Case 5:21-cv-00508 Document 1-1 Filed 10/14/21 Page 1 of 49 PageID 22
Exhibit A
to
Notice of Removal

35-2021-CA-001536-AXXX-XX
Filing # 134054313 E-Filed 09/03/2021 05:30:50 PM
FILED: LAKE COUNTY, GARY J. COONEY, CLERK, 09/07/2021 03:18:51 PM

IN THE CIRCUIT COURT FOR THE FIFTH JUDICIAL CIRCUIT IN AND FOR LAKE COUNTY, FLORIDA

Case No.:

CLASS ACTION COMPLAINT

DEMAND FOR JURY TRIAL

CHRYSTAL HOLMES, on behalf of herself and all others similarly situated,

Plaintiff,

vs.

THE VILLAGES TRI-COUNTY MEDICAL CENTER, INC. d/b/a UF HEALTH CENTRAL FLORIDA,

LEESBURG REGIONAL MEDICAL CENTER, INC. d/b/a UF HEALTH CENTRAL FLORIDA,

and

CENTRAL FLORIDA HEALTH, INC. d/b/a UF HEALTH CENTRAL FLORIDA,

Defendants.

Plaintiff Chrystal Holmes (“Plaintiff”), individually and on behalf of all others similarly situated, brings this Class Action Complaint against The Villages Tri-County Medical Center, Inc. d/b/a UF Health Central Florida, Leesburg Regional Medical Center, Inc. d/b/a UF Health Central Florida (“Leesburg Hospital”), and Central Florida Health, Inc. d/b/a UF Health Central Florida (collectively, “Defendants”), and alleges, upon personal knowledge as to her own actions and her counsels’ investigations, and upon information and belief as to all other matters, as follows:

I. INTRODUCTION

1. Plaintiff brings this class action against Defendants for their failure to properly secure and safeguard personal identifiable information that they acquired from their patients. Defendants required this information from their patients or recorded this information for their patients as a condition or result of medical treatment, including without limitation, names, addresses, dates of birth, and/or Social Security numbers (collectively, “personal identifiable information” or “PII”) as well as health insurance information, medical record numbers, patient account numbers, and/or limited treatment information (collectively, “protected health information” or “PHI”).

2. Defendants are the registered owners of the fictitious name “UF Health Central Florida” (“UFHCF”) and individually and collectively operate under this fictitious name.

3. UFHCF is a health care system that “care[s] for patients in Lake, Sumter, and Marion counties through inpatient acute hospital services at UF Health The Villages® Hospital and UF Health Leesburg Hospital, inpatient rehabilitation services at UF Health The Villages® Rehabilitation Hospital, adult inpatient psychiatric services at the UF Health Leesburg Hospital Senior Behavioral Health Center and diagnostic laboratory services at several locations.”¹

4. In order to obtain medical treatment, Plaintiff and other patients of UFHCF entrust and provide to UFHCF an extensive amount of PII. UFHCF also records an extensive amount of PHI regarding its patients, including treatment information. UFHCF retains this information on computer hardware—even long after the treatment relationship ends. UFHCF acknowledges that it understands the importance of protecting information.

5. On or around May 29 to May 31, 2021, an unauthorized actor obtained unauthorized access to UFHCF’s computer network as part of a ransomware attack (the “Cybersecurity Event”).

6. The unauthorized actor may have accessed the PII and PHI of UFHCF’s current and former patients, including Plaintiff and Class Members.

¹ See “About Us”, https://www.centralfloridahealth.org/ (last visited Aug. 30, 2021).

7. In a “Notice to Our Patients of Cybersecurity Event” posted on its website (the “Website Notice”), UFHCF advised that it was informing its current and former patients of the Cybersecurity Event and mailing them letters.

8. By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class Members’ PII, UFHCF assumed legal and equitable duties to those individuals. UFHCF admits that the unencrypted PII and PHI exposed to “unauthorized activity” included names, addresses, dates of birth, and/or Social Security numbers as well as health insurance information, medical record numbers, patient account numbers, and/or limited treatment information.

9. The exposed PII and PHI of UFHCF’s current and former patients can be sold on the dark web. Hackers can access and then offer for sale the unencrypted, unredacted PII and PHI to criminals. UFHCF’s current and former patients face a lifetime risk of identity theft, which is heightened here by the loss of Social Security numbers.

10. This PII and PHI was compromised due to UFHCF’s negligent and/or careless acts and omissions and the failure to protect PII and PHI of UFHCF’s current and former patients.

