UNITED STATES DISTRICT COURT
DISTRICT OF MASSACHUSETTS

WILLIAM BISCAN, individually and on behalf of all others similarly situated,

Plaintiff,

v.

SHIELDS HEALTH CARE GROUP INC.,

Defendant.

CIVIL ACTION NO.:

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

Plaintiff William Biscan (“Plaintiff”), individually and on behalf of all others similarly situated, brings this action against Defendant Shields Health Care Group Inc. (“Shields” or “Defendant”), a Massachusetts corporation, to obtain damages, restitution, and injunctive relief for himself and for the Class, as defined below, from Defendant.

Plaintiff makes the following allegations upon information and belief, except as to his own actions, the investigation of his counsel, and the facts that are a matter of public record:

NATURE OF THE ACTION

1. This class action arises out of a targeted cyber-attack at Defendant’s medical facilities that allowed a third party to access Defendant’s computer systems and data from approximately March 7, 2022 to March 21, 2022, exposing highly sensitive personal information and medical records of approximately two million patients from Defendant’s computer network (the “Data Breach”).

2. As a result of the Data Breach, Plaintiff and Class Members suffered ascertainable losses, including but not limited to, a diminution in the value of their private and confidential information, the loss of the benefit of their contractual bargain with Defendant, out-of-pocket expenses, and the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach.

Case 1:22-cv-10901 Document 1 Filed 06/09/22 Page 2 of 54

3. Plaintiff’s and Class Members’ sensitive and private personal information—which was entrusted to Defendant, its officials, and agents—was compromised, unlawfully accessed, and stolen as a result of the Data Breach. Information compromised in the Data Breach includes names, addresses, dates of birth, Social Security numbers, insurance information, medical record numbers, patient identification numbers, and other protected health information as defined by HIPAA, and other personally identifiable information (“PII”) and protected health information (“PHI”) that Defendant collected and maintained (collectively, “Private Information”).

4. Plaintiff brings this class action lawsuit on behalf of all those similarly situated to address Defendant’s inadequate safeguarding of Class Members’ Private Information that Defendant collected and maintained, for failing to provide timely and adequate notice to Plaintiff and other Class Members of the unauthorized access to their Private Information by an unknown third party, and for failing to provide timely and adequate notice of precisely what information was accessed and stolen.

5. Defendant owed a duty to Plaintiff and Class Members to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard their Private Information against unauthorized access and disclosure.

6. Defendant breached its duty to Plaintiff and Class Members by maintaining Plaintiff’s and the Class Members’ Private Information in a negligent and/or reckless manner.

7. Upon information and belief, the means of the Data Breach and potential for improper disclosure of Plaintiff’s and Class Members’ Private Information were known and foreseeable risks to Defendant, and thus Defendant was on notice that failing to take steps necessary to secure the Private Information from those risks left the Private Information in a dangerous and vulnerable condition.

8. Defendant and its employees failed to properly monitor the computer network and systems housing the Private Information.

9. Had Defendant properly monitored its property, it would have discovered the intrusion sooner or been able to wholly prevent it.

10. Exacerbating an already devastating privacy intrusion, Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s negligent conduct, since the Private Information that Defendant collected and maintained is now in the hands of data thieves.

11. Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes including opening new financial accounts in class members’ names, taking out loans in class members’ names, using class members’ names to obtain medical services, using class members’ health information to target other phishing and hacking intrusions based on their individual health needs, using class members’ information to obtain government benefits, filing fraudulent tax returns using class members’ information, obtaining driver’s licenses in class members’ names but with another person’s photograph, and giving false information to police during an arrest.

12. As a direct result of the Data Breach, Plaintiff and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiff and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

13. Plaintiff and Class Members have incurred, and will continue to incur, out-of-pocket costs for purchasing credit monitoring services, credit freezes, credit reports, and other protective measures to deter and detect identity theft.

14. As a direct and proximate result of the Data Breach and subsequent exposure of their Private Information, Plaintiff and Class Members have suffered and will continue to suffer damages and economic losses in the form of lost time needed to take appropriate measures to avoid unauthorized and fraudulent charges, putting alerts on their credit files, and dealing with spam messages and e-mails received as a result of the Data Breach. Plaintiff and Class Members have suffered and will continue to suffer an invasion of their property interest in their own PII and PHI such that they are entitled to damages from Defendant for unauthorized access to, theft of, and misuse of their PII and PHI. These harms are ongoing, and Plaintiff and Class Members will suffer from future damages associated with the unauthorized use and misuse of their PII and PHI as thieves will continue to use the information to obtain money and credit in their names for several years.

