Case 2:22-cv-00540-CMR Document 2 Filed 08/24/22 PageID.4 Page 2 of 47

UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF UTAH

James T. Buechler, and all others similarly situated,

Plaintiff,

v.

MedQuest Pharmacy, Inc., a Utah Corporation,

Innovations Group, Inc., a Delaware Corporation,

and

UpHealth, Inc., a Delaware Corporation,

Defendants.

Case No.

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

Plaintiff James T. Buechler (“Plaintiff”), individually and on behalf of all other similarly situated individuals, and by and through his undersigned counsel files this Class Action Complaint against MedQuest Pharmacy, Inc. (“MedQuest”), Innovations Group, Inc. (“IGI”), a subsidiary of UpHealth, Inc. (“UpHealth”), and UpHealth (collectively, “Defendants”), and alleges the following based upon personal knowledge of facts and upon information and belief based upon the investigation of counsel as to all other matters.

NATURE OF THE ACTION

1. With this action, Plaintiff seeks to hold Defendants responsible for the harms they caused Plaintiff and the nearly 40,000 similarly situated persons in the massive and preventable data breach that took place between October 27, 2021, and October 30, 2021, by which cybercriminals gained access to Defendants’ inadequately protected systems where sensitive personal information was kept unprotected (the “Data Breach” or “Breach”).[1]

2. The cybercriminals gained access to Defendants’ system with the apparent intention of stealing protected personal information and protected health information of thousands of individuals whose information was stored on Defendants’ computer systems.

3. UpHealth is a digital health technology platform that partners with providers, hospitals, health systems, healthcare facilities, and payors to manage care for customers.[2] UpHealth is a publicly traded company registered with the U.S. Security and Exchange Commission.

4. MedQuest and IGI are subsidiary companies of UpHealth. MedQuest retails prescription and non-prescription medicines. MedQuest serves customers in the State of Utah and is licensed to dispense to patients in all 50 states.[3]

5. MedQuest collaborates with its partners and affiliates to develop a “customized approach to medication…known as personalized healthcare” to customize medications to the needs of individual patients.[4]

6. Plaintiff and Class members are required, as patients of Defendants and their affiliate partners, to provide Defendants with their “Personal and Medical Information” (defined below), with the assurance that such information will be kept safe from unauthorized access. By taking possession and control of Plaintiff’s and Class members’ Personal and Medical Information, Defendants assume a duty to securely store the Personal and Medical Information of Plaintiff and the Class.

[1] See https://www.hipaajournal.com/memorial-health-system-confirms-216k-patients-affected-by-august-2021-ransomware-attack/#:~:text=MedQuest%20Pharmacy%20Data%20Breach%20Affects,detected%20on%20November%2018%2C%202021.
[2] See https://www.crunchbase.com/organization/uphealth-22eb
[3] See https://medquest.com/
[4] See https://medquest.com/

7. Defendants breached this duty and betrayed the trust of Plaintiff and Class members by failing to properly safeguard and protect their Personal and Medical Information, thus enabling cybercriminals to compromise their systems and steal this sensitive information.

8. The compromised Personal and Medical Information at issue includes (1) patient contact information (such as patient name, guarantor name, address, email address, gender, and date of birth); (2) Social Security number, driver’s license number, state identification number, and/or financial account information; (3) health insurance information (payor name, payor contract dates, policy information including type and deductible amount and subscriber/Medicare/Medicaid number); (4) medical and/or treatment information (dates of service, location, services requested or procedures performed, medical record numbers, diagnosis, prescription information, physician names, referring doctor names, and Medical Record Numbers); and (5) billing and claims information (invoices, submitted claims and appeals, and patient account identifiers used by the patient’s provider).[5] Specifically, Plaintiff’s

9. Defendants’ misconduct – failing to timely implement adequate and reasonable measures to protect Plaintiff’s Personal and Medical Information, failing to timely detect the Data Breach, failing to take adequate steps to prevent and stop the Data Breach, failing to disclose the material facts that they did not have adequate security practices in place to safeguard the Personal and Medical Information, failing to honor their promises and representations to protect Plaintiff’s and Class members’ Personal and Medical Information, and failing to provide timely and adequate notice of the Data Breach – caused substantial harm and injuries to Plaintiff and Class members across the United States.

