IN THE UNITED STATES DISTRICT COURT
FOR THE MIDDLE DISTRICT OF FLORIDA
ORLANDO DIVISION

WENDY BRYAN and PATRICIA WHITE, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

BioPlus Specialty Pharmacy Services, LLC,

Defendant.

Case No.:

JURY TRIAL DEMANDED

CLASS ACTION COMPLAINT

Plaintiffs Wendy Bryan and Patricia White (“Plaintiffs”), individually and on behalf of all others similarly situated, through the undersigned counsel, hereby allege the following against Defendant BioPlus Specialty Pharmacy Services, LLC (“BioPlus” or “Defendant”).

NATURE OF THE ACTION

1. This is a class action for damages with respect to BioPlus Specialty Pharmacy Services, LLC, for its failure to exercise reasonable care in securing and safeguarding its patients’ sensitive personal data—including names, addresses, email addresses, dates of birth, Social Security numbers, health insurance billing information, and treating physician information, collectively known as Personally Identifiable Information (“PII” or “Private Information”).

Case 6:22-cv-00030-CEM-EJK Document 1 Filed 01/05/22 Page 2 of 85 PageID 2

2. This class action is brought on behalf of patients whose sensitive PII was stolen by cybercriminals in a cyber-attack that accessed sensitive patient information through BioPlus’s services on or around October 25, 2021 (the “Data Breach”).

3. The Data Breach affected at least 350,000 individuals from BioPlus’s services.

4. BioPlus reported to Plaintiffs that information compromised in the Data Breach included their PII.

5. Plaintiffs were not notified until December of 2021, nearly three months after their information was first accessed.

6. As a result of the Data Breach, Plaintiffs and other Class Members will experience various types of misuse of their PII in the coming years, including but not limited to unauthorized credit card charges, unauthorized access to email accounts, and other fraudulent use of their financial accounts.

7. Defendant’s security failures enabled the hackers to steal the Private Information of Plaintiffs and other members of the class—defined below. These failures put Plaintiffs’ and other Class Members’ Private Information at a serious, immediate, and ongoing risk. Additionally, Defendant’s failures caused costs and expenses associated with the time spent and the loss of productivity from taking time to address and attempt to ameliorate the release of personal data, as well as emotional grief associated with constant monitoring of personal banking and credit accounts. Mitigating and dealing with the actual and future consequences of the Data Breach has also created a number of future consequences for Plaintiffs and Class Members—including, as appropriate, reviewing records of fraudulent charges for services billed but not received, purchasing credit monitoring and identity theft protection services, the imposition of withdrawal and purchase limits on compromised accounts, initiating and monitoring credit freezes, the loss of property value of their personal information, and the stress, nuisance, and aggravation of dealing with all issues resulting from the Data Breach.

8. Plaintiffs and Class Members suffered a loss of the property value of their Private Information when it was acquired by cyber thieves in the Data Breach. Numerous courts have recognized the propriety of the loss of the property value of personal information in data breach cases.

9. There has been no assurance offered from BioPlus that all personal data or copies of data have been recovered or destroyed. BioPlus offered one free year of Experian IdentityWorks’s Credit 3B monitoring services, which does not guarantee the security of Plaintiffs’ information. To mitigate further harm, Plaintiffs chose not to disclose any more information to receive services connected with BioPlus.

10. Accordingly, Plaintiffs assert claims for negligence, breach of contract, breach of implied contract, and breach of fiduciary duty, as well as a claim for declaratory relief.

PARTIES, JURISDICTION, AND VENUE

A. Plaintiff Wendy Bryan

11. Plaintiff Wendy Bryan is a citizen of New Jersey and brings this action in her individual capacity and on behalf of all others similarly situated. Ms. Bryan has resided in the state of New Jersey for nearly fifty years and owns a home within the state. Ms. Bryan intends to remain in New Jersey indefinitely.

12. Ms. Bryan used BioPlus’s services in 2021 when she had a specialty prescription filled through her doctor’s office. To receive services at BioPlus, Plaintiff Bryan was required to disclose her PII, which was then entered into BioPlus’s database and maintained by Defendant. In maintaining her information, Defendant expressly and impliedly promised to safeguard Plaintiff Bryan’s PII. Defendant, however, did not take proper care of Ms. Bryan’s PII, leading to its exposure as a direct result of Defendant’s inadequate security measures. In December of 2021, Plaintiff Bryan received a notification letter from Defendant stating that her sensitive PII was taken.

13. The letter also offered one year of credit monitoring through Experian’s IdentityWorks Credit 3B monitoring, which was and continues to be ineffective for Bryan and other Class Members. The Experian credit monitoring would have shared Ms. Bryan’s information with third parties and could not guarantee complete privacy of her sensitive PII.

14. In the months and years following the Data Breach, Ms. Bryan and the other Class Members will experience a slew of harms as a result of Defendant’s ineffective data security measures. Some of these harms will include fraudulent charges, medical procedures ordered in patients’ names without their permission, and targeted advertising without patient consent.

15. Plaintiff Bryan greatly values her privacy, especially in receiving medical services, and would not have paid the amount that she did for pharmacy services if she had known that her information would be maintained using inadequate data security systems.

B. Plaintiff Patricia White

16. Plaintiff Patricia White is a citizen of Connecticut and brings this action in her individual capacity and on behalf of all others similarly situated. Ms. White has resided in Connecticut for her entire life, has a registered automobile in the state of Connecticut, and has been a member of local civic groups in the state of Connecticut for nearly three decades. She intends to remain in Connecticut indefinitely.

17. Ms. White’s information was entered into BioPlus’s systems in 2015 when a clerical error resulted in her prescription information from her doctor’s office being sent to BioPlus instead of her in-network pharmacy. Ms. White corrected the clerical error and canceled the service from BioPlus, but her information remained in Defendant’s systems, vulnerable to misuse, until the data breach occurred in November of 2021. In maintaining her information within its systems, Defendant expressly and impliedly promised to safeguard Ms. White’s PII. Defendant did not properly safeguard Ms. White’s PII, however, resulting in this information being exposed during the data breach. Ms. White received a notice letter from Defendant that her information was taken in December of 2021.

18. The letter also offered two years of Experian IdentityWorks Credit 3B monitoring, which was and continues to be ineffective for Ms. White and the other members of the class. Accepting the credit monitoring from BioPlus would have meant transmitting sensitive PII back to Defendant after they had already demonstrated that they could not be trusted with such information.

19. Some of the damages that will occur with respect to absent Class Members have already manifested themselves in Plaintiff White’s experience. Ms. White received a notification from her credit monitoring services through H&R Block on or about November 30, 2021, that her information appeared on the dark web, where cyber-criminals trade sensitive patient information for use in phone, banking, and health insurance scams. Ms. White has notified her credit monitoring services of this breach and continues to monitor her accounts for suspicious activity.

20. In the months and years following the data breach event, Ms. White and the other Class Members will experience a slew of harms as a result of Defendant’s ineffective data security measures. Some of these harms will include fraudulent charges, medical procedures ordered in patients’ names without their permission, and targeted advertising without patient consent.

21. Ms. White values the privacy of her personal information. She would not have agreed to having her information transmitted to BioPlus’s systems—even by mistake—if she had known that it would be stored using inadequate storage methods that would lead to its misuse.

C. Defendant BioPlus

22. Defendant BioPlus Specialty Pharmacy Services, LLC, a Florida limited liability company, is a specialty pharmacy company, with its principal place of business located in the State of Florida at 376 Northlake Boulevard, Altamonte Springs, FL 32701. BioPlus conducts business nationally, including in the states of New Jersey and Connecticut. BioPlus offers a number of pharmacy services, including patient and provider pharmaceutical approval, and prescription fill and refill services. BioPlus registered its headquarters at 376 Northlake Boulevard, Altamonte Springs, FL 32701. BioPlus’s corporate policies and practices, including those used for data privacy, are established in, and emanate from, Florida.

23. BioPlus Specialty Pharmacy Services, LLC has two individual members—Stephen Vogt and Stephen Garner, both of whom are residents of Florida and intend to remain in Florida. In addition to two individual members, BioPlus Specialty Pharmacy Services, LLC has one LLC member—BioPlus Parent, LLC, a Rhode Island entity whose sole member, John Figueroa, resides in and intends to remain in Rhode Island. BioPlus Specialty Pharmacy Services, LLC, is therefore a citizen of Rhode Island and Florida.

D. Jurisdiction

24. The Court has jurisdiction over Plaintiffs’ claims under 28 U.S.C. § 1332(d)(2) (“CAFA”), because (a) there are 100 or more Class Members, (b) at least one Class member is a citizen of a state that is diverse from Defendant’s citizenship, and (c) the matter in controversy exceeds $5,000,000, exclusive of interest and costs.

25. The Court has personal jurisdiction over Defendant because Defendant’s principal place of business is located in this District.

E. Venue

26. Venue is proper in this district under 28 U.S.C. § 1391(b)(1) because Defendant maintains its principal place of business in this District and therefore resides in this District pursuant to 28 U.S.C. § 1391(c)(2). A substantial part of the events or omissions giving rise to the Class’s claims also occurred in this District.

FACTS

27. Defendant provides a wide variety of pharmacy services to patients across the country. As part of its business, Defendant was entrusted with, and obligated to safeguard and protect the Private Information of Plaintiffs and the Class in accordance with all applicable laws.

28. In November of 2021, Defendant first learned of an unauthorized entry into its network, which contained customers’ Private Information including names, addresses, email addresses, dates of birth, Social Security numbers, financial account numbers, billing, and other health information. Defendant posted the following notice on its website:1

December 10, 2021 — BioPlus Specialty Pharmacy Services, LLC (“BioPlus”) is committed to protecting the confidentiality and security of the information we maintain. This notice concerns a data security incident that may have involved some of that information.

On November 11, 2021, we identified suspicious activity in our IT network. Upon learning of the incident, we immediately took steps to isolate and secure our systems. We also launched an investigation with the assistance of a third-party forensic firm and notified law enforcement.

Through that investigation, we determined that an unauthorized party gained access to our IT network between October 25, 2021 and November 11, 2021. During that time, the unauthorized party accessed files that contained information pertaining to certain BioPlus patients. However, our investigation could not rule out the possibility that information pertaining to all current and former BioPlus patients may have been subject to unauthorized access.

On December 10, 2021, we began mailing letters to all current and former patients whose information may have been involved. The information subject to unauthorized access may have included patient names, dates of birth, addresses, medical record numbers, current/former health plan member ID numbers, claims information, diagnoses, and/or prescription information. For certain patients, Social Security numbers were also involved. As a precautionary measure, the letters include guidance on how patients can protect their information. Additionally, for patients whose Social Security number was involved, we are offering complimentary credit monitoring and identity protection services. We have also established a dedicated, toll-free call center for patients to call with questions. If you believe you are affected but do not receive a letter by January 10, 2022, please call 1-855-545-2336, available Monday through Friday, between 9:00 am and 6:30 pm, Eastern Time.

We take this issue very seriously, and deeply regret any concern this incident may have caused. To help prevent something like this from happening again, we have implemented, and will continue to adopt, additional safeguards and technical security measures to further protect and monitor our systems.

1 Update on Cyber Incident (Dec. 10, 2021), https://bioplusrx.com/cyber-incident/ [hereinafter Data Breach Notice].

29. Upon learning of the Data Breach in November 2021, Defendant investigated. As a result of the Data Breach, Defendant initially estimated that the Private Information of at least 350,000 patients was potentially compromised stemming from services previously received.2

2 These numbers were reported to the Health and Human Services Healthcare Data Breach Portal. See Cases Currently Under Investigation, U.S. DEP’T OF HEALTH & HUMAN SERVS.: BREACH PORTAL, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf [hereinafter Breach Portal] (last visited Dec. 28, 2021).

30. In December of 2021 Defendant announced that it first learned of suspicious activity that allowed one or more cybercriminals to access their systems through a ransomware attack. The 2021 Notice disclosed that a ransomware attack enabled a threat actor to access BioPlus systems.

31. Defendant offered no explanation for the delay between the initial discovery of the Breach and the belated notification to affected customers, which resulted in Plaintiffs and Class Members suffering harm they otherwise could have avoided had a timely disclosure been made.

32. BioPlus’s notice of Data Breach was not just untimely but woefully deficient, failing to provide basic details, including but not limited to, how unauthorized parties accessed its networks, what information was accessed, whether the information was encrypted or otherwise protected, how it learned of the Data Breach, whether the breach occurred system-wide, whether servers storing information were accessed, and how many patients were affected by the Data Breach. Even worse, BioPlus offered only one or two years of identity monitoring to Plaintiffs and Class Members, which required the disclosure of additional PII that BioPlus had just demonstrated it could not be trusted with.

33. Plaintiffs and Class Members’ PII is currently for sale to criminals on the dark web, meaning that unauthorized parties have accessed and viewed Plaintiffs’ and Class Members’ unencrypted, unredacted information, including names, addresses, email addresses, dates of birth, Social Security numbers, member ID numbers, policyholder names, employer names, policy numbers, and more.

34. The Breach occurred because Defendant failed to take reasonable measures to protect the PII it collected and stored. Among other things, Defendant failed to implement data security measures designed to prevent this attack, despite repeated warnings to the healthcare industry, insurance companies, and associated entities about the risk of cyberattacks and the highly publicized occurrence of many similar attacks in the recent past on other healthcare providers.

35. Defendant disregarded the rights of Plaintiffs and Class Members by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that Plaintiffs’ and Class Members’ PII was safeguarded, failing to take available steps to prevent an unauthorized disclosure of data, and failing to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use. As a result, the PII of Plaintiffs and Class Members was compromised through unauthorized access by an unknown third party. Plaintiffs and Class Members have a continuing interest in ensuring that their information is and remains safe.

A. Defendant’s Privacy Promises

36. BioPlus made, and continues to make, various promises to its customers, including Plaintiffs, that it will maintain the security and privacy of their Private Information.

37. In its Notice of Privacy Practices, Defendant stated the following:

• “We do not give out, exchange, barter, rent, sell, lend, or disseminate to any unauthorized person, any information about patients that is considered patient confidential, is restricted by law, or has been specifically restricted by a patient in a signed HIPAA authorization form”

• “Information about each patient is only used or disclosed as is reasonably necessary to carry out treatment, to obtain payment for treatment, and to conduct health care operations.”

38. BioPlus describes how it may use and disclose medical information for each category of uses or disclosures, none of which provide it a right to expose patients’ Private Information in the manner it was exposed to unauthorized third parties in the Data Breach.

39. By failing to protect Plaintiffs’ and Class Members’ Private Information, and by allowing the Data Breach to occur, BioPlus broke these promises to Plaintiffs and Class Members.

B. Defendant Failed to Maintain Reasonable and Adequate Security Measures to Safeguard Customers’ Private Information

40. BioPlus acquires, collects, and stores a massive amount of its customers’ protected PII, including health information and other personally identifiable data.

41. As a condition of engaging in health-related services, BioPlus requires that these patients entrust them with highly confidential Private Information.

42. By obtaining, collecting, using, and deriving a benefit from Plaintiffs’ and Class Members’ Private Information, BioPlus assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiffs’ and Class Members’ Private Information from disclosure.

43. Defendant had obligations created by the Health Insurance Portability Act (42 U.S.C. § 1320d et seq.) (“HIPAA”), industry standards, common law, and representations made to Class Members, to keep Class Members’ Private Information confidential and to protect it from unauthorized access and disclosure.

44. Defendant failed to properly safeguard Class Members’ Private Information, allowing hackers to access their Private Information.

45. Plaintiffs and Class Members provided their Private Information to Defendant with the reasonable expectation and mutual understanding that Defendant and any of its affiliates would comply with their obligation to keep such information confidential and secure from unauthorized access.

46. Prior to and during the Data Breach, Defendant promised customers that their Private Information would be kept confidential.

47. Defendant’s failure to provide adequate security measures to safeguard customers’ Private Information is especially egregious because Defendant operates in a field which has recently been a frequent target of scammers attempting to fraudulently gain access to customers’ highly confidential Private Information.

48. In fact, Defendant has been on notice for years that the healthcare industry and health insurance companies are a prime target for scammers because of the amount of confidential customer information maintained.

49. Defendant was also on notice that the FBI has been concerned about data security in the healthcare industry. In August 2014, after a cyberattack on Community Health Systems, Inc., the FBI warned companies within the healthcare industry that hackers were targeting them. The warning stated that “[t]he FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining the Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).”3

3 Jim Finkle, FBI Warns Healthcare Firms that they are Targeted by Hackers, REUTERS (Aug. 2014), https://www.reuters.com/article/us-cybersecurity-healthcare-fbi/fbi-warns-healthcare-firms-they-are-targeted-by-hackers-idUSKBN0GK24U20140820.

50. The American Medical Association (“AMA”) has also warned healthcare companies about the importance of protecting their patients’ confidential information:

Cybersecurity is not just a technical issue; it’s a patient safety issue. AMA research has revealed that 83% of physicians work in a practice that has experienced some kind of cyberattack. Unfortunately, practices are learning that cyberattacks not only threaten the privacy and security of patients’ health and financial information, but also patient access to care.4

51. The number of US data breaches surpassed 1,000 in 2016, a record high and a forty percent increase in the number of data breaches from the previous year.5 In 2017, a new record high of 1,579 breaches were reported—representing a 44.7 percent increase.6 That trend continues.

52. The healthcare sector reported the second largest number of breaches among all measured sectors in 2018, with the highest rate of exposure per breach.7 Indeed, when compromised, healthcare related data is among the most sensitive and personally consequential. A report focusing on healthcare breaches found that the “average total cost to resolve an identity theft-related incident . . . came to about $20,000,” and that the victims were often forced to pay out-of-pocket costs for healthcare they did not receive in order to restore coverage.8 Almost 50 percent of the victims lost their healthcare coverage as a result of the incident, while nearly 30 percent said their insurance premiums went up after the event. Forty percent of the customers were never able to resolve their identity theft at all. Data breaches and identity theft have a crippling effect on individuals and detrimentally impact the economy as a whole.9

4 Andis Robeznieks, Cybersecurity: Ransomware attacks shut down clinics, hospitals, AM. MED. ASS’N (Oct. 4, 2019), https://www.ama-assn.org/practice-management/sustainability/cybersecurity-ransomware-attacks-shut-down-clinics-hospitals.
5 Identity Theft Resource Center, Data Breaches Increase 40 Percent in 2016, Finds New Report From Identity Theft Resource Center and CyberScout (Jan. 19, 2017), https://www.idtheftcenter.org/surveys-studys.
6 Identity Theft Resource Center, 2017 Annual Data Breach Year-End Review, https://www.idtheftcenter.org/2017-data-breaches/.
7 Identity Theft Resource Center, 2018 End-of-Year Data Breach Report, https://www.idtheftcenter.org/2018-data-breaches/.

53. A 2017 study conducted by HIMSS Analytics showed that email was the most likely cause of a data breach, with 78 percent of providers stating that they experienced a healthcare ransomware or malware attack in the past 12 months.

54. Healthcare related data breaches continued rapidly into 2021 when ReproSource was breached.10

55. In the Healthcare industry, the number one threat vector from a cyber security standpoint is phishing. Cybersecurity firm Proofpoint reports that “phishing is the initial point of compromise in most significant [healthcare] security incidents, according to a recent report from the Healthcare Information and Management Systems Society (HIMSS). And yet, 18% of healthcare organizations fail to conduct phishing tests, a finding HIMSS describes as “incredible.”11

8 Elinor Mills, Study: Medical identity theft is costly for victims, CNET (March 3, 2010), https://www.cnet.com/news/study-medical-identity-theft-is-costly-for-victims/.
9 Id.
10 2019 HIMSS Cybersecurity Survey, https://www.himss.org/2019-himss-cybersecurity-survey.

56. As explained by the Federal Bureau of Investigation, “[p]revention is the most effective defense against ransomware and it is critical to take precaution for protection.”12

57. To prevent and detect ransomware attacks, including the ransomware attack that resulted in the Data Breach, Defendant could and should have implemented, as recommended by the United States Government, the following measures:

• Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.

• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

• Configure firewalls to block access to known malicious IP addresses.

• Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.

• Set anti-virus and anti-malware programs to conduct regular scans automatically.

• Manage the use of privileged accounts based on the principle of least privilege; no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.

• Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.

• Disable macro scripts from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.

• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.

• Consider disabling Remote Desktop protocol (RDP) if it is not being used.

• Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.

• Execute operating system environments or specific programs in a virtualized environment.

• Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.

11 Aaron Jensen, Healthcare Phishing Statistics: 2019 HIMSS Survey Results, PROOFPOINT (Mar. 27, 2019), https://www.proofpoint.com/us/security-awareness/post/healthcare-phishing-statistics-2019-himss-survey-results.
12 See How to Protect Your Networks from RANSOMWARE, FBI (2016), https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view.

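As an added illustration of the SPF/DMARC anti-spoofing recommendation quoted above (example code written for this page, not anything from the complaint, the FBI guidance, or BioPlus): a small checker that reads a domain's SPF and DMARC TXT records and reports whether they actually enforce against spoofed mail rather than merely monitor it. The domain names and records in SAMPLE_RECORDS are constructed sample data; a live check would resolve the TXT records over DNS instead.

```python
"""Evaluate SPF and DMARC records for anti-spoofing strength (defender's config check).

Assumptions: TXT records are supplied by a lookup function instead of DNS, so the
check runs offline. The domains and records below are constructed, not real.
"""
from dataclasses import dataclass, field

# Constructed sample TXT records, keyed by domain, then by DNS name (not real data).
SAMPLE_RECORDS = {
    "weak.example": {
        "weak.example": ["v=spf1 +all"],               # "+all" authorises every sender
        "_dmarc.weak.example": ["v=DMARC1; p=none"],  # monitor only, nothing is blocked
    },
    "strong.example": {
        "strong.example": ["v=spf1 ip4:192.0.2.0/24 include:mail.example -all"],
        "_dmarc.strong.example": [
            "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
        ],
    },
    "missing.example": {},  # no SPF and no DMARC published at all
}


@dataclass
class Finding:
    domain: str
    spf_ok: bool
    dmarc_ok: bool
    issues: list = field(default_factory=list)


def spf_all_qualifier(record: str):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'), or None if absent."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare "all" defaults to "+"
    return None


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict; empty dict if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def evaluate_domain(domain: str, txt_lookup) -> Finding:
    """Decide whether SPF and DMARC together would cause spoofed mail to be rejected.

    txt_lookup(name) returns the list of TXT strings published at name.
    """
    finding = Finding(domain, spf_ok=False, dmarc_ok=False)

    spf = [r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        finding.issues.append("no SPF record")
    elif len(spf) > 1:
        finding.issues.append("multiple SPF records (invalid per RFC 7208)")
    else:
        qualifier = spf_all_qualifier(spf[0])
        if qualifier == "-":
            finding.spf_ok = True
        elif qualifier == "~":
            finding.spf_ok = True  # softfail still lets DMARC enforce
            finding.issues.append("SPF ends in ~all (softfail); -all is stricter")
        elif qualifier in ("+", None):
            finding.issues.append("SPF permits any sender (+all or no 'all' term)")
        else:
            finding.issues.append("SPF ends in ?all (neutral), no protection")

    dmarc = [d for d in (parse_dmarc(r) for r in txt_lookup("_dmarc." + domain)) if d]
    if not dmarc:
        finding.issues.append("no DMARC record")
    else:
        policy = dmarc[0].get("p", "none").lower()
        if policy in ("reject", "quarantine"):
            finding.dmarc_ok = True
        else:
            finding.issues.append("DMARC p=none: spoofed mail is reported but still delivered")
        if "rua" not in dmarc[0]:
            finding.issues.append("DMARC has no rua= address: no aggregate reports to review")
    return finding


def audit(records=SAMPLE_RECORDS) -> dict:
    """Evaluate every domain in records; return {domain: Finding}."""
    return {d: evaluate_domain(d, lambda name, z=zone: z.get(name, [])) for d, zone in records.items()}


if __name__ == "__main__":
    for domain, f in audit().items():
        status = "OK" if f.spf_ok and f.dmarc_ok else "WEAK"
        print(f"{domain}: {status} spf_ok={f.spf_ok} dmarc_ok={f.dmarc_ok} {f.issues}")
```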
58. To prevent and detect ransomware attacks, including the ransomware attack that resulted in the Data Breach, Defendant could and should have implemented, as recommended by the United States Government, the following measures:

• Update and patch your computer. Ensure your applications and operating systems (OSs) have been updated with the latest patches. Vulnerable applications and OSs are the target of most ransomware attacks . . .

• Use caution with links and when entering website addresses. Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact your organization's helpdesk, search the internet for the sender organization's website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different domain (e.g., .com instead of .net) . . .

• Open email attachments with caution. Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.

• Keep your personal information safe. Check a website's security to ensure the information you submit is encrypted before you provide it . . .

• Verify email senders. If you are unsure whether or not an email is legitimate, try to verify the email's legitimacy by contacting the sender directly. Do not click on any links in the email. If possible, use a previous (legitimate) email to ensure the contact information you have for the sender is authentic before you contact them.

• Inform yourself