11. Until notified of the breach, Plaintiff and Class Members had no idea their PII and PHI had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm. The risk will remain for their respective lifetimes.

12. Plaintiff brings this action on behalf of all persons whose PII and/or PHI was compromised as a result of UFHCF’s failure to: (i) adequately protect the PII and PHI of UFHCF’s current and former patients; (ii) warn UFHCF’s current and former patients of UFHCF’s inadequate information security practices; and (iii) effectively secure hardware containing protected PII and PHI using reasonable and effective security procedures free of vulnerabilities and incidents. UFHCF’s conduct amounts to negligence and violates federal and state statutes.

13. Plaintiff and Class Members have suffered injury as a result of UFHCF’s conduct. These injuries include: (i) lost or diminished value of PII and PHI; (ii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII and PHI; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the Cybersecurity Event, including but not limited to lost time, and significantly (iv) the continued and certainly an increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) may remain backed up in UFHCF’s possession and is subject to further unauthorized disclosures so long as UFHCF fails to undertake appropriate and adequate measures to protect the PII and PHI, and at the very least, are entitled to nominal damages.

14. UFHCF disregarded the rights of Plaintiff and Class Members by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that UFHCF’s current and former patients’ PII and PHI was safeguarded, failing to take available steps to prevent an unauthorized disclosure of data, and failing to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use. As the result, the PII and PHI of Plaintiff and Class Members was compromised through disclosure to an unknown and unauthorized third party. Plaintiff and Class Members have a continuing interest in ensuring that their information is and remains safe, and they should be entitled to injunctive and other equitable relief.

II. PARTIES

15. Plaintiff Chrystal Holmes is a citizen of Florida residing in Lake County, Florida. On or around July 30, 2021, Plaintiff Holmes received UFHCF’s letter notifying her of the Cybersecurity Event.

16. Defendant The Villages Tri-County Medical Center, Inc. d/b/a UF Health Central Florida is a corporation organized under the laws of Florida, headquartered at 1451 El Camino Real, The Villages, FL, with its principal place of business in The Villages, FL.

17. Defendant Leesburg Regional Medical Center, Inc. d/b/a UF Health Central Florida is a corporation organized under the laws of Florida, headquartered at 600 E. Dixie Avenue, Leesburg, FL, with its principal place of business in Leesburg, FL.

18. Defendant Central Florida Health, Inc. d/b/a UF Health Central Florida is a corporation organized under the laws of Florida, headquartered at 410 Childs St., Leesburg, FL, with its principal place of business in Leesburg, FL.

19. The true names and capacities of persons or entities, whether individual, corporate, associate, or otherwise, who may be responsible for some of the claims alleged herein are currently unknown to Plaintiff. Plaintiff will seek leave of court to amend this complaint to reflect the true names and capacities of such other responsible parties when their identities become known.

20. All of Plaintiff’s claims stated herein are asserted against UFHCF and any of their owners, predecessors, successors, subsidiaries, agents and/or assigns.

III. JURISDICTION AND VENUE

21. The Court has subject matter jurisdiction over Plaintiff’s claims under Florida Stat. § 26.012 and § 86.011. This Court has jurisdiction over this dispute because this complaint seeks damages in excess of $30,000.00 dollars, exclusive of interest and attorneys’ fees.

22. The Court has personal jurisdiction over Defendants under Florida Stat. § 48.193, because Defendants personally or through their agents operated, conducted, engaged in, or carried on a business or business venture in Florida; had offices in Florida; committed tortious acts in Florida; and/or breached a contract in Florida by failing to perform acts required by the contract to be performed in Florida.

23. Venue is proper in Lake County pursuant to Florida Stat. § 47.011 and § 47.051 because Defendants are headquartered and do business in Lake County, the cause of action accrued in Lake County, and/or Defendants have offices for the transaction of their customary business in Lake County.

IV. FACTUAL ALLEGATIONS

Background

24. UFHCF operates dozens of medical facilities throughout Florida under a variety of fictitious names, including AdventHealth Medical Group Surgical Specialists at Tampa.

25. Plaintiff and Class Members treated by UFHCF were required to provide some of their most sensitive and confidential information, including names, addresses, dates of birth, and/or Social Security numbers as well as health insurance information, medical record numbers, patient account numbers, and/or limited treatment information. This information is static, does not change, and can be used to commit myriad financial crimes.

26. In providing treatment to Plaintiff and Class Members, UFHCF generated and retained additional sensitive personal information about Plaintiff and Class Members, including medications lists and clinical documentation/notes.

