 2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/ (last accessed Jan. 26, 2021).

16 In the Dark, VPNOverview, 2019, available at: https://vpnoverview.com/privacy/anonymous-browsing/in-the-dark/ (last accessed Jan. 26, 2021).

55. Social Security numbers, for example, are among the most sensitive kind of personal information to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change. The Social Security Administration stresses that the loss of an individual’s Social Security number, as is the case here, can lead to identity theft and extensive financial fraud:

A dishonest person who has your Social Security number can use it to get other personal information about you. Identity thieves can use your number and your good credit to apply for more credit in your name. Then, they use the credit cards and don’t pay the bills, it damages your credit. You may not find out that someone is using your number until you’re turned down for credit, or you begin to get calls from unknown creditors demanding payment for items you never bought. Someone illegally using your Social Security number and assuming your identity can cause a lot of problems.¹⁷

17 Social Security Administration, Identity Theft and Your Social Security Number, available at: https://www.ssa.gov/pubs/EN-05-10064.pdf (last accessed Jan. 26, 2021).

56. What is more, it is no easy task to change or cancel a stolen Social Security number. An individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. In other words, preventive action to defend against the possibility of misuse of a Social Security number is not permitted; an individual must show evidence of actual, ongoing fraud activity to obtain a new number.

57. Even then, a new Social Security number may not be effective. According to Julie Ferguson of the Identity Theft Resource Center, “The credit bureaus and banks are able to link the new number very quickly to the old number, so all of that old bad information is quickly inherited into the new Social Security number.”¹⁸

58. Based on the foregoing, the information compromised in the Cybersecurity Event is significantly more valuable than the loss of, for example, credit card information in a retailer data breach, because, there, victims can cancel or close credit and debit card accounts. The information compromised in this Cybersecurity Event is impossible to “close” and difficult, if not impossible, to change—name, address, date of birth, and Social Security number.

59. This data demands a much higher price on the black market. Martin Walter, senior director at cybersecurity firm RedSeal, explained, “Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x on the black market.”¹⁹

60. Among other forms of fraud, identity thieves may obtain driver’s licenses, government benefits, medical services, and housing or even give false information to police.

61. The PII and PHI of Plaintiff and Class Members was taken by hackers to engage in identity theft and/or to sell it to other criminals who will purchase the PII and PHI for that purpose. The fraudulent activity resulting from the Cybersecurity Event may not come to light for years.

18 Bryan Naylor, Victims of Social Secur