15. Plaintiff seeks to remedy these harms on behalf of himself and all similarly situated individuals whose Private Information was accessed and/or removed from Defendant’s network during the Data Breach.

16. Plaintiff seeks remedies including, but not limited to, compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits, and adequate credit monitoring/identity protection services funded by Defendant.

17. Accordingly, Plaintiff brings this action against Defendant seeking redress for its unlawful conduct asserting claims for negligence, breach of contract, breach of implied contract, invasion of privacy, breach of fiduciary duty, breach of confidence, violation of the Massachusetts Regulation of Business Practices for Consumers’ Protection Act, Mass. Gen. Laws Ann. ch. 93A, § 1 et seq., and unjust enrichment.

PARTIES

18. Plaintiff Biscan is, and at all times mentioned herein was, an individual citizen of Haverhill, Massachusetts. Plaintiff Biscan was a patient of Shields through its services at Winchester Hospital / Shields MRI, LLC.

19. Defendant Shields Health Care Group Inc. is a domestic corporation organized and existing under the laws of the Commonwealth of Massachusetts with its headquarters in Quincy, Massachusetts.

JURISDICTION AND VENUE

20. This Court has personal jurisdiction over Defendant because Defendant is a resident of the Commonwealth of Massachusetts and because Defendant conducts business transactions in Massachusetts, has committed tortious acts in Massachusetts, and sells its products and services in Massachusetts. The Court has personal jurisdiction over Plaintiff because he resides in the Commonwealth of Massachusetts.

21. Jurisdiction in this civil action is authorized pursuant to 28 U.S.C. § 1332(d), as minimal diversity exists, there are more than 100 class members, and the amount in controversy is in excess of $5 million.

FACTUAL ALLEGATIONS

Defendant’s Business

22. Defendant is “the largest network of MRI centers in New England,”[1] with “more than 40 healthcare facilities throughout New England” including locations in Massachusetts, Maine, and New Hampshire.[2]

23. Defendant’s business includes providing MRI, PET/CT, Radiation Oncology, and Ambulatory Surgical Center services.[3]

[1] Shields Health Care Group, Our Services, available at https://shields.com/our-services/overview/ (last accessed June 9, 2022).
[2] Shields Health Care Group, Find a Location, available at https://shields.com/find-location/ (last accessed June 9, 2022).
[3] Shields Health Care Group, Our Services, available at https://shields.com/our-services/overview/ (last accessed June 9, 2022).

24. In the ordinary course of receiving medical services and treatment from Defendant, patients are required to provide (and Plaintiff did in fact provide) Defendant with sensitive, personal, and private information such as:

• Name and address;
• Date of birth;
• Demographic information;
• Social Security number;
• Information relating to individual medical history;
• Insurance information and coverage;
• Information concerning an individual’s doctor, nurse, or other medical providers;
• Photo identification;
• Other information that may be deemed necessary to provide care.

25. Defendant also gathers certain medical information about patients and creates records of the care it provides them.

26. Additionally, Defendant may receive private and personal information from other individuals and/or organizations that are part of a patient’s “circle of care,” such as referring physicians, patients’ other doctors, patients’ health plan(s), close friends, and/or family members.

Defendant Represented to Plaintiff and Class Members That It Would Adequately Protect Their Private Information

27. Defendant boasts that “Shields takes the confidentiality, privacy, and security of information in our care seriously.”[4]

28. Defendant has promulgated and adopted a privacy practice that it represents to patients it follows with respect to their Private Information (the “Privacy Practice”). The Privacy Practice is posted on Defendant’s website, and is provided to each patient prior to treatment.[5]

29. In the Privacy Practice, Defendant states that Defendant “will generally only disclose health information about [patients] for the purposes of treatment, payment or health care operations” and specifically lists examples of how Defendant will use this information.[6] The uses described in the Privacy Practice do not include exposure to cybercriminals.

30. Defendant also represents to patients in its Privacy Practice that it will “[m]aintain the privacy of your health information as required by law.”[7]

31. Defendant expressly represents to patients that Defendant is required to “abide by the terms of this [Privacy Practice].”[8]

32. Plaintiff and Class Members are, or were, patients of Defendant or received health-related services from Defendant, and entrusted Defendant with their Private Information.