27. Plaintiff and Class Members, as current and former patients, relied on UFHCF to keep their PII and PHI confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information. UFHCF’s current and former patients demand security to safeguard their PII and PHI.

28. UFHCF had a duty to adopt reasonable measures to protect Plaintiff's and Class Members’ PII and PHI from involuntary disclosure to third parties.

The Cybersecurity Event

29. Defendant Leesburg Hospital posted a “Privacy policy” on its website (the “Privacy Notice”), effective April 14, 2003 and revised February 17, 2010 and September 23, 2013.²

30. The Private Notice states that “[a]ll of the UF Health Central Florida's entities, sites and locations follow the terms of this notice, including but not limited to: UF Health Leesburg Hospital, UF Health The Villages® Hospital, UF Health The Villages® Hospital Rehabilitation Hospital, UF Health Leesburg Hospital Urgent Care Center, UF Health Alliance Laboratory, and all other affiliated sites and locations.”³

31. The Privacy Notice states “[w]e understand that medical information about you and your health is personal. We are committed to protecting that medical information.”⁴

32. The Privacy Notice states “[w]e are required by law to make sure that health-related information that identifies you is kept private.”⁵

33. Prior to the Cybersecurity Event, UFHCF should have (i) encrypted or tokenized the sensitive PII and PHI of Plaintiff and the Nationwide Class, (ii) deleted such PII and PHI that it no longer had reason to maintain, (iii) eliminated the potential accessibility of the PII and PHI from the Internet, and (iv) otherwise reviewed and improved the security of its computer system.

34. Prior to the Cybersecurity Event, UFHCF did not (i) encrypt or tokenize the sensitive PII and PHI of Plaintiff and the Nationwide Class, (ii) delete such PII and PHI that it no longer had reason to maintain, (iii) eliminate the potential accessibility of the PII and PHI from the Internet, and (iv) otherwise review and improve the security of its computer system.

² Ex. 1, available at https://www.leesburgregional.org/privacy-policy/ (last visited August 30, 2021).

³ Id.

⁴ Id.

⁵ Id.

35. On or around July 30, 2021, UFHCF posted the Website Notice.⁶ The Website Notice provided, in part, as follows:

On May 31, 2021, UF Health Central Florida — including UF Health Leesburg Hospital and UF Health The Villages® Hospital — detected unusual activity involving its computer systems. We took immediate action to contain the event, including reporting it to law enforcement and launching an investigation with independent experts. UF Health’s Gainesville or Jacksonville campuses were not affected.

The investigation determined that unauthorized access to UF Health Central Florida’s computer network occurred between May 29 and May 31, 2021. During this brief time period, some patient information may have been accessible, such as names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, as well as limited treatment information used by UF Health for its business operations. UF Health’s electronic medical records were not involved or accessed.

We have no reason to believe the information was further used or disclosed; however, on July 30, 2021, we began mailing letters to individuals whose data may have been involved and, as a precautionary measure, are offering them complimentary credit monitoring and identity protection services. Patients are also encouraged to review statements from their health insurer, and to contact them immediately if they see any services they did not receive. We also established a dedicated call center for patients to call with questions. If you believe you are affected, but do not receive a letter by Aug. 16, 2021, please call 1-833-909-3926 between 9 a.m. and 9 p.m. Eastern Time Monday through Friday.⁷

36. UFHCF admitted in the Website Notice that unauthorized third persons may have accessed sensitive information about current and former patients of UFHCF, including names, addresses, dates of birth, and/or Social Security numbers as well as health insurance information, medical record numbers, patient account numbers, and/or limited treatment information.

⁶ Ex. 2, available at https://www.leesburgregional.org/notice-to-our-patients-of-cybersecurity-event/ (last visited Aug. 30, 2021).

⁷ Id. at 1.

37. Plaintiff's and Class Members’ unencrypted information may end up for sale on the dark web, or simply fall into the hands of companies that will use the detailed PII and PHI for targeted marketing without the approval of the affected current and former patients. Unauthorized individuals can easily access the PII and PHI of UFHCF’s current and former patients.

38. UFHCF did not use reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted information it was maintaining for current and former patients, causing the exposure of PII and PHI for more than 700,000 individuals.

39. As explained by the Federal Bureau of Investigation, “[p]revention is the most effective defense against ransomware and it is critical to take precautions for protection.”⁸

40. To prevent and detect ransomware attacks, including the ransomware attack that resulted in the Cybersecurity Event, Defendants could and should have implemented, as recommended by the United States Government, the following measures:

• Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.

• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

• Configure firewalls to block access to known malicious IP addresses.

• Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.

• Set anti-virus and anti-malware programs to conduct regular scans automatically.

• Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.

• Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.

• Disable macro scripts from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.

• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.

• Consider disabling Remote Desktop protocol (RDP) if it is not being used.

• Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.

• Execute operating system environments or specific programs in a virtualized environment.

• Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.⁹

41. To prevent and detect ransomware attacks, including the ransomware attack that resulted in the Cybersecurity Event, Defendants could and should have implemented, as recommended by the United States Cybersecurity & Infrastructure Security Agency, the following measures:

• Update and patch your computer. Ensure your applications and operating systems (OSs) have been updated with the latest patches. Vulnerable applications and OSs are the target of most ransomware attacks....

• Use caution with links and when entering website addresses. Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact your organization's helpdesk, search the internet for the sender organization’s website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different domain (e.g., .com instead of .net)....

• Open email attachments with caution. Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.

• Keep your personal information safe. Check a website’s security to ensure the information you submit is encrypted before you provide it....

• Verify email senders. If you are unsure whether or not an email is legitimate, try to verify the email’s legitimacy by contacting the sender directly. Do not click on any links in the email. If possible, use a previous (legitimate) email to ensure the contact information you have for the sender is authentic before you contact them.

• Inform yourself. Keep yourself informed about recent cybersecurity threats and up to date on ransomware techniques. You can find information about known phishing attacks on the Anti-Phishing Working Group website. You may also want to sign up for CISA product notifications, which will alert you when a new Alert, Analysis Report, Bulletin, Current Activity, or Tip has been published.

• Use and maintain preventative software programs. Install antivirus software, firewalls, and email filters—and keep them updated—to reduce malicious network traffic....¹⁰

⁸ See How to Protect Your Networks from RANSOMWARE, at 3, available at https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view (last visited Mar. 15, 2021).

⁹ Id. at 3-4.

42. To prevent and detect ransomware attacks, including the ransomware attack that resulted in the Cybersecurity Event, Defendants could and should have implemented, as recommended by the Microsoft Threat Protection Intelligence Team, the following measures:

Secure internet-facing assets

- Apply latest security updates
- Use threat and vulnerability management
- Perform regular audit; remove privileged credentials;

Thoroughly investigate and remediate alerts

- Prioritize and treat commodity malware infections as potential full compromise;

Include IT Pros in security discussions

- Ensure collaboration among [security operations], [security admins], and [information technology] admins to configure servers and other endpoints securely;

Build credential hygiene

- Use [multifactor authentication] or [network level authentication] and use strong, randomized, just-in-time local admin passwords

Apply principle of least-privilege

- Monitor for adversarial activities
- Hunt for brute force attempts
- Monitor for cleanup of Event Logs
- Analyze logon events

Harden infrastructure

- Use Windows Defender Firewall
- Enable tamper protection
- Enable cloud-delivered protection
- Turn on attack surface reduction rules and [Antimalware Scan Interface] for Office [Visual Basic for Applications].¹¹

43. Given that Defendants were storing the PII and PHI of more than 700,000 individuals, Defendants could and should have implemented all of the above measures to prevent and detect ransomware attacks.

44. The occurrence of the Cybersecurity Event indicates that Defendants failed to adequately implement one or more of the above measures to prevent ransomware attacks, resulting in the Cybersecurity Event and the exposure of the PII and PHI of more than 700,000 individuals, including Plaintiff and Class Members.

¹⁰ See Security Tip (ST19-001) Protecting Against Ransomware (original release date Apr. 11, 2019), available at https://us-cert.cisa.gov/ncas/tips/ST19-001 (last visited Mar. 15, 2021).

¹¹ See Human-operated ransomware attacks: A preventable disaster (Mar 5, 2020), available at https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ (last visited Mar. 15, 2021).

UFHCF Acquires, Collects and Stores Plaintiff's and Class Members’ PII and PHI.

45. UFHCF acquired, collected, and stored UFHCF’s current and former patients’ PII and PHI.

46. As a condition of maintaining treatment with UFHCF, UFHCF requires that its patients entrust UFHCF with highly confidential PII and PHI.

47. By obtaining, collecting, and storing Plaintiff's and Class Members’ PII and PHI, UFHCF assumed legal and equitable duties and knew or should have known that they were responsible for protecting Plaintiff's and Class Members’ PII and PHI from disclosure.

