Case 6:22-cv-00030-CEM-EJK Document 1 Filed 01/05/22 Page 1 of 85 PageID 1

IN THE UNITED STATES DISTRICT COURT
FOR THE MIDDLE DISTRICT OF FLORIDA
ORLANDO DIVISION

WENDY BRYAN and PATRICIA WHITE, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

BioPlus Specialty Pharmacy Services, LLC,

Defendant.

Case No.:

JURY TRIAL DEMANDED

CLASS ACTION COMPLAINT
Plaintiffs Wendy Bryan and Patricia White (“Plaintiffs”), individually and on behalf of all others similarly situated, through the undersigned counsel, hereby allege the following against Defendant BioPlus Specialty Pharmacy Services, LLC (“BioPlus” or “Defendant”).

NATURE OF THE ACTION

1. This is a class action for damages with respect to BioPlus Specialty Pharmacy Services, LLC, for its failure to exercise reasonable care in securing and safeguarding its patients’ sensitive personal data—including names, addresses, email addresses, dates of birth, Social Security numbers, health insurance billing information, and treating physician information, collectively known as Personally Identifiable Information (“PII” or “Private Information”).

2. This class action is brought on behalf of patients whose sensitive PII was stolen by cybercriminals in a cyber-attack that accessed sensitive patient information through BioPlus’s services on or around October 25, 2021 (the “Data Breach”).

3. The Data Breach affected at least 350,000 individuals from BioPlus’s services.

4. BioPlus reported to Plaintiffs that information compromised in the Data Breach included their PII.

5. Plaintiffs were not notified until December of 2021, nearly three months after their information was first accessed.

6. As a result of the Data Breach, Plaintiffs and other Class Members will experience various types of misuse of their PII in the coming years, including but not limited to unauthorized credit card charges, unauthorized access to email accounts, and other fraudulent use of their financial accounts.

7. Defendant’s security failures enabled the hackers to steal the Private Information of Plaintiffs and other members of the class—defined below. These failures put Plaintiffs’ and other Class Members’ Private Information at a serious, immediate, and ongoing risk. Additionally, Defendant’s failures caused costs and expenses associated with the time spent and the loss of productivity from taking time to address and attempt to ameliorate the release of personal data, as well as emotional grief associated with constant monitoring of personal banking and credit accounts. Mitigating and dealing with the actual and future consequences of the Data Breach has also created a number of future consequences for Plaintiffs and Class Members—including, as appropriate, reviewing records of fraudulent charges for services billed but not received, purchasing credit monitoring and identity theft protection services, the imposition of withdrawal and purchase limits on compromised accounts, initiating and monitoring credit freezes, the loss of property value of their personal information, and the stress, nuisance, and aggravation of dealing with all issues resulting from the Data Breach.

8. Plaintiffs and Class Members suffered a loss of the property value of their Private Information when it was acquired by cyber thieves in the Data Breach. Numerous courts have recognized the propriety of the loss of the property value of personal information in data breach cases.

9. There has been no assurance offered from BioPlus that all personal data or copies of data have been recovered or destroyed. BioPlus offered one free year of Experian IdentityWorks’s Credit 3B monitoring services, which does not guarantee the security of Plaintiffs’ information. To mitigate further harm, Plaintiffs chose not to disclose any more information to receive services connected with BioPlus.

10. Accordingly, Plaintiffs assert claims for negligence, breach of contract, breach of implied contract, and breach of fiduciary duty, as well as a claim for declaratory relief.

PARTIES, JURISDICTION, AND VENUE

A. Plaintiff Wendy Bryan

11. Plaintiff Wendy Bryan is a citizen of New Jersey and brings this action in her individual capacity and on behalf of all others similarly situated. Ms. Bryan has resided in the state of New Jersey for nearly fifty years and owns a home within the state. Ms. Bryan intends to remain in New Jersey indefinitely.

12. Ms. Bryan used BioPlus’s services in 2021 when she had a specialty prescription filled through her doctor’s office. To receive services at BioPlus, Plaintiff Bryan was required to disclose her PII, which was then entered into BioPlus’s database and maintained by Defendant. In maintaining her information, Defendant expressly and impliedly promised to safeguard Plaintiff Bryan’s PII. Defendant, however, did not take proper care of Ms. Bryan’s PII, leading to its exposure as a direct result of Defendant’s inadequate security measures. In December of 2021, Plaintiff Bryan received a notification letter from Defendant stating that her sensitive PII was taken.

13. The letter also offered one year of credit monitoring through Experian’s IdentityWorks Credit 3B monitoring, which was and continues to be ineffective for Bryan and other Class Members. The Experian credit monitoring would have shared Ms. Bryan’s information with third parties and could not guarantee complete privacy of her sensitive PII.

14. In the months and years following the Data Breach, Ms. Bryan and the other Class Members will experience a slew of harms as a result of Defendant’s ineffective data security measures. Some of these harms will include fraudulent charges, medical procedures ordered in patients’ names without their permission, and targeted advertising without patient consent.

15. Plaintiff Bryan greatly values her privacy, especially in receiving medical services, and would not have paid the amount that she did for pharmacy services if she had known that her information would be maintained using inadequate data security systems.

B. Plaintiff Patricia White

16. Plaintiff Patricia White is a citizen of Connecticut and brings this action in her individual capacity and on behalf of all others similarly situated. Ms. White has resided in Connecticut for her entire life, has a registered automobile in the state of Connecticut, and has been a member of local civic groups in the state of Connecticut for nearly three decades. She intends to remain in Connecticut indefinitely.

17. Ms. White’s information was entered into BioPlus’s systems in 2015 when a clerical error resulted in her prescription information from her doctor’s office being sent to BioPlus instead of her in-network pharmacy. Ms. White corrected the clerical error and canceled the service from BioPlus, but her information remained in Defendant’s systems, vulnerable to misuse, until the data breach occurred in November of 2021. In maintaining her information within its systems, Defendant expressly and impliedly promised to safeguard Ms. White’s PII. Defendant did not properly safeguard Ms. White’s PII, however, resulting in this information being exposed during the data breach. Ms. White received a notice letter from Defendant that her information was taken in December of 2021.

18. The letter also offered two years of Experian IdentityWorks Credit 3B monitoring, which was and continues to be ineffective for Ms. White and the other members of the class. Accepting the credit monitoring from BioPlus would have meant transmitting sensitive PII back to Defendant after they had already demonstrated that they could not be trusted with such information.

19. Some of the damages that will occur with respect to absent Class Members have already manifested themselves in Plaintiff White’s experience. Ms. White received a notification from her credit monitoring services through H&R Block on or about November 30, 2021, that her information appeared on the dark web, where cyber-criminals trade sensitive patient information for use in phone, banking, and health insurance scams. Ms. White has notified her credit monitoring services of this breach and continues to monitor her accounts for suspicious activity.

20. In the months and years following the data breach event, Ms. White and the other Class Members will experience a slew of harms as a result of Defendant’s ineffective data security measures. Some of these harms will include fraudulent charges, medical procedures ordered in patients’ names without their permission, and targeted advertising without patient consent.

21. Ms. White values the privacy of her personal information. She would not have agreed to having her information transmitted to BioPlus’s systems—even by mistake—if she had known that it would be stored using inadequate storage methods that would lead to its misuse.

C. Defendant BioPlus

22. Defendant BioPlus Specialty Pharmacy Services, LLC, a Florida limited liability company, is a specialty pharmacy company, with its principal place of business located in the State of Florida at 376 Northlake Boulevard, Altamonte Springs, FL 32701. BioPlus conducts business nationally, including in the states of New Jersey and Connecticut. BioPlus offers a number of pharmacy services, including patient and provider pharmaceutical approval, and prescription fill and refill services. BioPlus registered its headquarters at 376 Northlake Boulevard, Altamonte Springs, FL 32701. BioPlus’s corporate policies and practices, including those used for data privacy, are established in, and emanate from, Florida.

23. BioPlus Specialty Pharmacy Services, LLC has two individual members—Stephen Vogt and Stephen Garner, both of whom are residents of Florida and intend to remain in Florida. In addition to two individual members, BioPlus Specialty Pharmacy Services, LLC has one LLC member—BioPlus Parent, LLC, a Rhode Island entity whose sole member, John Figueroa, resides in and intends to remain in Rhode Island. BioPlus Specialty Pharmacy Services, LLC, is therefore a citizen of Rhode Island and Florida.

D. Jurisdiction

24. The Court has jurisdiction over Plaintiffs’ claims under 28 U.S.C. § 1332(d)(2) (“CAFA”), because (a) there are 100 or more Class Members, (b) at least one Class member is a citizen of a state that is diverse from Defendant’s citizenship, and (c) the matter in controversy exceeds $5,000,000, exclusive of interest and costs.

25. The Court has personal jurisdiction over Defendant because Defendant’s principal place of business is located in this District.

E. Venue

26. Venue is proper in this district under 28 U.S.C. § 1391(b)(1) because Defendant maintains its principal place of business in this District and therefore resides in this District pursuant to 28 U.S.C. § 1391(c)(2). A substantial part of the events or omissions giving rise to the Class’s claims also occurred in this District.

FACTS

27. Defendant provides a wide variety of pharmacy services to patients across the country. As part of its business, Defendant was entrusted with, and obligated to safeguard and protect the Private Information of Plaintiffs and the Class in accordance with all applicable laws.

28. In November of 2021, Defendant first learned of an unauthorized entry into its network, which contained customers’ Private Information including names, addresses, email addresses, dates of birth, Social Security numbers, financial account numbers, billing, and other health information. Defendant posted the following notice on its website:1

December 10, 2021 — BioPlus Specialty Pharmacy Services, LLC (“BioPlus”) is committed to protecting the confidentiality and security of the information we maintain. This notice concerns a data security incident that may have involved some of that information.

On November 11, 2021, we identified suspicious activity in our IT network. Upon learning of the incident, we immediately took steps to isolate and secure our systems. We also launched an investigation with the assistance of a third-party forensic firm and notified law enforcement.

Through the investigation, we determined that an unauthorized party gained access to our IT network between October 25, 2021 and November 11, 2021. During that time, the unauthorized party accessed files that contained information pertaining to certain BioPlus patients. However, our investigation could not rule out the possibility that information pertaining to all current and former BioPlus patients may have been subject to unauthorized access.

On December 10, 2021, we began mailing letters to all current and former patients whose information may have been involved. The information subject to unauthorized access may have included patient names, dates of birth, addresses, medical record numbers, current/former health plan member ID numbers, claims information, diagnoses, and/or prescription information. For certain patients, Social Security numbers were also involved. As a precautionary measure, the letters include guidance on how patients can protect their information. Additionally, for patients whose Social Security number was involved, we are offering complimentary credit monitoring and identity protection services. We have also established a dedicated, toll-free call center for patients to call with questions. If you believe you are affected but do not receive a letter by January 10, 2022, please call 1-855-545-2336, available Monday through Friday, between 9:00 am and 6:30 pm, Eastern Time.

We take this issue very seriously, and deeply regret any concern this incident may have caused. To help prevent something like this from happening again, we have implemented, and will continue to adopt, additional safeguards and technical security measures to further protect and monitor our systems.

1 Update on Cyber Incident, (Dec. 10, 2021), https://bioplusrx.com/cyber-incident/ [hereinafter Data Breach Notice].

29. Upon learning of the Data Breach in November 2021, Defendant investigated. As a result of the Data Breach, Defendant initially estimated that the Private Information of at least 350,000 patients was potentially compromised stemming from services previously received.2

30. In December of 2021 Defendant announced that it first learned of suspicious activity that allowed one or more cybercriminals to access their systems through a ransomware attack. The 2021 Notice disclosed that a ransomware attack enabled a threat actor to access BioPlus systems.

31. Defendant offered no explanation for the delay between the initial discovery of the Breach and the belated notification to affected customers, which resulted in Plaintiffs and Class Members suffering harm they otherwise could have avoided had a timely disclosure been made.

32. BioPlus’s notice of Data Breach was not just untimely but woefully deficient, failing to provide basic details, including but not limited to, how unauthorized parties accessed its networks, what information was accessed, whether the information was encrypted or otherwise protected, how it learned of the Data Breach, whether the breach occurred system-wide, whether servers storing information were accessed, and how many patients were affected by the Data Breach. Even worse, BioPlus offered only one or two years of identity monitoring to Plaintiffs and Class Members, which required the disclosure of additional PII that BioPlus had just demonstrated it could not be trusted with.

2 These numbers were reported to the Health and Human Services Healthcare Data Breach Portal. See Cases Currently Under Investigation, U.S. DEP’T OF HEALTH & HUMAN SERVS.: BREACH PORTAL, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf [hereinafter Breach Portal] (last visited Dec. 28, 2021).

33. Plaintiffs and Class Members’ PII is currently for sale to criminals on the dark web, meaning that unauthorized parties have accessed and viewed Plaintiffs’ and Class Members’ unencrypted, unredacted information, including names, addresses, email addresses, dates of birth, Social Security numbers, member ID numbers, policyholder names, employer names, policy numbers, and more.

34. The Breach occurred because Defendant failed to take reasonable measures to protect the PII it collected and stored. Among other things, Defendant failed to implement data security measures designed to prevent this attack, despite repeated warnings to the healthcare industry, insurance companies, and associated entities about the risk of cyberattacks and the highly publicized occurrence of many similar attacks in the recent past on other healthcare providers.

35. Defendant disregarded the rights of Plaintiffs and Class Members by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that Plaintiffs’ and Class Members’ PII was safeguarded, failing to take available steps to prevent an unauthorized disclosure of data, and failing to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use. As a result, the PII of Plaintiffs and Class Members was compromised through unauthorized access by an unknown third party. Plaintiffs and Class Members have a continuing interest in ensuring that their information is and remains safe.

A. Defendant’s Privacy Promises

36. BioPlus made, and continues to make, various promises to its customers, including Plaintiffs, that it will maintain the security and privacy of their Private Information.

37. In its Notice of Privacy Practices, Defendant stated the following:

• “We do not give out, exchange, barter, rent, sell, lend, or disseminate to any unauthorized person, any information about patients that is considered patient confidential, is restricted by law, or has been specifically restricted by a patient in a signed HIPAA authorization form”

• “Information about each patient is only used or disclosed as is reasonably necessary to carry out treatment, to obtain payment for treatment, and to conduct health care operations.”

38. BioPlus describes how it may use and disclose medical information for each category of uses or disclosures, none of which provide it a right to expose patients’ Private Information in the manner it was exposed to unauthorized third parties in the Data Breach.

39. By failing to protect Plaintiffs’ and Class Members’ Private Information, and by allowing the Data Breach to occur, BioPlus broke these promises to Plaintiffs and Class Members.

B. Defendant Failed to Maintain Reasonable and Adequate Security Measures to Safeguard Customer’s Private Information

40. BioPlus acquires, collects, and stores a massive amount of its customers’ protected PII, including health information and other personally identifiable data.

41. As a condition of engaging in health-related services, BioPlus requires that these patients entrust them with highly confidential Private Information.

42. By obtaining, collecting, using, and deriving a benefit from Plaintiffs’ and Class Members’ Private Information, BioPlus assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiffs’ and Class Members’ Private Information from disclosure.

43. Defendant had obligations created by the Health Insurance Portability Act (42 U.S.C. § 1320d et seq.) (“HIPAA”), industry standards, common law, and representations made to Class Members, to keep Class Members’ Private Information confidential and to protect it from unauthorized access and disclosure.

44. Defendant failed to properly safeguard Class Members’ Private Information, allowing hackers to access their Private Information.

45. Plaintiffs and Class Members provided their Private Information to Defendant with the reasonable expectation and mutual understanding that Defendant and any of its affiliates would comply with their obligation to keep such information confidential and secure from unauthorized access.

46. Prior to and during the Data Breach, Defendant promised customers that their Private Information would be kept confidential.

47. Defendant’s failure to provide adequate security measures to safeguard customers’ Private Information is especially egregious because Defendant operates in a field which has recently been a frequent target of scammers attempting to fraudulently gain access to customers’ highly confidential Private Information.

48. In fact, Defendant has been on notice for years that the healthcare industry and health insurance companies are a prime target for scammers because of the amount of confidential customer information maintained.

49. Defendant was also on notice that the FBI has been concerned about data security in the healthcare industry. In August 2014, after a cyberattack on Community Health Systems, Inc., the FBI warned companies within the healthcare industry that hackers were targeting them. The warning stated that “[t]he FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining the Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).”3

3 Jim Finkle, FBI Warns Healthcare Firms that they are Targeted by Hackers, REUTERS (Aug. 2014), https://www.reuters.com/article/us-cybersecurity-healthcare-fbi/fbi-warnshealthcare-firms-they-are-targeted-by-hackers-idUSKBN0GK24U20140820.

50. The American Medical Association (“AMA”) has also warned healthcare companies about the importance of protecting their patients’ confidential information:

Cybersecurity is not just a technical issue; it’s a patient safety issue. AMA research has revealed that 83% of physicians work in a practice that has experienced some kind of cyberattack. Unfortunately, practices are learning that cyberattacks not only threaten the privacy and security of patients’ health and financial information, but also patient access to care.4

51. The number of US data breaches surpassed 1,000 in 2016, a record high and a forty percent increase in the number of data breaches from the previous year.5 In 2017, a new record high of 1,579 breaches were reported—representing a 44.7 percent increase.6 That trend continues.

52. The healthcare sector reported the second largest number of breaches among all measured sectors in 2018, with the highest rate of exposure per breach.7 Indeed, when compromised, healthcare related data is among the most sensitive and personally consequential. A report focusing on healthcare breaches found that the “average total cost to resolve an identity theft-related incident . . . came to about $20,000,” and that the victims were often forced to pay out-of-pocket costs for healthcare they did not receive in order to restore coverage.8 Almost 50 percent of the victims lost their healthcare coverage as a result of the incident, while nearly 30 percent said their insurance premiums went up after the event. Forty percent of the customers were never able to resolve their identity theft at all. Data breaches and identity theft have a crippling effect on individuals and detrimentally impact the economy as a whole.9

4 Andis Robeznieks, Cybersecurity: Ransomware attacks shut down clinics, hospitals, AM. MED. ASS’N (Oct. 4, 2019), https://www.ama-assn.org/practice-management/sustainability/cybersecurity-ransomware-attacks-shut-down-clinics-hospitals.
5 Identity Theft Resource Center, Data Breaches Increase 40 Percent in 2016, Finds New Report From Identity Theft Resource Center and CyberScout (Jan. 19, 2017), https://www.idtheftcenter.org/surveys-studys.
6 Identity Theft Resource Center, 2017 Annual Data Breach Year-End Review, https://www.idtheftcenter.org/2017-data-breaches/.
7 Identity Theft Resource Center, 2018 End-of-Year Data Breach Report, https://www.idtheftcenter.org/2018-data-breaches/.

53. A 2017 study conducted by HIMSS Analytics showed that email was the most likely cause of a data breach, with 78 percent of providers stating that they experienced a healthcare ransomware or malware attack in the past 12 months.

54. Healthcare related data breaches continued at a rapid pace into 2021, when ReproSource was breached.10

55. In the Healthcare industry, the number one threat vector from a cyber security standpoint is phishing. Cybersecurity firm Proofpoint reports that “phishing is the initial point of compromise in most significant [healthcare] security incidents, according to a recent report from the Healthcare Information and Management Systems Society (HIMSS). And yet, 18% of healthcare organizations fail to conduct phishing tests, a finding HIMSS describes as “incredible.”11

8 Elinor Mills, Study: Medical identity theft is costly for victims, CNET (March 3, 2010), https://www.cnet.com/news/study-medical-identity-theft-is-costly-for-victims/.
9 Id.
10 2019 HIMSS Cybersecurity Survey, https://www.himss.org/2019-himsscybersecurity-survey.

56. As explained by the Federal Bureau of Investigation, “[p]revention is the most effective defense against ransomware and it is critical to take precaution for protection.”12

57. To prevent and detect ransomware attacks, including the ransomware attack that resulted in the Data Breach, Defendant could and should have implemented, as recommended by the United States Government, the following measures:

• Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.

• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

• Configure firewalls to block access to known malicious IP addresses.

• Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.

• Set anti-virus and anti-malware programs to conduct regular scans automatically.

• Manage the use of privileged accounts based on the principle of least privilege; no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.

• Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.

• Disable macro scripts from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.

• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.

• Consider disabling Remote Desktop protocol (RDP) if it is not being used.

• Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.

• Execute operating system environments or specific programs in a virtualized environment.

• Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.

11 Aaron Jensen, Healthcare Phishing Statistics: 2019 HIMSS Survey Results, PROOFPOINT (Mar. 27, 2019), https://www.proofpoint.com/us/security-awareness/post/healthcare-phishingstatistics-2019-himss-survey-results.
12 See How to Protect Your Networks from RANSOMWARE, FBI (2016), https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view.

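The email-authentication measure in the list above (SPF, DMARC and DKIM to prevent spoofing) is a configuration that can be checked mechanically. The following Python is an added example, not part of the complaint, of the FBI guidance it quotes, or of any BioPlus system: it lints a domain's TXT records for the weak settings that leave it open to spoofing, with a weak zone beside its hardened form. The zone data, the `.test` domain names and the DKIM key value are constructed placeholders; the `zone` dictionary stands in for live DNS queries.

```python
"""Lint a domain's SPF, DKIM and DMARC TXT records for weak settings.

Added example for the email-authentication measure quoted above; it is not
part of the complaint or any BioPlus system. The zones below are constructed
test data (the .test TLD is reserved), and the DKIM public key is a placeholder.
"""
import re

# SPF mechanisms that cost a DNS lookup; RFC 7208 permits at most 10 per check.
_LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr(?::|$)|exists:|redirect=)", re.I)


def spf_findings(record):
    """Return a list of weaknesses in one SPF record ('' means none published)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record (v=spf1) published"]
    findings = []
    all_qualifier = None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if m:
            all_qualifier = m.group(1) or "+"  # a bare 'all' means '+all' (pass)
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders receive no verdict")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every sender, so spoofed mail passes SPF")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral, which receivers treat like no policy")
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def dmarc_findings(record):
    """Return a list of weaknesses in one DMARC record ('' means none published)."""
    tags = {}
    for pair in record.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record (v=DMARC1) published"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} enforces the policy on only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' address, so no aggregate reports reveal abuse")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return findings


def dkim_findings(zone, domain):
    """Check that at least one selector under _domainkey publishes a usable key."""
    suffix = "._domainkey." + domain
    keys = [r for name, recs in zone.items() if name.endswith(suffix) for r in recs]
    if not keys:
        return ["no DKIM public key published under _domainkey"]
    findings = []
    for rec in keys:
        tags = dict(p.strip().split("=", 1) for p in rec.split(";") if "=" in p)
        if not tags.get("p"):
            findings.append("DKIM selector with empty p= (revoked key) still published")
    return findings


def lint_zone(zone, domain):
    """zone maps DNS names to their TXT records (a stand-in for live DNS queries)."""
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in zone.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    return {
        "spf": (["multiple SPF records: RFC 7208 treats this as permerror"]
                if len(spf) > 1 else spf_findings(spf[0] if spf else "")),
        "dkim": dkim_findings(zone, domain),
        "dmarc": (["multiple DMARC records: receivers ignore all of them"]
                  if len(dmarc) > 1 else dmarc_findings(dmarc[0] if dmarc else "")),
    }


# Constructed zones: the weak configuration beside its hardened form.
WEAK_ZONE = {
    "example-pharmacy.test": ["v=spf1 include:_spf.mail-provider.test ?all"],
    "_dmarc.example-pharmacy.test": ["v=DMARC1; p=none"],
}
HARDENED_ZONE = {
    "example-pharmacy.test": ["v=spf1 include:_spf.mail-provider.test -all"],
    "selector1._domainkey.example-pharmacy.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"],
    "_dmarc.example-pharmacy.test": [
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:dmarc-reports@example-pharmacy.test"],
}

if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, lint_zone(zone, "example-pharmacy.test"))
```

Against the weak zone the linter reports the neutral `?all`, the monitoring-only `p=none`, the missing `rua` reporting address and the absent DKIM key; the hardened zone produces no findings. In practice the same checks would be fed the TXT records returned by a resolver for the organisation's sending domains, and `p=none` is the usual starting point only while aggregate reports are being reviewed, before moving to `quarantine` and then `reject`.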
58. To prevent and detect ransomware attacks, including the ransomware attack that resulted in the Data Breach, Defendant could and should have implemented, as recommended by the United States Government, the following measures:

• Update and patch your computer. Ensure your applications and operating systems (OSs) have been updated with the latest patches. Vulnerable applications and OSs are the target of most ransomware attacks . . .

• Use caution with links and when entering website addresses. Be careful when clicking directly on links in emails, even if the sender appears to be someone you know. Attempt to independently verify website addresses (e.g., contact your organization's helpdesk, search the internet for the sender organization's website or the topic mentioned in the email). Pay attention to the website addresses you click on, as well as those you enter yourself. Malicious website addresses often appear almost identical to legitimate sites, often using a slight variation in spelling or a different domain (e.g., .com instead of .net) . . .

• Open email attachments with caution. Be wary of opening email attachments, even from senders you think you know, particularly when attachments are compressed files or ZIP files.

• Keep your personal information safe. Check a website's security to ensure the information you submit is encrypted before you provide it . . .

• Verify email senders. If you are unsure whether or not an email is legitimate, try to verify the email's legitimacy by contacting the sender directly. Do not click on any links in the email. If possible, use a previous (legitimate) email to ensure the contact information you have for the sender is authentic before you contact them.

• Inform yourself