The Data Breach

33. From approximately March 7, 2022 to March 21, 2022, Defendant experienced a targeted cybersecurity incident where cyberthieves had unauthorized access to the Defendant network for approximately two weeks.[9] Defendant investigated a data security alert at least as early as March 18, 2022.[10]

[4] Shields Health Care Group, Notice of Data Security Incident, available at https://shields.com/notice-of-data-security-incident/ (last accessed June 9, 2022).
[5] See Shields Health Care Group, Privacy, available at https://shields.com/privacy/ (last accessed June 9, 2022).
[6] Id.
[7] Id.
[8] Id.
[9] Shields Health Care Group, Notice of Data Security Incident, available at https://shields.com/notice-of-data-security-incident/ (last accessed June 9, 2022).

34. Upon information and belief, the cyber-attack was “soft targeted” at Defendant, due to Defendant’s status as a healthcare entity that collects, creates, and maintains both PII and PHI. The “soft targeted” cyber-attack was expressly designed to gain access to private and confidential data, including (among other things) the PII and PHI of patients like Plaintiff and Class Members.

35. Defendant’s investigation into the Data Breach found that cybercriminals had been able to access patient files that included names, addresses, dates of birth, Social Security numbers, patient ID numbers, insurance information, and/or medical information related to care received.[11]

36. At minimum, due to inadequate security precautions, between March 7, 2022 and March 21, 2022, the PII and PHI of approximately two million patients was exposed.[12]

37. Despite investigating the Data Breach on or about March 18, 2022, Defendant did not publish a press release regarding the Data Breach until approximately June 7, 2022, stating the information that was accessed included:

“Full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.”[13]

38. This was the first notice of the Data Breach that Shields provided to its patients.

39. Based on Defendant’s disclosures, Plaintiff believes his Private Information was stolen from Defendant’s network (and subsequently sold) in the Data Breach. Ever since the Data Breach, Plaintiff Turpin has been the victim of increased spam calls and phishing attempts.

[10] Id.
[11] Id.
[12] Associated Press, Data breach at health care organization may affect 2 million, available at https://apnews.com/article/technology-health-us-department-of-and-human-services-boston-massachusetts-4aed357bc7f3fd0a8a88f40d13985fdf (last accessed June 9, 2022).
[13] Shields Health Care Group, Notice of Data Security Incident, available at https://shields.com/notice-of-data-security-incident/ (last accessed June 9, 2022).

40. Further, the removal of the Private Information from Defendant’s system—names, addresses, dates of birth, Social Security numbers (which are the keys to identity theft and fraud), insurance information, medical record numbers, and information regarding patient care—demonstrates that this cyber-attack was targeted.

41. Cyber-attacks against healthcare organizations such as Defendant are targeted and frequent. According to the 2019 Health Information Management Systems Society, Inc. (“HIMSS”) Cybersecurity Survey, “[a] pattern of cybersecurity threats and experiences is discernable across U.S. healthcare organizations. Significant security incidents are a near-universal experience in U.S. healthcare organizations with many of the incidents initiated by bad actors, leveraging e-mail as a means to compromise the integrity of their targets.”[14] “Hospitals have emerged as a primary target because they sit on a gold mine of sensitive personally identifiable information for thousands of patients at any given time. From Social Security and insurance policies to next of kin and credit cards, no other organization, including credit bureaus, have so much monetizable information stored in their data centers.”[15]

42. Defendant had obligations created by HIPAA, contract, industry standards, common law, and representations made to Plaintiff and the Class Members, to keep their Private Information confidential and to protect it from unauthorized access and disclosure.

43. Plaintiff and the Class Members provided their Private Information to Defendant with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access.

[14] https://www.himss.org/sites/hde/files/d7/u132196/2019_HIMSS_Cybersecurity_Survey_Final_Report.pdf (last accessed June 7, 2022).
[15] https://www.idigitalhealth.com/news/how-to-safeguard-hospital-data-from-email-spoofing-attacks (last accessed June 7, 2022).

44. By failing to protect their PII and PHI from cybercriminals, Defendant put all Class Members at risk of identity theft, financial fraud, and other serious harms.

45. Defendant negligently failed to take the necessary precautions required to safeguard and protect the PII and PHI of Plaintiff and the other Class Members from unauthorized disclosure. Defendant’s actions represent a flagrant disregard of Plaintiff’s and the other Class Members’ rights.

This Data Breach was Foreseeable

46. Defendant’s data security obligations were particularly important given the substantial increase in cyber-attacks and/or data breaches in the healthcare industry preceding the date of the breach.