[5] See https://www.hipaajournal.com/memorial-health-system-confirms-216k-patients-affected-by-august-2021-ransomware-attack/#:~:text=MedQuest%20Pharmacy%20Data%20Breach%20Affects,detected%20on%20November%2018%2C%202021.

10. Due to Defendants’ negligence and failures, cybercriminals obtained and now possess everything they need to commit personal and medical identity theft and wreak havoc on the financial and personal lives of nearly 40,000 individuals for decades to come.

11. As a result of the Data Breach, Plaintiff and Class members have already suffered damages. For example, now that their Personal and Medical Information has been released into the criminal cyber domains, Plaintiff and Class members are at imminent and impending risk of identity theft. This risk will continue for the rest of their lives, as Plaintiff and Class members are now forced to deal with the danger of identity thieves possessing and using their Personal and Medical Information. Additionally, Plaintiff and Class members have already lost time and money responding to and mitigating the impact of the Data Breach.

12. Plaintiff brings this action individually and on behalf of the Class and seeks actual damages, statutory damages, punitive damages, restitution, and injunctive and declaratory relief (including significant improvements to Defendants’ data security systems and protocols), reasonable attorney fees, costs, and expenses incurred in bringing this action, and all other remedies this Court deems proper.

THE PARTIES

Plaintiff James T. Buechler

13. Plaintiff James T. Buechler is a citizen and resident of Maryland.

14. Plaintiff is a patient of MedQuest.

15. Plaintiff received a letter from MedQuest dated December 23, 2021, informing him that his first and last name, date of birth, mailing address, email address, telephone number, gender, Social Security number, driver’s license number, medical record number, health information (including prescription information), referring doctor, date(s) of treatment, health insurance policy information or policy number (including Medicare number, if applicable), health insurance claim number or claim or appeal information, internal MedQuest identification number, financial account or payment card information (including expiration date, access code, and CVV), and account login credentials were or could have been compromised in the Data Breach. See Exhibit 1, the “Notice.”

16. Plaintiff was required to provide Defendants with highly sensitive personal, health, and insurance information, including his Personal and Medical Information compromised in the Data Breach. Plaintiff believes this is a standard practice required of all Defendants’ patients.

17. Because of Defendants’ negligence leading to the Data Breach, Plaintiff’s Personal and Medical Information is now in the hands of cyber criminals and Plaintiff is now under imminent risk of identity theft and fraud, including medical identity theft and medical fraud.

18. The imminent risk of medical identity theft and fraud that Plaintiff now faces is substantial, certainly impending, and continuous and ongoing because of the negligence of Defendants, which negligence led to the Data Breach. Plaintiff has already been forced to spend time and money responding to the Data Breach in an attempt to mitigate the harms of the Breach and determine how best to protect himself from identity theft and medical information fraud. These efforts are continuous and ongoing.

19. As a direct and proximate result of the Data Breach, Plaintiff received multiple emails and letters from his bank and credit card companies alerting him to possible fraud and fraud attempts on his accounts.

20. As a direct and proximate result of the Data Breach, Plaintiff had to obtain a new Bank of America card because Bank of America informed Plaintiff his card had been compromised. His current card was deactivated while he waited on his new card to arrive, depriving him of use of that account.

21. As a direct and proximate result of the Data Breach, an unknown external device attempted to access his Bookings.com account, and Bookings.com locked his account until he reset his password.

22. As a direct and proximate result of the Data Breach, someone attempted to access Plaintiff’s USAA account a number of times which resulted in USAA locking his online banking profile. USAA then gave him a mere twenty-four (24) hours to verify his online banking profile online in order to continue using it.

23. All of these attempts were committed after the date of the Data Breach.

24. Plaintiff has had to spend at least five (5) hours responding to the Data Breach.

25. As a direct and proximate result of the Data Breach, Plaintiff has had to use a subscription identity theft protection and credit monitoring service in order to protect himself from medical identity theft and other types of fraud of which he is now substantially at risk. This subscription will need to be renewed yearly for the rest of his lifetime.

