UNITED STATES DISTRICT COURT
SOUTHERN DISTRICT OF OHIO
EASTERN DIVISION

KATHLEEN TUCKER, on behalf of herself and all others similarly situated,

Plaintiff,

v.

MARIETTA AREA HEALTH CARE INC. D/B/A MEMORIAL HEALTH SYSTEM,

Defendant.

Case No.

Judge

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

CLASS ACTION COMPLAINT

Plaintiff Kathleen Tucker, individually and on behalf of all others similarly situated, brings this action against Defendant Marietta Area Health Care Inc. d/b/a Memorial Health System (hereinafter “Memorial Health” or “Defendant”), an Ohio corporation, to obtain damages, restitution, and injunctive relief for the Class, as defined below, from Defendant. Plaintiff makes the following allegations upon information and belief, except as to her own actions, the investigation of her counsel, and the facts that are a matter of public record.

NATURE OF THE ACTION

1. This class action arises out of the recent targeted cyberattack and data breach (“Data Breach”) on Memorial Health’s network that resulted in unauthorized access to customer data. As a result of the Data Breach, Plaintiff and approximately 216,478 Class Members[1] suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses, and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.

[1] https://apps.web.maine.gov/online/aeviewer/ME/40/e7861ebb-6f43-4fe7-9619-25762e3be35d.shtml (last visited Jan. 19, 2022).

Case: 2:22-cv-00184-SDM-EPD Doc #: 1 Filed: 01/19/22 Page: 2 of 42 PAGEID #: 2

2. In addition, Plaintiff’s and Class Members’ sensitive personal information, which was entrusted to Memorial Health, its officials and agents, was compromised and unlawfully accessed due to the Data Breach.

3. Information compromised in the Data Breach includes names, dates of birth, medical record numbers, patient account numbers, and Social Security Numbers (“PII”), and medical and treatment information (“PHI”). The PII and PHI that Defendant Memorial Health collected and maintained will be collectively referred to as the “Private Information.”

4. Plaintiff brings this class action lawsuit on behalf of those similarly situated to address Defendant’s inadequate safeguarding of Class Members’ Private Information that it collected and maintained, and its failure to provide timely and adequate notice to Plaintiff and other Class Members that their information had been subject to the unauthorized access of an unknown third party and precisely what specific type of information was accessed.

5. Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant’s computer system and network in a condition vulnerable to cyberattacks. Upon information and belief, the mechanism of the cyberattack and the potential for improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to Defendant, and thus Defendant was on notice that failing to take the steps necessary to secure the Private Information from those risks left that property in a dangerous condition.

6. Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s negligent conduct, since the Private Information that Memorial Health collected and maintained is now in the hands of data thieves.

7. Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes including, e.g., opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ names to obtain medical services, using Class Members’ health information to target other phishing and hacking intrusions based on their individual health needs, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph, and giving false information to police during an arrest.

8. As a result of the Data Breach, Plaintiff and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiff and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

9. Plaintiff and Class Members may also incur out-of-pocket costs for, e.g., purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft.

10. By her Complaint, Plaintiff seeks to remedy these harms on behalf of herself and all similarly situated individuals whose Private Information was accessed during the Data Breach.

11. Plaintiff seeks remedies including, but not limited to, compensatory damages, treble damages, punitive damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.

12. Accordingly, Plaintiff brings this action against Defendant seeking redress for its unlawful conduct, and asserting claims for: (i) negligence, (ii) negligence per se, (iii) breach of implied contract, and (iv) unjust enrichment.

THE PARTIES

13. Plaintiff Kathleen Tucker is a natural person, resident, and citizen of the State of West Virginia. She has lived in West Virginia since 1979 and has no intention of moving to a different state in the immediate future. She is registered to vote in West Virginia as well. Plaintiff Tucker is acting on her own behalf and on behalf of others similarly situated. Defendant obtained and continues to maintain Plaintiff Tucker’s PII and PHI and owed her a legal duty and obligation to protect that PII and PHI from unauthorized access and disclosure. Plaintiff Tucker would not have entrusted her PII and PHI to Defendant had she known that Defendant failed to maintain adequate data security. Plaintiff Tucker’s PII and PHI were compromised and disclosed as a result of Defendant’s inadequate data security and the Data Breach.

JURISDICTION AND VENUE

14. This Court has original jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2), because this is a class action involving more than 100 putative class members and the amount in controversy exceeds $5,000,000, exclusive of interest and costs. Plaintiff (and many members of the class) and Defendant are citizens of different states.

15. This Court has general personal jurisdiction over Memorial Health because Memorial Health’s principal place of business is in Marietta, Ohio, where it regularly conducts business.

16. Venue is proper in this District under 28 U.S.C. §§ 1391(a)(2), 1391(b)(2), and 1391(c)(2) because a substantial part of the events giving rise to the claims emanated from activities within this District, and Memorial Health conducts substantial business in this District.

DEFENDANT’S BUSINESS

17. Memorial Health provides comprehensive medical care throughout Marietta and the surrounding region.

18. Defendant Memorial Health “employs over 2,700 employees, including 325 providers representing 64 clinics.”[2] Memorial Health represents that it “strive[s] to deliver quality, affordable care with an additional focus on medical and community service.”[3]

19. Defendant Memorial Health claims it “is dedicated to providing you with healthcare information and referral services of the highest quality, while at the same time protecting your privacy.”[4]

20. Defendant Memorial Health further claims it is “very concerned with the security of your personally identifiable information and take[s] great care in providing secure transmission of your information from your computer to our services.”[5] Defendant also states that “[o]nce we receive your information, we take appropriate steps that we believe are reasonable to protect the security of your data on our system.”[6]

21. On information and belief, in the ordinary course of rendering healthcare services, Memorial Health requires its patients and customers to provide sensitive personal and private information such as:

• Name, address, phone number and email address;
• Date of birth;
• Demographic information;
• Social Security number;
• Financial information;
• Information relating to individual medical history;
• Information concerning an individual’s doctor, nurse or other medical providers;
• Photo identification;
• Employment information; and
• Other information that may be deemed necessary to provide care.

22. Additionally, Memorial Health may receive private and personal information from other individuals and/or organizations that are part of a customer’s “circle of care,” such as referring physicians, customers’ other doctors, customers’ health plan(s), close friends, and/or family members.

23. On information and belief, Memorial Health provides each of its patients and customers with a HIPAA-compliant notice titled “Memorial Health of Ohio Notice of Privacy Practices” (the “Privacy Notice”) that explains how it handles customers’ sensitive and confidential information.[7]

24. The Privacy Notice is posted in Defendant’s offices, provided to every customer upon request, and a “summary” is posted on Defendant’s website.[8]

25. Because of the highly sensitive and personal nature of the information Defendant acquires and stores with respect to its customers, Memorial Health, upon information and belief, promises to, among other things: keep customers’ protected health information (PHI) private; comply with healthcare industry standards related to data security and Private Information; inform customers and patients of its legal duties and comply with all federal and state laws protecting customers’ and patients’ Private Information; only use and release customers’ Private Information for reasons that relate to the customers’ or patients’ medical care and treatment; provide adequate notice to customers if their Private Information is disclosed without authorization; and adhere to the terms outlined in the Privacy Notice.[9]

26. As a condition of purchasing goods and services from Defendant, Memorial Health requires that its customers entrust it with Private Information.

27. By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class Members’ Private Information, Defendant assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiff’s and Class Members’ Private Information from unauthorized disclosure.

28. Plaintiff and the Class Members have taken reasonable steps to maintain the confidentiality of their Private Information.

29. Plaintiff and the Class Members relied on Defendant to implement and follow adequate data security policies and protocols, to keep their Private Information confidential and securely maintained, to use such Private Information solely for business and health care purposes, and to prevent the unauthorized disclosure of this information.

THE CYBERATTACK AND DATA BREACH

30. On August 14, 2021, Memorial Health identified the presence of malware on the Marietta servers that was impacting all three Memorial Health hospitals in Ohio and West Virginia.

31. The Data Breach resulted in a ransomware group encrypting the hospital system and shutting down its IT systems.[10]

[2] Mission and Vision, Memorial Health, https://mhsystem.org/missionandvision (last visited Jan. 19, 2022).
[3] Id.
[4] Web Site Privacy Notice, Memorial Health, https://mhsystem.org/websiteprivacy (last visited Jan. 19, 2022).
[5] Id.
[6] Id.
[7] See Notice of Privacy Practices, Memorial Health of Ohio, https://mhsystem.org/noticeofprivacypractice (last visited Jan. 18, 2022).
[8] Id.
[9] https://mhsystem.org/noticeofprivacypractice (last visited Jan. 19, 2022).
[10] https://www.bleepingcomputer.com/news/security/hive-ransomware-attacks-memorial-health-system-steals-patient-data/

32. Emergency protocols were implemented that forced the medical staff offline and to work with paper charts until the system could be restored, thereby placing patients at risk of medical errors. With no access to radiology or electronic charts, Memorial Health decided to divert emergency patients to other hospitals. Moreover, all urgent surgical appointments and radiology examinations were cancelled.[11]

33. It was reported that Hive ransomware, a known data security threat group, was responsible for the attack. Hive’s common course of conduct is to exfiltrate and steal data once it has gained access, before encryption. Hive maintains a leak site on the dark web that is used to pressure victims into paying the ransom once it obtains the sensitive information.[12] “By exfiltrating information, the attackers have more leverage to force the victim to pay the ransom in exchange for the promise to not share or leak the stolen data and to provide a decryption tool.”[13]

34. Upon information and belief, Plaintiff’s and Class Members’ information was exfiltrated and stolen in the attack. Indeed, Bleeping Computer reported that evidence has been obtained that suggests databases containing the Sensitive Information were stolen in the attack.[14]

35. Memorial Health “worked with national cybersecurity experts to resolve the impact of a cyber attack in the early morning hours of August 15, 2021.”[15]

36. Through the investigation, Defendant determined that from July 10, 2021 through August 15, 2021, an unauthorized actor had “accessed certain systems within their network.”[16]

[11] https://www.hipaajournal.com/cyberattack-forces-memorial-health-system-to-divert-patients-to-alternate-hospitals/ (last visited Jan. 19, 2022).
[12] Id.
[13] https://www.bleepingcomputer.com/news/security/hive-ransomware-attacks-memorial-health-system-steals-patient-data/
[14] Id.
[15] Id.
[16] Ex. 1, https://mhsystem.org/assets/documents/DataNotice.pdf (last visited Jan. 19, 2022).

37. Furthermore, the investigation determined that the accessed systems contained sensitive information that was accessible, unprotected, and vulnerable to acquisition and/or exfiltration by the unauthorized actor.[17]

38. The Sensitive Information accessed by the unauthorized actor included names, dates of birth, medical record numbers, patient account numbers, Social Security Numbers, and medical and treatment information.[18]

39. As a result of the Data Breach, Memorial Health was required to follow “a deliberate, systematic approach to bring systems back online securely and in a manner that prioritizes [Memorial Health’s] ability to provide patient care.”[19] In addition, the investigation revealed that approximately 216,478 individuals were victims of the Data Breach.[20]

40. While Memorial Health stated in its “Notice of Data Security Incident” letter that it discovered the Data Breach on August 15, 2021, Memorial Health did not begin notifying victims until January 10, 2022, approximately five months after discovering the Data Breach.

41. Upon information and belief, and based on the type of cyberattack along with public news reports, it is plausible and likely that Plaintiff’s Private Information was stolen in the Data Breach. Plaintiff further believes her Private Information was likely subsequently sold on the dark web following the Data Breach, as that is the modus operandi of cybercriminals of this kind.

42. Defendant had obligations created by HIPAA, contract, industry standards, common law, and its own promises and representations made to Plaintiff and Class Members to keep their Private Information confidential and to protect it from unauthorized access and disclosure.

[17] Id.
[18] Id.
[19] Id.
[20] https://apps.web.maine.gov/online/aeviewer/ME/40/e7861ebb-6f43-4fe7-9619-25762e3be35d.shtml

43. Plaintiff and Class Members provided their Private Information to Defendant with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access.

44. Defendant’s data security obligations were particularly important given the substantial increase in cyberattacks and/or data breaches in the healthcare industry preceding the date of the breach.

45. In light of recent high-profile data breaches at other healthcare partner and provider companies, Defendant knew or should have known that its electronic records and patient and customer Sensitive Information would be targeted by cybercriminals and ransomware attack groups like Hive.

46. Indeed, cyberattacks on medical systems like Defendant’s have become so notorious that the FBI and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack. As one report explained, “[e]ntities like smaller municipalities and hospitals are attractive . . . because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”[21]

47. In fact, according to the cybersecurity firm Mimecast, 90% of healthcare organizations experienced cyberattacks in the past year.[22]

48. Therefore, the increase in such attacks, and the attendant risk of future attacks, was widely known to the public and to anyone in Defendant’s industry, including Defendant.

[21] FBI, Secret Service Warn of Targeted Ransomware, Law360 (Nov. 18, 2019), https://www.law360.com/articles/1220974/fbi-secret-service-warn-of-targeted-ransomware (last visited June 23, 2021).
[22] See Maria Henriquez, Iowa City Hospital Suffers Phishing Attack, Security Magazine (Nov. 23, 2020), https://www.securitymagazine.com/articles/93988-iowa-city-hospital-suffers-phishing-attack.

Defendant Fails to Comply with FTC Guidelines

49. The Federal Trade Commission (“FTC”) has promulgated numerous guides for businesses which highlight the importance of implementing reasonable data security practices. According to the FTC, the need for data security should be factored into all business decision-making.

50. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established cybersecurity guidelines for businesses. The guidelines note that businesses should protect the personal customer information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies to correct any security problems.[23] The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.[24]

51. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.
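The FTC recommendations in paragraphs 50 and 51 (an intrusion detection system, monitoring for suspicious activity, and watching for large amounts of data being transmitted from the system) and the Hive pattern described in paragraph 33 (exfiltrate first, then encrypt) share one observable: a host’s outbound byte volume jumping well above its own baseline. The following Python script is an added example written for this page to show what that check looks like in practice; it is not part of the complaint, of Memorial Health’s systems, or of any FTC publication. The flow records are constructed for illustration, and the internal address ranges, the CSV layout, and the thresholds (five times the host’s median, and at least 1 GB) are assumptions.

```python
"""Flag hosts whose outbound byte volume jumps well above their own
baseline, the trace a double-extortion actor leaves when it stages and
exfiltrates data before encrypting.

Added example, not part of the complaint. The flow records, address
ranges, CSV layout and thresholds are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import date
from statistics import median
import ipaddress

# Assumed: the organisation's own address ranges. Anything else is external,
# so only traffic that actually leaves the network counts toward a spike.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data, netflow-like CSV: date,src,dst,bytes.
# 10.20.1.15 sends ~40 MB/day to one SaaS address, then 6 GB to a new host.
# 10.20.1.22 has a 700 MB day: a high ratio, but under the absolute floor.
SAMPLE_FLOWS = """\
2021-07-05,10.20.1.15,203.0.113.10,41200000
2021-07-06,10.20.1.15,203.0.113.10,39800000
2021-07-07,10.20.1.15,203.0.113.10,44100000
2021-07-08,10.20.1.15,203.0.113.10,40500000
2021-07-09,10.20.1.15,203.0.113.10,38900000
2021-07-09,10.20.1.15,10.20.5.5,9000000000
2021-07-12,10.20.1.15,203.0.113.10,40000000
2021-07-12,10.20.1.15,198.51.100.77,6000000000
2021-07-05,10.20.1.22,203.0.113.10,118000000
2021-07-06,10.20.1.22,203.0.113.10,122000000
2021-07-07,10.20.1.22,203.0.113.10,119000000
2021-07-08,10.20.1.22,203.0.113.10,125000000
2021-07-09,10.20.1.22,203.0.113.10,121000000
2021-07-12,10.20.1.22,203.0.113.10,700000000
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow lines into (day, src, dst, nbytes) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, nbytes = line.split(",")
        rows.append((date.fromisoformat(day), src, dst, int(nbytes)))
    return rows


def daily_egress(rows):
    """Bytes per internal source per day, counting only internal->external
    flows; an internal backup job, however large, is not egress."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in rows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
    return totals


def find_spikes(totals, ratio=5.0, min_bytes=1_000_000_000, min_history=3):
    """Return (host, day, bytes_today, baseline) for each day whose egress is
    at least `ratio` times the host's median over earlier days AND above an
    absolute floor. The floor stops a quiet host's ordinary variance from
    alerting; the ratio stops a busy host's normal volume from alerting."""
    alerts = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # too little baseline to judge this host yet
            baseline = median(history)
            today = per_day[day]
            if today >= min_bytes and today >= ratio * baseline:
                alerts.append((host, day, today, baseline))
    return alerts


def top_destinations(rows, host, day, n=3):
    """External destinations receiving the most bytes from `host` on `day`,
    the first pivot an analyst wants once a spike is raised."""
    by_dst = defaultdict(int)
    for d, src, dst, nbytes in rows:
        if d == day and src == host and not is_internal(dst):
            by_dst[dst] += nbytes
    return sorted(by_dst.items(), key=lambda kv: kv[1], reverse=True)[:n]


def run(text=SAMPLE_FLOWS):
    """Parse, detect, and attach the top destinations to each alert."""
    rows = parse_flows(text)
    return [(host, str(day), today, baseline, top_destinations(rows, host, day))
            for host, day, today, baseline in find_spikes(daily_egress(rows))]


if __name__ == "__main__":
    for host, day, today, baseline, dests in run():
        print(f"{day} {host}: {today:,} B out vs median {baseline:,.0f} B; "
              f"top destinations {dests}")
```

Run as a script it reports the single flagged day, July 12 for 10.20.1.15, with 198.51.100.77 as the destination that received almost all of it. The two-condition rule is the point of the example: the 700 MB day on 10.20.1.22 is nearly six times that host’s baseline but stays under the absolute floor, and the 9 GB transfer on July 9 is ignored because its destination never leaves the network. In production the baseline would come from weeks of flow data, the internal ranges from the address plan, and the destination list would be compared against known-good SaaS endpoints before an analyst is paged.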

[23] Protecting Personal Information: A Guide for Business, Federal Trade Commission (2016), available at https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf (last visited Jan. 19, 2022).
[24] Id.

52. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

53. These FTC enforcement actions include actions against healthcare providers like Defendant. See, e.g., In the Matter of LabMD, Inc., A Corp., 2016-2 Trade Cas. (CCH) ¶ 79708, 2016 WL 4128215, at *32 (MSNET July 28, 2016) (“[T]he Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice in violation of Section 5 of the FTC Act.”).

54. Defendant failed to properly implement basic data security practices.

55. Defendant’s failure to employ reasonable and appropriate measures to protect against unauthorized access to customers’ PII and PHI constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

56. Defendant was at all times fully aware of its obligation to protect the PII and PHI of its customers. Defendant was also aware of the significant repercussions that would result from its failure to do so.

Defendant Fails to Comply with Industry Standards

57. As shown above, experts studying cybersecurity routinely identify healthcare providers as being particularly vulnerable to cyberattacks because of the value of the PII and PHI which they collect and maintain.

58. Several best practices have been identified that at a minimum should be implemented by healthcare providers like Defendant, including but not limited to: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable without a key; multi-factor authentication; backing up data; and limiting which employees can access sensitive data.

59. Other cybersecurity best practices that are standard in the healthcare industry include installing appropriate malware detection software; monitoring and limiting network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches and routers; monitoring and protecting physical security systems; protecting communication systems; and training staff regarding critical points.

60. Defendant failed to meet the minimum standards of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), both of which are established standards for reasonable cybersecurity readiness.

61. The foregoing frameworks are existing and applicable industry standards in the healthcare industry, and Defendant failed to comply with these accepted standards, thereby opening the door to the cyber incident and causing the data breach.

Defendant’s Conduct Violates HIPAA and Evidences Its Insufficient Data Security

62. HIPAA requires covered entities to protect against reasonably anticipated threats to the security of sensitive patient health information.

63. Covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Safeguards must include physical, technical, and administrative components.

64. Title II of HIPAA contains what are known as the Administrative Simplification provisions. 42 U.S.C. §§ 1301, et seq. These provisions require, among other things, that the Department of Health and Human Services (“HHS”) create rules to streamline the standards for handling PII like the data Defendant left unguarded. HHS subsequently promulgated multiple regulations under the authority of the Administrative Simplification provisions of HIPAA. These rules include 45 C.F.R. § 164.306(a)(1)-(4); 45 C.F.R. § 164.312(a)(1); 45 C.F.R. § 164.308(a)(1)(i); 45 C.F.R. § 164.308(a)(1)(ii)(D); and 45 C.F.R. § 164.530(b).

65. A Data Breach such as the one Defendant experienced is considered a breach under the HIPAA Rules because there is an access of PHI not permitted under the HIPAA Privacy Rule:

A breach under the HIPAA Rules is defined as “. . . the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. § 164.402.

66. Defendant’s Data Breach resulted from a combination of insufficiencies that demonstrate Memorial Health failed to comply with safeguards mandated by HIPAA regulations.

DEFENDANT’S BREACH

67. Defendant breached its obligations to Plaintiff and Class Members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard its computer systems and data. Defendant’s unlawful conduct includes, but is not limited to, the following acts and/or omissions:

a. Failing to maintain an adequate data security system to reduce the risk of data breaches and cyberattacks;

b. Failing to adequately protect customers’ Private Information;

c. Failing to properly monitor its own data security systems for existing intrusions;

d. Failing to ensure that its vendors with access to its computer systems and data employed reasonable security procedures;

e. Failing to train its employees in the proper handling of emails containing PII and PHI and to maintain adequate email security practices;

f. Failing to ensure the confidentiality and integrity of electronic PHI it created, received, maintained, and/or transmitted, in violation of 45 C.F.R. § 164.306(a)(1);

g. Failing to implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights, in violation of 45 C.F.R. § 164.312(a)(1);

h. Failing to implement policies and procedures to prevent, detect, contain, and correct security violations, in violation of 45 C.F.R. § 164.308(a)(1)(i);

i. Failing to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D);

j. Failing to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI, in violation of 45 C.F.R. § 164.306(a)(2);

k. Failing to protect against reasonably anticipated uses or disclosures of electronic PHI that are not permitted under the privacy rules regarding individually identifiable health information, in violation of 45 C.F.R. § 164.306(a)(3);

l. Failing to ensure compliance with HIPAA security standard rules by its workforce, in violation of 45 C.F.R. § 164.306(a)(4);

m. Failing to train all members of its workforce effectively on the policies and procedures regarding PHI as necessary and appropriate for the members of its workforce to carry out their functions and to maintain the security of PHI, in violation of 45 C.F.R. § 164.530(b);

n. Failing to render the electronic PHI it maintained unusable, unreadable, or indecipherable to unauthorized individuals, as it had not encrypted the electronic PHI as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 C.F.R. § 164.304’s definition of “encryption”);

o. Failing to comply with FTC guidelines for cybersecurity, in violation of Section 5 of the FTC Act;

p. Failing to adhere to industry standards for cybersecurity as discussed above; and

q. Otherwise breaching its duties and obligations to protect Plaintiff’s and Class Members’ Sensitive Information.

68. Defendant negligently and unlawfully failed to safeguard Plaintiff’s and Class Members’ Private Information by allowing cyberthieves to access Memorial Health’s computer network and systems, which contained unsecured and unencrypted PII.

69. Accordingly, as outlined below, Plaintiff and Class Members now face an increased risk of fraud and identity theft. In addition, Plaintiff and the Class Members also lost the benefit of the bargain they made with Defendant.

Cyberattacks and Data Breaches Cause Disruption and Put Consumers at an Increased Risk of Fraud and Identity Theft

70. Cyberattacks and data breaches at healthcare providers like Defendant are especially problematic because they can negatively impact the overall daily lives of individuals affected by the attack.

71. Researchers have found that among medical service providers that experienced a data security incident, the death rate among patients increased in the months and years after the attack.[25]

72. Researchers have further found that at medical service providers that experienced a data security incident, the incident was associated with deterioration in timeliness and patient outcomes generally.[26]

73. The United States Government Accountability Office released a report in 2007 regarding data breaches (“GAO Report”) in which it noted that victims of identity theft will face “substantial costs and time to repair the damage to their good name and credit record.”[27]

74. That is because any victim of a data breach is exposed to serious ramifications regardless of the nature of the data. Indeed, the reason criminals steal personally identifiable information is to monetize it. They do this by selling the spoils of their cyberattacks on the black market to identity thieves who desire to extort and harass victims, or to take over victims’ identities in order to engage in illegal financial transactions under the victims’ names. Because a person’s identity is akin to a puzzle, the more accurate pieces of data an identity thief obtains about a person, the easier it is for the thie

[25] See Nsikan Akpan, Ransomware and Data Breaches Linked to Uptick in Fatal Heart Attacks, PBS (Oct. 24, 2019), https://www.pbs.org/newshour/science/ransomware-and-other-data-breaches-linked-to-uptick-in-fatal-heart-attacks.
[26] See Sung J. Choi et al., Data Breach Remediation Efforts and Their Implications for Hospital Quality, 54 Health Services Research 971, 971-980 (2019), available at https://onlinelibrary.wiley.com/doi/full/10.1111/1475-6773.13203.
[27] See U.S. Gov. Accounting Office, GAO-07-737, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (2007), available at https://www.gao.gov/new.items/d07737.pdf.