Case: 2:22-cv-00184-SDM-EPD Doc #: 1 Filed: 01/19/22 Page: 1 of 42 PAGEID #: 1

UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF OHIO
EASTERN DIVISION

KATHLEEN TUCKER, on behalf of herself and all others similarly situated,

Plaintiff,

v.

MARIETTA AREA HEALTH CARE INC. D/B/A MEMORIAL HEALTH SYSTEM,

Defendant.

Case No.

Judge

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

CLASS ACTION COMPLAINT

Plaintiff Kathleen Tucker, individually and on behalf of all others similarly situated, brings this action against Defendant Marietta Area Health Care Inc. d/b/a Memorial Health System (hereinafter “Memorial Health” or “Defendant”), an Ohio corporation, to obtain damages, restitution, and injunctive relief for the Class, as defined below, from Defendant. Plaintiff makes the following allegations upon information and belief, except as to her own actions, the investigation of her counsel, and the facts that are a matter of public record.

NATURE OF THE ACTION

1. This class action arises out of the recent targeted cyberattack and data breach (“Data Breach”) on Memorial Health’s network that resulted in unauthorized access to customer data. As a result of the Data Breach, Plaintiff and approximately 216,478 Class Members[1] suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses, and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.

[1] https://apps.web.maine.gov/online/aeviewer/ME/40/e7861ebb-6f43-4fe7-9619-25762e3be35d.shtml (Last visited Jan. 19, 2022).

2. In addition, Plaintiff’s and Class Members’ sensitive personal information—which was entrusted to Memorial Health, its officials, and agents—was compromised and unlawfully accessed due to the Data Breach.

3. Information compromised in the Data Breach includes names, dates of birth, medical record numbers, patient account numbers, and Social Security Numbers (“PII”), and medical and treatment information (“PHI”). The PII and PHI that Defendant Memorial Health collected and maintained will be collectively referred to as the “Private Information.”

4. Plaintiff brings this class action lawsuit on behalf of those similarly situated to address Defendant’s inadequate safeguarding of Class Members’ Private Information that it collected and maintained, and its failure to provide timely and adequate notice to Plaintiff and other Class Members that their information had been subject to the unauthorized access of an unknown third party and precisely what specific types of information were accessed.

5. Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant’s computer system and network in a condition vulnerable to cyberattacks. Upon information and belief, the mechanism of the cyberattack and the potential for improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to Defendant, and thus Defendant was on notice that failing to take the steps necessary to secure the Private Information from those risks left that property in a dangerous condition.

6. Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s negligent conduct, since the Private Information that Memorial Health collected and maintained is now in the hands of data thieves.

7. Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes including, e.g., opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ names to obtain medical services, using Class Members’ health information to target other phishing and hacking intrusions based on their individual health needs, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph, and giving false information to police during an arrest.

8. As a result of the Data Breach, Plaintiff and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiff and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

9. Plaintiff and Class Members may also incur out-of-pocket costs for, e.g., purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft.

10. By her Complaint, Plaintiff seeks to remedy these harms on behalf of herself and all similarly situated individuals whose Private Information was accessed during the Data Breach.

11. Plaintiff seeks remedies including, but not limited to, compensatory damages, treble damages, punitive damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.

12. Accordingly, Plaintiff brings this action against Defendant seeking redress for its unlawful conduct, and asserting claims for: (i) negligence, (ii) negligence per se, (iii) breach of implied contract, and (iv) unjust enrichment.

THE PARTIES

13. Plaintiff Kathleen Tucker is a natural person, resident, and citizen of the State of West Virginia. She has lived in West Virginia since 1979 and has no intention of moving to a different state in the immediate future. She is registered to vote in West Virginia as well. Plaintiff Tucker is acting on her own behalf and on behalf of others similarly situated. Defendant obtained and continues to maintain Plaintiff Tucker’s PII and PHI and owed her a legal duty and obligation to protect that PII and PHI from unauthorized access and disclosure. Plaintiff Tucker would not have entrusted her PII and PHI to Defendant had she known that Defendant failed to maintain adequate data security. Plaintiff Tucker’s PII and PHI were compromised and disclosed as a result of Defendant’s inadequate data security and the Data Breach.

JURISDICTION AND VENUE

14. This Court has original jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2), because this is a class action involving more than 100 putative class members and the amount in controversy exceeds $5,000,000, exclusive of interest and costs. Plaintiff (and many members of the class) and Defendant are citizens of different states.

15. This Court has general personal jurisdiction over Memorial Health because Memorial Health’s principal place of business is in Marietta, Ohio, where it regularly conducts business.

16. Venue is proper in this District under 28 U.S.C. §§ 1391(a)(2), 1391(b)(2), and 1391(c)(2) because a substantial part of the events giving rise to the claims emanated from activities within this District, and Memorial Health conducts substantial business in this District.

DEFENDANT’S BUSINESS

17. Memorial Health provides comprehensive medical care throughout Marietta and the surrounding region.

18. Defendant Memorial Health “employs over 2,700 employees, including 325 providers representing 64 clinics.”[2] Memorial Health represents that it “strive[s] to deliver quality, affordable care with an additional focus on medical and community service.”[3]

19. Defendant Memorial Health claims it “is dedicated to providing you with healthcare information and referral services of the highest quality, while at the same time protecting your privacy.”[4]

20. Defendant Memorial Health further claims it is “very concerned with the security of your personally identifiable information and take[s] great care in providing secure transmission of your information from your computer to our services.”[5] Defendant also states that “[o]nce we receive your information, we take appropriate steps that we believe are reasonable to protect the security of your data on our system.”[6]

21. On information and belief, in the ordinary course of rendering healthcare services, Memorial Health requires its patients and customers to provide sensitive personal and private information such as:

• Name, address, phone number, and email address;
• Date of birth;
• Demographic information;
• Social Security number;
• Financial information;
• Information relating to individual medical history;
• Information concerning an individual’s doctor, nurse, or other medical providers;
• Photo identification;
• Employment information; and
• Other information that may be deemed necessary to provide care.

[2] Mission and Vision, Memorial Health, https://mhsystem.org/missionandvision (Last visited Jan. 19, 2022).
[3] Id.
[4] Web Site Privacy Notice, Memorial Health, https://mhsystem.org/websiteprivacy (Last visited Jan. 19, 2022).
[5] Id.
[6] Id.

22. Additionally, Memorial Health may receive private and personal information from other individuals and/or organizations that are part of a customer’s “circle of care,” such as referring physicians, customers’ other doctors, customers’ health plan(s), close friends, and/or family members.

23. On information and belief, Memorial Health provides each of its patients and customers with a HIPAA-compliant notice titled “Memorial Health of Ohio Notice of Privacy Practices” (the “Privacy Notice”) that explains how it handles customers’ sensitive and confidential information.[7]

24. The Privacy Notice is posted in Defendant’s offices, provided to every customer upon request, and a “summary” is posted on Defendant’s website.[8]

25. Because of the highly sensitive and personal nature of the information Defendant acquires and stores with respect to its customers, Memorial Health, upon information and belief, promises to, among other things: keep customers’ protected health information (PHI) private; comply with healthcare industry standards related to data security and Private Information; inform customers and patients of its legal duties and comply with all federal and state laws protecting customers’ and patients’ Private Information; only use and release customers’ Private Information for reasons that relate to the customers’ or patients’ medical care and treatment; provide adequate notice to customers if their Private Information is disclosed without authorization; and adhere to the terms outlined in the Privacy Notice.[9]

[7] See Notice of Privacy Practices, Memorial Health of Ohio, https://mhsystem.org/noticeofprivacypractice (Last visited Jan. 18, 2022).
[8] Id.
[9] https://mhsystem.org/noticeofprivacypractice (Last visited on Jan. 19, 2022).

26. As a condition of purchasing goods and services from Defendant, Memorial Health requires that its customers entrust it with Private Information.

27. By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class Members’ Private Information, Defendant assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiff’s and Class Members’ Private Information from unauthorized disclosure.

28. Plaintiff and the Class Members have taken reasonable steps to maintain the confidentiality of their Private Information.

29. Plaintiff and the Class Members relied on Defendant to implement and follow adequate data security policies and protocols, to keep their Private Information confidential and securely maintained, to use such Private Information solely for business and health care purposes, and to prevent the unauthorized disclosure of this information.

THE CYBERATTACK AND DATA BREACH

30. On August 14, 2021, Memorial Health identified the presence of malware on the Marietta servers, which was impacting all three Memorial Health hospitals in Ohio and West Virginia.

31. The Data Breach resulted in a ransomware group encrypting the hospital system and shutting down its IT systems.[10]

[10] https://www.bleepingcomputer.com/news/security/hive-ransomware-attacks-memorial-health-system-steals-patient-data/

32. Emergency protocols were implemented that forced the medical staff off-line and onto paper charts until the system could be restored, thereby placing patients at risk of medical errors. With no access to radiology or electronic charts, Memorial Health decided to divert emergency patients to other hospitals. Moreover, all urgent surgical appointments and radiology examinations were cancelled.[11]

33. It was reported that Hive ransomware, a known data security threat group, was responsible for the attack. Hive’s common course of conduct is to exfiltrate and steal data once it has gained access, before encrypting the victim’s systems. Hive maintains a leak site on the Dark Web that is used to pressure victims into paying the ransom once it has obtained the sensitive information.[12] “By exfiltrating information, the attackers have more leverage to force the victim to pay the ransom in exchange for the promise to not share or leak the stolen data and to provide a decryption tool.”[13]

34. Upon information and belief, Plaintiff’s and Class Members’ information was exfiltrated and stolen in the attack. Indeed, Bleeping Computer reported that evidence has been obtained that suggests databases containing the Private Information were stolen in the attack.[14]

35. Memorial Health “worked with national cybersecurity experts to resolve the impact of a cyber attack in the early morning hours of August 15, 2021.”[15]

36. Through the investigation, Defendant determined that from July 10, 2021 through August 15, 2021, an unauthorized actor had “accessed certain systems within their network.”[16]

[11] https://www.hipaajournal.com/cyberattack-forces-memorial-health-system-to-divert-patients-to-alternate-hospitals/ (Last visited Jan. 19, 2022)
[12] Id.
[13] https://www.bleepingcomputer.com/news/security/hive-ransomware-attacks-memorial-health-system-steals-patient-data/
[14] Id.
[15] Id.
[16] Ex. 1, https://mhsystem.org/assets/documents/DataNotice.pdf (Last visited Jan. 19, 2022)

37. Furthermore, the investigation determined that the accessed systems contained sensitive information that was accessible, unprotected, and vulnerable to acquisition and/or exfiltration by the unauthorized actor.[17]

38. The types of Private Information accessed by the unauthorized actor included names, dates of birth, medical record numbers, patient account numbers, Social Security Numbers, and medical and treatment information.[18]

39. As a result of the Data Breach, Memorial Health was required to follow “a deliberate, systematic approach to bring systems back online securely and in a manner that prioritizes [Memorial Health’s] ability to provide patient care.”[19] In addition, the investigation revealed that approximately 216,478 individuals were victims of the Data Breach.[20]

40. While Memorial Health stated in its “Notice of Data Security Incident” letter that it discovered the attack on August 15, 2021, Memorial Health did not begin notifying victims until January 10, 2022, approximately five months after discovering the Data Breach.

41. Upon information and belief, and based on the type of cyber attack, along with public news reports, it is plausible and likely that Plaintiff’s Private Information was stolen in the Data Breach. Plaintiff further believes her Private Information was likely subsequently sold on the dark web following the Data Breach, as that is the common modus operandi of cybercriminals who steal such data.

42. Defendant had obligations created by HIPAA, contract, industry standards, common law, and its own promises and representations made to Plaintiff and Class Members to keep their Private Information confidential and to protect it from unauthorized access and disclosure.

[17] Id.
[18] Id.
[19] Id.
[20] https://apps.web.maine.gov/online/aeviewer/ME/40/e7861ebb-6f43-4fe7-9619-25762e3be35d.shtml

43. Plaintiff and Class Members provided their Private Information to Defendant with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access.

44. Defendant’s data security obligations were particularly important given the substantial increase in cyberattacks and/or data breaches in the healthcare industry preceding the date of the breach.

45. In light of recent high-profile data breaches at other healthcare partner and provider companies, Defendant knew or should have known that its electronic records and patient and customer Private Information would be targeted by cybercriminals and ransomware attack groups like Hive.

46. Indeed, cyberattacks on medical systems like Defendant’s have become so notorious that the FBI and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack. As one report explained, “[e]ntities like smaller municipalities and hospitals are attractive . . . because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”[21]

47. In fact, according to the cybersecurity firm Mimecast, 90% of healthcare organizations experienced cyberattacks in the past year.[22]

48. Therefore, the increase in such attacks, and the attendant risk of future attacks, was widely known to the public and to anyone in Defendant’s industry, including Defendant.

[21] FBI, Secret Service Warn of Targeted Ransomware, Law360 (Nov. 18, 2019), https://www.law360.com/articles/1220974/fbi-secret-service-warn-of-targeted-ransomware (last visited June 23, 2021).
[22] See Maria Henriquez, Iowa City Hospital Suffers Phishing Attack, Security Magazine (Nov. 23, 2020), https://www.securitymagazine.com/articles/93988-iowa-city-hospital-suffers-phishing-attack.

Defendant Fails to Comply with FTC Guidelines

49. The Federal Trade Commission (“FTC”) has promulgated numerous guides for businesses which highlight the importance of implementing reasonable data security practices. According to the FTC, the need for data security should be factored into all business decision-making.

50. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established cybersecurity guidelines for businesses. The guidelines note that businesses should protect the personal customer information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies to correct any security problems.[23] The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.[24]
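The last of those recommendations, watching for large amounts of data being transmitted out of the system, is the control that would have surfaced a Hive-style exfiltration while it was in progress rather than months later. The following Python is an added example, not code from the complaint, from Memorial Health, or from the FTC: it runs that check over constructed flow-log lines, summing each host’s bytes sent to addresses outside an assumed internal range and flagging hosts that exceed both an absolute volume and a multiple of their own baseline. The key=value log format, the internal address ranges, the baseline table, the thresholds, and the sample records are all assumptions made for illustration.

```python
"""Flag hosts moving unusually large volumes of data out of the network.

Added example (not from the complaint or from Memorial Health): the
'watch for large amounts of data being transmitted from the system'
check, run over constructed flow-log lines.  Log format, address ranges
and baselines are all assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample flow records in a generic key=value form (not a vendor format).
# 10.20.1.15 pushes about 4 GB to one outside host; the rest is routine traffic.
SAMPLE_FLOWS = """\
2021-08-14T01:02:11Z src=10.20.1.15 dst=10.20.9.4 dport=445 bytes_out=18234110
2021-08-14T01:05:40Z src=10.20.1.15 dst=203.0.113.77 dport=443 bytes_out=2147483648
2021-08-14T01:09:03Z src=10.20.1.15 dst=203.0.113.77 dport=443 bytes_out=1932735283
2021-08-14T01:12:55Z src=10.20.2.31 dst=198.51.100.20 dport=443 bytes_out=4200000
2021-08-14T01:15:20Z src=10.20.2.31 dst=198.51.100.20 dport=443 bytes_out=3900000
2021-08-14T01:20:01Z src=10.20.3.8 dst=192.0.2.10 dport=22 bytes_out=524288000
2021-08-14T01:25:47Z src=10.20.4.2 dst=192.0.2.10 dport=22 bytes_out=1500000000
this line is malformed and must be skipped, not crash the detector
"""

# Assumed internal address space; a destination outside it counts as egress.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed baseline: typical daily external egress per host, in bytes.
# A host missing from the table has no known normal and is treated as suspect.
BASELINE_BYTES = {
    "10.20.1.15": 50_000_000,
    "10.20.2.31": 8_000_000,
    "10.20.3.8": 10_000_000,
}

FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)"
)


@dataclass(frozen=True)
class Finding:
    host: str
    bytes_out: int
    baseline: int
    ratio: float        # bytes_out / baseline; inf when the host has no baseline
    destinations: tuple  # external hosts the data went to


def parse_flows(text):
    """Yield (src, dst, dport, bytes_out) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m is None:
            continue
        yield m["src"], m["dst"], int(m["dport"]), int(m["bytes"])


def is_internal(addr):
    """True if addr falls in our own ranges. Unparseable addresses are treated as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def detect_bulk_egress(text, baselines, min_bytes=1_000_000_000, min_ratio=5.0):
    """Return findings for hosts whose external egress is both large in absolute
    terms (>= min_bytes) and far above their own baseline (>= min_ratio times it).
    Requiring both avoids paging on a busy server's ordinary day or on a quiet host
    that merely doubled a tiny baseline."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for src, dst, _dport, nbytes in parse_flows(text):
        if is_internal(dst):
            continue  # east-west traffic is not egress
        totals[src] += nbytes
        dests[src].add(dst)

    findings = []
    for host in sorted(totals):
        total = totals[host]
        base = baselines.get(host, 0)
        ratio = total / base if base else float("inf")
        if total >= min_bytes and ratio >= min_ratio:
            findings.append(Finding(host, total, base, ratio, tuple(sorted(dests[host]))))
    return findings


if __name__ == "__main__":
    for f in detect_bulk_egress(SAMPLE_FLOWS, BASELINE_BYTES):
        print(f"{f.host}: {f.bytes_out / 1e9:.2f} GB out to {', '.join(f.destinations)} "
              f"(baseline {f.baseline / 1e6:.0f} MB, x{f.ratio:.0f})")
```

In practice the baseline comes from the same flow source over a trailing window rather than a hand-written table. The absolute floor is what keeps a quiet workstation that doubles a few megabytes from paging anyone; the ratio is what catches a file server that normally talks only east-west. A host with no baseline at all is flagged on volume alone, since a never-before-seen talker is exactly what a fresh intrusion produces.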

51. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.

52. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

[23] Protecting Personal Information: A Guide for Business, Federal Trade Commission (2016). Available at https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf (last visited Jan. 19, 2022).
[24] Id.

53. These FTC enforcement actions include actions against healthcare providers like Defendant. See, e.g., In the Matter of LabMD, Inc., A Corp, 2016-2 Trade Cas. (CCH) ¶ 79708, 2016 WL 4128215, at *32 (MSNET July 28, 2016) (“[T]he Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice in violation of Section 5 of the FTC Act.”)

54. Defendant failed to properly implement basic data security practices.

55. Defendant’s failure to employ reasonable and appropriate measures to protect against unauthorized access to customers’ PII and PHI constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

56. Defendant was at all times fully aware of its obligation to protect the PII and PHI of its customers. Defendant was also aware of the significant repercussions that would result from its failure to do so.

Defendant Fails to Comply with Industry Standards

57. As shown above, experts studying cybersecurity routinely identify healthcare providers as being particularly vulnerable to cyberattacks because of the value of the PII and PHI which they collect and maintain.

58. Several best practices have been identified that at a minimum should be implemented by healthcare providers like Defendant, including but not limited to: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable without a key; multi-factor authentication; backing up data; and limiting which employees can access sensitive data.

59. Other cybersecurity best practices that are standard in the healthcare industry include installing appropriate malware detection software; monitoring and limiting network ports; protecting web browsers and email management systems; properly configuring network systems such as firewalls, switches, and routers; monitoring and protecting physical security systems; protecting communication systems; and training staff on these critical points.

60. Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness.

61. The foregoing frameworks are existing and applicable industry standards in the healthcare industry, and Defendant failed to comply with these accepted standards, thereby opening the door to the cyber incident and causing the data breach.

Defendant’s Conduct Violates HIPAA and Evidences Its Insufficient Data Security

62. HIPAA requires covered entities to protect against reasonably anticipated threats to the security of sensitive patient health information.

63. Covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Safeguards must include physical, technical, and administrative components.

64. Title II of HIPAA contains what are known as the Administrative Simplification provisions. 42 U.S.C. §§ 1320d et seq. These provisions require, among other things, that the Department of Health and Human Services (“HHS”) create rules to streamline the standards for handling PII like the data Defendant left unguarded. HHS subsequently promulgated multiple regulations under the authority of the Administrative Simplification provisions of HIPAA. These rules include 45 C.F.R. § 164.306(a)(1)-(4); 45 C.F.R. § 164.312(a)(1); 45 C.F.R. § 164.308(a)(1)(i); 45 C.F.R. § 164.308(a)(1)(ii)(D); and 45 C.F.R. § 164.530(b).

65. A Data Breach such as the one Defendant experienced is considered a breach under the HIPAA Rules because there is an access of PHI not permitted under the HIPAA Privacy Rule:

    A breach under the HIPAA Rules is defined as, “...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. § 164.402.

66. Defendant’s Data Breach resulted from a combination of insufficiencies that demonstrate Memorial Health failed to comply with safeguards mandated by HIPAA regulations.

DEFENDANT’S BREACH

67. Defendant breached its obligations to Plaintiff and Class Members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard its computer systems and data. Defendant’s unlawful conduct includes, but is not limited to, the following acts and/or omissions:

a. Failing to maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks;

b. Failing to adequately protect customers’ Private Information;

c. Failing to properly monitor its own data security systems for existing intrusions;

d. Failing to ensure that its vendors with access to its computer systems and data employed reasonable security procedures;

e. Failing to train its employees in the proper handling of emails containing PII and PHI and to maintain adequate email security practices;

f. Failing to ensure the confidentiality and integrity of electronic PHI it created, received, maintained, and/or transmitted, in violation of 45 C.F.R. § 164.306(a)(1);

g. Failing to implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights, in violation of 45 C.F.R. § 164.312(a)(1);

h. Failing to implement policies and procedures to prevent, detect, contain, and correct security violations, in violation of 45 C.F.R. § 164.308(a)(1)(i);

i. Failing to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D);

j. Failing to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI, in violation of 45 C.F.R. § 164.306(a)(2);

k. Failing to protect against reasonably anticipated uses or disclosures of electronic PHI that are not permitted under the privacy rules regarding individually identifiable health information, in violation of 45 C.F.R. § 164.306(a)(3);

l. Failing to ensure compliance with the HIPAA security standard rules by its workforce, in violation of 45 C.F.R. § 164.306(a)(4);

m. Failing to train all members of its workforce effectively on the policies and procedures regarding PHI as necessary and appropriate for the members of its workforce to carry out their functions and to maintain the security of PHI, in violation of 45 C.F.R. § 164.530(b);

n. Failing to render the electronic PHI it maintained unusable, unreadable, or indecipherable to unauthorized individuals, as it had not encrypted the electronic PHI as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 C.F.R. § 164.304’s definition of “encryption”);

o. Failing to comply with FTC guidelines for cybersecurity, in violation of Section 5 of the FTC Act;

p. Failing to adhere to industry standards for cybersecurity as discussed above; and

q. Otherwise breaching its duties and obligations to protect Plaintiff’s and Class Members’ Private Information.

68. Defendant negligently and unlawfully failed to safeguard Plaintiff’s and Class Members’ Private Information by allowing cyberthieves to access Memorial Health’s computer network and systems, which contained unsecured and unencrypted PII.

69. Accordingly, as outlined below, Plaintiff and Class Members now face an increased risk of fraud and identity theft. In addition, Plaintiff and the Class Members also lost the benefit of the bargain they made with Defendant.

Cyberattacks and Data Breaches Cause Disruption and Put Consumers at an Increased Risk of Fraud and Identity Theft

70. Cyberattacks and data breaches at healthcare providers like Defendant are especially problematic because they can negatively impact the overall daily lives of individuals affected by the attack.

71. Researchers have found that among medical service providers that experienced a data security incident, the death rate among patients increased in the months and years after the attack.[25]

72. Researchers have further found that at medical service providers that experienced a data security incident, the incident was associated with deterioration in timeliness and patient outcomes generally.[26]

73. The United States Government Accountability Office released a report in 2007 regarding data breaches (“GAO Report”) in which it noted that victims of identity theft will face “substantial costs and time to repair the damage to their good name and credit record.”[27]

74. That is because any victim of a data breach is exposed to serious ramifications regardless of the nature of the data. Indeed, the reason criminals steal personally identifiable information is to monetize it. They do this by selling the spoils of their cyberattacks on the black market to identity thieves who extort and harass victims, or take over victims’ identities in order to engage in illegal financial transactions under the victims’ names. Because a person’s identity is akin to a puzzle, the more accurate pieces of data an identity thief obtains about a person, the easier it is for the thie

[25] See Nsikan Akpan, Ransomware and Data Breaches Linked to Uptick in Fatal Heart Attacks, PBS (Oct. 24, 2019), https://www.pbs.org/newshour/science/ransomware-and-other-data-breaches-linked-to-uptick-in-fatal-heart-attacks.
[26] See Sung J. Choi et al., Data Breach Remediation Efforts and Their Implications for Hospital Quality, 54 Health Services Research 971, 971-980 (2019). Available at https://onlinelibrary.wiley.com/doi/full/10.1111/1475-6773.13203.
[27] See U.S. Gov’t Accountability Office, GAO-07-737, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (2007). Available at https://www.gao.gov/new.items/d07737.pdf.