26. Plaintiff Buechler has also suffered injury directly and proximately caused by the Data Breach, including damages and diminution in value of his Personal and Medical Information that was entrusted to Defendants for the sole purpose of obtaining medical services necessary for his health and well-being, with the understanding that Defendants would safeguard this information against disclosure. Additionally, Plaintiff’s Personal and Medical Information is at continued risk of compromise and unauthorized disclosure as it remains in the possession of Defendants and is subject to further breaches so long as Defendants fail to undertake appropriate and adequate measures to protect it.

27. Plaintiff Buechler has never been a victim of any type of identity theft. To Plaintiff’s knowledge, the Personal and Medical Information compromised in this Data Breach has not been compromised in any prior data breach.

Defendants MedQuest, IGI, and UpHealth

28. Defendants MedQuest and IGI are both headquartered in North Salt Lake, Utah. Defendant MedQuest is incorporated in the State of Delaware.[6] Defendant IGI is incorporated in the State of Utah.[7] Defendant UpHealth is incorporated in the State of Delaware and headquartered in Delray, Florida.[8]

29. Founded in 1996, Defendant IGI is a healthcare organization that partners with providers, hospitals, health systems and healthcare facilities to offer clinical services spanning care, contract manufacturing of nutritional supplements and medications, patient engagement, education and training solutions.[9]

30. MedQuest’s website contains a “HIPAA Privacy Policy,” in which it assures its patients it is “committed to compliance with all federal and state laws that pertain to any aspect of the clinical practices or the business procedures of this pharmacy,” and that its privacy procedures are “in complete compliance with [HIPAA].”[10]

[6] See https://secure.utah.gov/bes/displayDetails.html
[7] See https://secure.utah.gov/bes/displayDetails.html
[8] See https://search.sunbiz.org/Inquiry/CorporationSearch/GetDocument?aggregateId=forp-f21000005884-3d8de819-c96a-4ba4-842b-6474f7eb6968&transactionId=f21000005884-ac00faed-c332-4fa7-9210-1b383f0eac2f&formatType=PDF
[9] See https://www.linkedin.com/company/innovations-group-inc-igi-/about/
[10] See https://medquest.com/hipaa-privacy-policy/.

JURISDICTION AND VENUE

31. This Court has diversity jurisdiction over this action under the Class Action Fairness Act (CAFA), 28 U.S.C. § 1332(d), because this is a class action involving more than 100 class members, the amount in controversy exceeds $5,000,000, exclusive of interest and costs, and Plaintiff and members of the Class are citizens of states that differ from Defendants.

32. This Court has personal jurisdiction over Defendants because Defendants MedQuest and IGI maintain their headquarters in Utah and have sufficient minimum contacts with Utah. Also, upon information and belief, the Data Breach at issue occurred through email accounts being used by Defendants’ employees physically located in North Salt Lake, Utah.

33. Venue is likewise proper as to Defendants in this District under 28 U.S.C. § 1391(a)(1) because a substantial part of the events or omissions giving rise to the claims asserted herein occurred in this District. Defendants are based in this District, conduct business through this District (including promoting, selling, marketing, and distributing the MedQuest and IGI brands and services at issue), and maintained Plaintiff’s and Class members’ Personal and Medical Information in this District.

FACTUAL ALLEGATIONS

A. The Data Breach and Defendants’ Failed Response

34. On or about October 30, 2021, Defendants discovered that unauthorized third-party hackers gained access to certain computer systems.

35. It is apparent from the Notice sent to Plaintiff and the Class that the Personal and Medical Information contained within these systems was not encrypted.

36. Following the unauthorized access, Defendants blocked access to their environment on October 30, 2021. Defendants then began working with a forensic firm to investigate the Breach. Based upon the investigation, the hackers were able to access Plaintiff’s and Class members’ Personal and Medical Information, unencrypted and unprotected.