48. Plaintiff and the Class Members have taken reasonable steps to maintain the confidentiality of their PII and PHI. Plaintiff and the Class Members, as current and former patients, relied on the UFHCF to keep their PII and PHI confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information.

Securing PII and PHI and Preventing Breaches

49. UFHCF could have prevented this Cybersecurity Event by properly securing and encrypting Plaintiff's and Class Members’ PII and PHI, or UFHCF could have destroyed the data, especially old data from former patients that UFHCF had no legal right to retain.

50. UFHCF’s negligence in safeguarding UFHCF’s current and former patients’ PII and PHI is exacerbated by the repeated warnings and alerts directed to protecting and securing sensitive data.

51. Despite the prevalence of public announcements of data breach and data security compromises, UFHCF failed to take appropriate steps to protect the PII and PHI of Plaintiff and the proposed Class from being compromised.

52. The Federal Trade Commission (“FTC”) defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.”¹² The FTC describes “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including, among other things, “[n]ame, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number.”¹³

53. The ramifications of UFHCF’s failure to keep secure UFHCF’s current and former patients’ PII and PHI are long lasting and severe. Once PII and PHI is stolen, particularly Social Security numbers, fraudulent use of that information and damage to victims may continue for years.

Value of Personal Identifiable Information and Protected Health Information

54. The PII and PHI of individuals remains of high value to criminals, as evidenced by the prices they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity credentials. For example, personal information can be sold at a price ranging from $40 to $200, and bank details have a price range of $50 to $200.¹⁴ Experian reports that a stolen credit or debit card number can sell for $5 to $110 on the dark web.¹⁵ Criminals can also purchase access to entire company data breaches from $900 to $4,500.¹⁶

¹² 17 C.F.R. § 248.201 (2013).

¹³ Id.

¹⁴ Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, Oct. 16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-web-how-much-it-costs/ (last accessed Jan. 26, 2021).

55. Social Security numbers, for example, are among the most sensitive kind of personal information to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change. The Social Security Administration stresses that the loss of an individual’s Social Security number, as is the case here, can lead to identity theft and extensive financial fraud:

A dishonest person who has your Social Security number can use it to get other personal information about you. Identity thieves can use your number and your good credit to apply for more credit in your name. Then, they use the credit cards and don’t pay the bills, it damages your credit. You may not find out that someone is using your number until you’re turned down for credit, or you begin to get calls from unknown creditors demanding payment for items you never bought. Someone illegally using your Social Security number and assuming your identity can cause a lot of problems.¹⁷

56. What is more, it is no easy task to change or cancel a stolen Social Security number. An individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. In other words, preventive action to defend against the possibility of misuse of a Social Security number is not permitted; an individual must show evidence of actual, ongoing fraud activity to obtain a new number.

57. Even then, a new Social Security number may not be effective. According to Julie Ferguson of the Identity Theft Resource Center, “The credit bureaus and banks are able to link the new number very quickly to the old number, so all of that old bad information is quickly inherited into the new Social Security number.”¹⁸

¹⁵ Here’s How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec. 6, 2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/ (last accessed Jan. 26, 2021).

¹⁶ In the Dark, VPNOverview, 2019, available at: https://vpnoverview.com/privacy/anonymous-browsing/in-the-dark/ (last accessed Jan. 26, 2021).

¹⁷ Social Security Administration, Identity Theft and Your Social Security Number, available at: https://www.ssa.gov/pubs/EN-05-10064.pdf (last accessed Jan. 26, 2021).

58. Based on the foregoing, the information compromised in the Cybersecurity Event is significantly more valuable than the loss of, for example, credit card information in a retailer data breach, because, there, victims can cancel or close credit and debit card accounts. The information compromised in this Cybersecurity Event is impossible to “close” and difficult, if not impossible, to change—name, address, date of birth, and Social Security number.

59. This data demands a much higher price on the black market. Martin Walter, senior director at cybersecurity firm RedSeal, explained, “Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x on the black market.”¹⁹

60. Among other forms of fraud, identity thieves may obtain driver’s licenses, government benefits, medical services, and housing or even give false information to police.

61. The PII and PHI of Plaintiff and Class Members was taken by hackers to engage in identity theft and/or to sell it to other criminals who will purchase the PII and PHI for that purpose. The fraudulent activity resulting from the Cybersecurity Event may not come to light for years.

¹⁸ Bryan Naylor, Victims of Social Secur