47. Data breaches, including those perpetrated against the healthcare sector of the economy, have become widespread.

48. In 2019, a record 1,473 data breaches occurred, resulting in approximately 164,683,455 sensitive records being exposed, a 17% increase from 2018.[16]

49. Of the 1,473 recorded data breaches, 525 of them, or 35.64%, were in the medical or healthcare industry.[17]

50. PII and PHI are of great value to hackers and cybercriminals, and the data compromised in the Data Breach can be used for a variety of unlawful and nefarious purposes.

51. PII and PHI can be used to distinguish, identify, or trace an individual’s identity, such as their name, Social Security number, and medical records. This can be accomplished alone, or in combination with other personal or identifying information that is connected, or linked to an individual, such as their birthdate, birthplace, and mother’s maiden name.

[16] https://www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf (last accessed June 7, 2022).
[17] Id.

52. Given the nature of the Data Breach, it was foreseeable that the compromised PII and PHI could be used by hackers and cybercriminals in a variety of different ways.

53. Indeed, the cybercriminals who possess the Class Members’ PII and PHI can easily obtain Class Members’ tax returns or open fraudulent credit card accounts in the Class Members’ names.

54. Defendant was aware of the risk of data breaches because such breaches have dominated the headlines in recent years.

55. For instance, the 525 reported medical or healthcare data breaches reported in 2019 exposed nearly 40 million sensitive records (39,378,157), compared to only 369 breaches that exposed just over 10 million sensitive records (10,632,600) in 2018.[18]

56. Data breaches, such as the one experienced by Defendant, have become so notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack. As one report explained, “[e]ntities like smaller municipalities and hospitals are attractive to ransomware criminals…because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”[19]

57. The increase in such attacks, and attendant risk of future attacks, was widely known to the public and to anyone in Defendant’s industry, including Defendant.

[18] Id. at p. 15.
[19] https://www.law360.com/consumerprotection/articles/1220974/fbi-secret-service-warn-of-targeted-ransomware?nl_pk=3ed44a08-fcc2-4b6c-89f0-aa0155a8bb51&utm_source=newsletter&utm_medium=email&utm_campaign=consumerprotection (last accessed June 7, 2022).

Defendant Fails to Comply with FTC Guidelines

58. The Federal Trade Commission (“FTC”) has promulgated numerous guides for businesses which highlight the importance of implementing reasonable data security practices. According to the FTC, the need for data security should be factored into all business decision-making.

59. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which establishes cyber-security guidelines for businesses. The guidelines note that businesses should protect the personal customer information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies to correct any security problems. The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.

60. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.

61. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. The orders resulting from these actions have further clarified the measures businesses must take to meet their data security obligations.

62. These FTC enforcement actions include actions against healthcare providers like Defendant. See, e.g., In the Matter of LabMD, Inc., A Corp, 2016-2 Trade Cas. (CCH) ¶ 79708, 2016 WL 4128215, at *32 (MSNET July 28, 2016) (“[T]he Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice in violation of Section 5 of the FTC Act.”).

63. Defendant failed to properly implement basic data security practices widely known throughout the industry. Defendant’s failure to employ reasonable and appropriate measures to protect against unauthorized access to patient PII and PHI constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

64. Defendant was at all times fully aware of its obligation to protect the PII and PHI of its patients. Defendant was also aware of the significant repercussions that would result from its failure to do so.

Defendant Fails to Comply with Industry Standards

65. As shown above, experts studying cyber security routinely identify healthcare providers as being particularly vulnerable to cyber-attacks because of the value of the PII and PHI they collect and maintain.

66. Healthcare industry experts assert that “data breaches cost the healthcare industry approximately $5.6 billion every year[.]”

67. According to the University of Illinois Chicago (UIC), “[t]o improve cybersecurity in healthcare, organizations need to hire informatics professionals who can not only collect, manage and leverage data, but protect it as well.”[20]

68. UIC has identified several strategies and best practices that, at a minimum, should be implemented by healthcare providers like Defendant, including but not limited to: establishing a security culture; protecting mobile devices; thoroughly educating all employees; strong passwords that need to be changed regularly; multi-layer security, including firewalls, anti-virus, and anti-malware software; limiting network access; controlling physical access to devices; encryption; making data unreadable without a password or key; multi-factor authentication; backup data; and limiting employees’ access to sensitive and protected data.[21]

69. A number of industry and national best practices have been published and are widely used as a go-to resource when developing an institution’s cybersecurity standards. The Center for Internet Security (CIS) released its Critical Security Controls, and all healthcare institutions are strongly advised to follow these guidelines.[22]

70. Other cybersecurity best practices that are standard in the healthcare industry include installing appropriate malware detection software; monitoring and limiting the network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches, and routers; monitoring and the protection of physical security systems; protecting against any possible communication system; and training staff regarding critical points.