37. Upon information and belief, the unauthorized third-party gained access to the Personal and Medical Information and has engaged in (and will continue to engage in) misuse of the Personal and Medical Information, including marketing and selling Plaintiff’s and Class members’ Personal and Medical Information on the dark web.

38. Despite knowing that thousands of patients across the nation were in danger as a result of the Data Breach, Defendants did nothing to warn Plaintiff or Class members until nearly a month after learning of the Data Breach.

39. In spite of the severity of the Data Breach, Defendants have done very little to protect Plaintiff and the Class. In the Notice, Defendants encourage victims to “remain vigilant by checking [their] credit reports periodically.” The Notice also includes a complimentary one-year membership to a credit monitoring service.

40. In effect, Defendants are shirking their responsibility for the harm and increased risk of harm they have caused Plaintiff and members of the Class, including the distress and financial burdens the Data Breach has placed upon the shoulders of the Data Breach victims, and risk that will long outlast the one-year subscription offered to a credit monitoring service.

41. Defendants failed to adequately safeguard Plaintiff’s and Class members’ Personal and Medical Information, allowing cyber criminals to access this wealth of priceless information for three (3) days before securing the network and then waiting nearly a month before warning the criminals’ victims to be on the lookout.

42. Defendants failed to spend sufficient resources on monitoring and safeguarding their computer systems from hacking threats and defending against them.

43. Defendants had obligations created by the Health Insurance Portability and Accountability Act (“HIPAA”), reasonable industry standards, common law, state statutory law, and their assurances and representations to their patients to keep patients’ Personal and Medical Information confidential and to protect such Personal and Medical Information from unauthorized access.

44. Plaintiff and Class members were required to provide their Personal and Medical Information to Defendants with the reasonable expectation and mutual understanding that they would comply with their obligations to keep such information confidential and secure from unauthorized access.

45. The stolen Personal and Medical Information at issue has great value to the hackers, due to the large number of individuals affected and the fact that health insurance information and Social Security numbers were part of the data that was compromised.

B. Defendants had an Obligation to Protect Personal and Medical Information under Federal Law and the Applicable Standard of Care

46. Defendants are covered by HIPAA (45 C.F.R. § 160.102). As such, they are required to comply with the HIPAA Privacy Rule and Security Rule, 45 C.F.R. Part 160 and Part 164, Subparts A and E (“Standards for Privacy of Individually Identifiable Health Information”), and Security Rule (“Security Standards for the Protection of Electronic Protected Health Information”), 45 C.F.R. Part 160 and Part 164, Subparts A and C.

47. HIPAA’s Privacy Rule or Standards for Privacy of Individually Identifiable Health Information establishes national standards for the protection of health information.

48. HIPAA’s Privacy Rule or Security Standards for the Protection of Electronic Protected Health Information establishes a national set of security standards for protecting health information that is kept or transferred in electronic form.

49. HIPAA requires Defendants to “comply with the applicable standards, implementation specifications, and requirements” of HIPAA “with respect to electronic protected health information.” 45 C.F.R. § 164.302.

50. “Electronic protected health information” is “individually identifiable health information … that is (i) transmitted by electronic media; maintained in electronic media.” 45 C.F.R. § 160.103.

51. HIPAA’s Security Rule requires Defendants to do the following:

a. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits;

b. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;

c. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted; and

d. Ensure compliance by their workforce.

52. HIPAA also requires Defendants to “review and modify the security measures implemented … as needed to continue provision of reasonable and appropriate protection of electronic protected health information.” 45 C.F.R. § 164.306(e).

53. HIPAA also requires Defendants to “[i]mplement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.” 45 C.F.R. § 164.312(a)(1).

54. Defendants were also prohibited by the Federal Trade Commission Act (the “FTC Act”) (15 U.S.C. § 45) from engaging in “unfair or deceptive acts or practices in or affecting commerce.” The Federal Trade Commission (the “FTC”) has concluded that a company’s failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information is an “unfair practice” in violation of the FTC Act. See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).

55. In addition to their obligations under federal and state laws, Defendants owed a duty to Plaintiff and Class members to exercise reasonable care in obtaining, retaining, securing, safeguarding, deleting, and protecting the Personal and Medical Information in their possession from being compromised, lost, stolen, accessed, and misused by unauthorized persons. Defendants owed a duty to Plaintiff and Class members to provide reasonable security, including consistency with industry standards and requirements, and to ensure that their computer systems, networks, and protocols adequately protected the Personal and Medical Information of the Class.

56. Defendants owed a duty to Plaintiff and the Class to design, maintain, and test their computer and email systems to ensure that the Personal and Medical Information in Defendants’ possession was adequately secured and protected.

57. Defendants owed a duty to Plaintiff and the Class to create and implement reasonable data security practices and procedures to protect the Personal and Medical Information in their possession, including adequately training their employees and others who accessed Personal and Medical Information within their computer systems on how to adequately protect Personal and Medical Information.

58. Defendants owed a duty to Plaintiff and the Class to implement processes that would detect a breach on their data security systems in a timely manner.

59. Defendants owed a duty to Plaintiff and the Class to act upon data security warnings and alerts in a timely fashion.

60. Defendants owed a duty to Plaintiff and the Class to adequately train and supervise their employees to identify and avoid any phishing emails that make it past their email filtering service.

61. Defendants owed a duty to Plaintiff and the Class to disclose if their computer systems and data security practices were inadequate to safeguard individuals’ Personal and Medical Information from theft because such an inadequacy would be a material fact in the decision to entrust Personal and Medical Information with Defendants.

62. Defendants owed a duty to Plaintiff and the Class to disclose in a timely and accurate manner when data breaches occurred.

63. Defendants owed a duty of care to Plaintiff and the Class because they were foreseeable and probable victims of any inadequate data security practices.

C. Defendants were on Notice of Cyber Attack Threats in the Healthcare Industry and of the Inadequacy of their Data Security

64. Defendants were on notice that companies in the healthcare industry were targets for cyberattacks.

65. Defendants were on notice that the FBI has recently been concerned about data security in the healthcare industry. In August 2014, after a cyberattack on Community Health Systems, Inc., the FBI warned companies within the healthcare industry that hackers were targeting them. The warning stated that “[t]he FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining the Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).”[11]

66. The American Medical Association (“AMA”) has also warned healthcare companies about the importance of protecting their patients’ confidential information:

Cybersecurity is not just a technical issue; it’s a patient safety issue. AMA
research has revealed that 83% of physicians work in a practice that has
experienced some kind of cyberattack. Unfortunately, practices are learning
that cyberattacks not only threaten the privacy and security of patients’
health and financial information, but also patient access to care.[12]

67. As implied by the above quote from the AMA, stolen Personal and Medical Information can be used to interrupt important medical services themselves. This is an imminent and certainly impending risk for Plaintiff and Class members.

68. Defendants were on notice that the federal government has been concerned about healthcare company data encryption.

69. The United States Department of Health and Human Services’ Office for Civil Rights urges the use of encryption of data containing sensitive personal information. As long ago as 2014, the Department fined two healthcare companies approximately two million dollars for failing to encrypt laptops containing sensitive personal information. In announcing the fines, Susan McAndrew, the DHHS’s Office of Human Rights’ deputy director of health information privacy, stated “[o]ur message to these organizations is simple: encryption is your best defense against these incidents.”[13]

[11] Jim Finkle, FBI Warns Healthcare Firms that they are Targeted by Hackers, REUTERS (Aug. 2014), http://www.reuters.com/article/2014/08/20/us-cybersecurity-healthcare-fbi-idUSKBN0GK24U20140820.
[12] Andis Robeznieks, Cybersecurity: Ransomware attacks shut down clinics, hospitals, AM. MED. ASS’N (Oct. 4, 2019), https://www.ama-assn.org/practice-management/sustainability/cybersecurity-ransomeware-attacks-shut-down-clinics-hospitals.

70. One of the best protections against hacking related threats is security awareness training and testing on a regular basis. This should be a key part of a company’s ongoing training of its employees.