71. Upon information and belief, Defendant failed to meet the minimum standards of both the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2) and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are established frameworks for reasonable cybersecurity readiness.

[20] See Cybersecurity: How Can It Be Improved in Health Care?, Health Informatics, University of Illinois Chicago, available at https://healthinformatics.uic.edu/blog/cybersecurity-how-can-it-be-improved-in-health-care/ (last accessed June 7, 2022).
[21] Id.
[22] https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq/ (last accessed June 7, 2022).

Defendant’s Conduct Violates HIPAA and Evidences Its Insufficient Data Security

72. HIPAA requires covered entities to protect against reasonably anticipated threats to the security of sensitive patient health information.

73. Covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of sensitive patient health information. Safeguards must include physical, technical, and administrative components.

74. Title II of HIPAA contains what are known as the Administrative Simplification provisions. 42 U.S.C. § 1301, et seq. These provisions require, among other things, that the Department of Health and Human Services (“HHS”) create rules to streamline the standards for handling Private Information like the data Defendant left unguarded. The HHS subsequently promulgated multiple regulations under authority of the Administrative Simplification provisions of HIPAA. These rules include 45 C.F.R. § 164.306(a)(1-4); 45 C.F.R. § 164.312(a)(1); 45 C.F.R. § 164.308(a)(1)(i); 45 C.F.R. § 164.308(a)(1)(ii)(D), and 45 C.F.R. § 164.530(b).

75. Defendant’s Data Breach resulted from a combination of insufficiencies that demonstrate it failed to comply with safeguards mandated by HIPAA regulations.

Defendant’s Breach

76. Defendant breached its obligations to Plaintiff and the Class Members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard the Defendant computer systems, network, and data. Defendant’s unlawful conduct includes, but is not limited to, the following acts and/or omissions:

a. Failing to maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks;

b. Failing to adequately protect patients’ Private Information;

c. Failing to properly monitor its own data security systems for existing intrusions, brute-force attempts, and clearing of event logs;

d. Failing to apply all available security updates;

e. Failing to install the latest software patches, update its firewalls, check user account privileges, or ensure proper security practices;

f. Failing to practice the principle of least-privilege and maintain credential hygiene;

g. Failing to avoid the use of domain-wide, admin-level service accounts;

h. Failing to employ or enforce the use of strong randomized, just-in-time local administrator passwords;

i. Failing to properly train and supervise employees in the proper handling of inbound emails;

j. Failing to ensure the confidentiality and integrity of electronic PHI it created, received, maintained, and/or transmitted, in violation of 45 C.F.R. § 164.306(a)(1);

k. Failing to implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights in violation of 45 C.F.R. § 164.312(a)(1);

l. Failing to implement policies and procedures to prevent, detect, contain, and correct security violations in violation of 45 C.F.R. § 164.308(a)(1)(i);

m. Failing to implement procedures to review records of information system activity regularly, such as audit logs, access reports, and security incident tracking reports in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D);

n. Failing to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI in violation of 45 C.F.R. § 164.306(a)(2);

o. Failing to protect against reasonably anticipated uses or disclosures of electronic PHI that are not permitted under the privacy rules regarding individually identifiable health information in violation of 45 C.F.R. § 164.306(a)(3);

p. Failing to ensure compliance with HIPAA security standard rules by its workforces in violation of 45 C.F.R. § 164.306(a)(4);

q. Failing to train all members of its workforces effectively on the policies and procedures regarding PHI as necessary and appropriate for the members of its workforces to carry out their functions and to maintain security of PHI, in violation of 45 C.F.R. § 164.530(b); and/or

r. Failing to render the electronic PHI it maintained unusable, unreadable, or indecipherable to unauthorized individuals, as it had not encrypted the electronic PHI as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key,” 45 CFR § 164.304 (definition of encryption).

77. As the result of allowing its computer systems to fall into dire need of security upgrading and its inadequate procedures for handling cybersecurity threats, Defendant negligently and unlawfully failed to safeguard Plaintiff’s and the Class Members’ Private Information.

Data Breaches Cause Disruption and Put Consumers at an Increased Risk of Fraud and Identity Theft

78. Cyber-attacks at medical facilities such as Defendant’s are especially problematic because of the disrupti