D. Cybercriminals Will Use Plaintiff’s and Class Members’ Personal and Medical Information to Defraud Them

71. Plaintiff’s and Class members’ Personal and Medical Information is of great value to hackers and cyber criminals, and the data stolen in the Data Breach has been used and will continue to be used in a variety of sordid ways for criminals to exploit Plaintiff and the Class members and to profit off their misfortune.

72. Each year, identity theft causes tens of billions of dollars of losses to victims in the United States.[14] For example, with the Personal and Medical Information stolen in the Data Breach, including Social Security numbers, identity thieves can open financial accounts, apply for credit, file fraudulent tax returns, commit crimes, create false driver’s licenses and other forms of identification and sell them to other criminals or undocumented immigrants, steal government benefits, give breach victims’ names to police during arrests, and many other harmful forms of identity theft.[15] These criminal activities have and will result in devastating financial and personal losses to Plaintiff and the Class members.

[13] “Stolen Laptops Lead to Important HIPAA Settlements,” U.S. Dep’t of Health and Human Services (Apr. 22, 2014), available at https://wayback.archive-it.org/3926/20170127085330/https://www.hhs.gov/about/news/2014/04/22/stolen-laptops-lead-to-important-hipaa-settlements.html.
[14] “Facts + Statistics: Identity Theft and Cybercrime,” Insurance Info. Inst., https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime (discussing Javelin Strategy & Research’s report “2018 Identity Fraud: Fraud Enters a New Era of Complexity”).
[15] See, e.g., Christine DiGangi, 5 Ways an Identity Thief Can Use Your Social Security Number, Nov. 2, 2017, https://blog.credit.com/2017/11/5-things-an-identity-thief-can-do-with-your-social-security-number-108597/.

73. Personal and Medical Information is such a valuable commodity to identity thieves that once it has been compromised, criminals will use it and trade the information on the cyber black-market for years.[16]

74. For example, it is believed that certain Personal and Medical Information compromised in the 2017 Experian data breach was being used, three years later, by identity thieves to apply for COVID-19-related unemployment benefits in the state of Oklahoma.[17]

75. The Personal and Medical Information exposed in this Data Breach is valuable to identity thieves for use in the kinds of criminal activity described herein.

76. These risks are both certainly impending and substantial. As the FTC has reported, if hackers get access to personally identifiable information, they will use it.[18]

77. Hackers may not use the information right away. According to the U.S. Government Accountability Office, which conducted a study regarding data breaches:

[I]n some cases, stolen data may be held for up to a year or more before being
used to commit identity theft. Further, once stolen data have been sold or posted
on the Web, fraudulent use of that information may continue for years. As a
result, studies that attempt to measure the harm resulting from data breaches
cannot necessarily rule out all future harm.[19]

78. For instance, with a stolen Social Security number, which is part of the Personal and Medical Information compromised in the Data Breach, someone can open financial accounts, get medical care, file fraudulent tax returns, commit crimes, and steal benefits.[20] Identity thieves can also use the information stolen from Plaintiff and Class members to qualify for expensive medical care and leave them and their contracted health insurers on the hook for massive medical bills.

[16] Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown, GAO, July 5, 2007, https://www.gao.gov/assets/270/262904.htmlu
[17] See https://www.engadget.com/stolen-data-used-for-unemployment-fraud-ring-174618050.html; see also https://www.wired.com/story/nigerian-scammers-unemployment-system-scattered-canary/
[18] Ari Lazarus, How fast will identity thieves use stolen info?, FED. TRADE COMM’N (May 24, 2017), https://www.consumer.ftc.gov/blog/2017/05/how-fast-will-identity-thieves-use-stolen-info.
[19] Data Breaches Are Frequent, supra note 11.
[20] See, e.g., Christine DiGangi, 5 Ways an Identity Thief Can Use Your Social Security Number, Nov. 2, 2017, https://blog.credit.com/2017/11/5-things-an-identity-thief-can-do-with-your-social-security-number-108597/.

79. Medical identity theft is one of the most common, most expensive, and most difficult to prevent forms of identity theft. According to Kaiser Health News, “medical-related identity theft accounted for 43 percent of all identity thefts reported in the United States in 2013,” which is more than identity thefts involving banking and finance, the government and the military, or educatio