Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 1 of 49

EXHIBIT A

FILED 2021 NOV 12 03:55 PM, KING COUNTY SUPERIOR COURT CLERK, E-FILED, CASE #: 21-2-15130-9 SEA

IN THE SUPERIOR COURT OF THE STATE OF WASHINGTON
IN AND FOR THE COUNTY OF KING

ALAN HALL, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

SEA MAR COMMUNITY HEALTH CENTERS,

Defendant.

Cause No.

CLASS ACTION COMPLAINT

CLASS ACTION COMPLAINT

Plaintiff Alan Hall, individually, and on behalf of all others similarly situated, brings this action against Defendant Sea Mar Community Health Centers (“SMCHC” or “Defendant”), a Washington corporation, to obtain damages, restitution, and injunctive relief for the Class, as defined below, from Defendant. Plaintiff makes the following allegations upon information and belief, except as to his own actions, the investigation of his counsel, and the facts that are a matter of public record.

NATURE OF THE ACTION

1. SMCHC is a health-care provider that provides medical services to patients in the State of Washington.

CLASS ACTION COMPLAINT - 1

FRANK FREED
SUBIT & THOMAS LLP
Suite 1200 Hoge Building, 705 Second Avenue
Seattle, Washington 98104-1798 ~ (206) 682-6711

`
2. Between the dates of December 2020 and March 2021, an unauthorized individual hacked SMCHC’s IT network and obtained unauthorized access to confidential files containing current and former patients’ Private Information (the “Data Breach”).

3. For at least three months, the cybercriminals who hacked into SMCHC’s IT network had unfettered access to files containing information pertaining to SMCHC patients (like Plaintiff).

4. Incredibly, the threat actor—known as the “Marketo gang”—stole 3 TB of sensitive data from SMCHC and thereafter posted it for sale on the “Marketo marketplace,” a marketplace where the cybercriminals sell their stolen data to the highest bidder on the dark web.

5. Defendant only became aware of the hacking incident and Data Breach on June 24, 2021, when the unauthorized actor informed Defendant that it had successfully copied the sensitive data from its digital environment.

6. As a result of the Data Breach, Plaintiff and more than 650,000 Class Members suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of value of their personal information.

7. In addition, Plaintiff’s and Class Members’ sensitive personal information—which was entrusted to Defendant—was compromised and unlawfully accessed due to the Data Breach.

8. Information compromised in the Data Breach includes patient names, addresses, dates of birth, Social Security numbers, medical and clinical treatment information, insurance information, claims information and other protected health information as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that Defendant collected and maintained (collectively the “Private Information”).
`
`9.
`
`SMCHC did not notify patients’ that their Private Information was subject to
`
`unauthorized access in the Data Breach until October 2021, approximately ten (10) months after
`
`the cyberattack was launched and approximately four (4) months after the Data Breach discovered.
`
`10.
`
`The Data Breach was a direct result of Defendant’s failure to implement adequate
`
`and reasonable cyber-security procedures and protocols necessary to protect patients’ and
`
`employees’ Private Information.
`
`11.
`
`Plaintiff brings this class action lawsuit on behalf of those similarly situated to
`
`address Defendant’s inadequate safeguarding of Class Members’ Private Information that
`
`Defendant collected and maintained, and for failing to provide timely and adequate notice to
`
`Plaintiff and other Class Members that their information had been subject to the unauthorized
`
`access of an unknown third party.
`
`12.
`
`Defendant SMCHC maintained the Private Information in a reckless manner. In
`
`particular, the Private Information was maintained on Defendant’s computer network in a
`
`condition vulnerable to cyberattacks.
`
`13.
`
`Upon information and belief, the mechanism of the hacking and potential for
`
`improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to
`
`Defendant, and thus Defendant was on notice that failing to take steps necessary to secure the
`
`Private Information from those risks left that property in a dangerous condition.
`
`14.
`
`Defendant disregarded the rights of Plaintiff and Class Members (defined below)
`
`by, inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and
`
`CLASS ACTION COMPLAINT - 3
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 5 of 49
`
`
`
`reasonable measures to ensure its data systems were protected against unauthorized intrusions;
`
`failing to disclose that it did not have adequately robust computer systems and security practices
`
`to safeguard patient Private Information; failing to take standard and reasonably available steps to
`
`prevent the Data Breach; and failing to provide Plaintiff and Class Members prompt notice of the
`
`Data Breach.
`
`15.
`
`In addition, Defendant and its employees failed to properly monitor the computer
`
`network and systems that housed the Private Information. Had Defendant properly monitored its
`
`property, it would have discovered the intrusion sooner, as opposed to letting cyberthieves roam
`
`freely in Defendant’s IT network for four (4) months.
`
`16.
`
`Plaintiff’s and Class Members’ identities are now at risk because of Defendant’s
`
`negligent conduct since the Private Information that Defendant collected and maintained is now in
`
`the hands of data thieves.
`
`17.
`
`Armed with the Private Information accessed in the Data Breach, data thieves can
`
`commit a variety of crimes including, e.g., opening new financial accounts in Class Members’
`
`names, taking out loans in Class Members’ names, using Class Members’ names to obtain medical
`
`services, using Class Members’ information to obtain government benefits, filing fraudulent tax
`
`returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names
`
`but with another person’s photograph, and giving false information to police during an arrest.
`
`18.
`
`As a result of the Data Breach, Plaintiff and Class Members have been exposed to
`
`a present and imminent risk of fraud and identity theft. Plaintiff and Class Members must now and
`
`in the future closely monitor their financial accounts to guard against identity theft.
`
`19.
`
`Plaintiff and Class Members may also incur out of pocket costs for, e.g., purchasing
`
`CLASS ACTION COMPLAINT - 4
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 6 of 49
`
`
`
`credit monitoring services, credit freezes, credit reports, or other protective measures to deter and
`
`detect identity theft.
`
`20.
`
`Plaintiff seeks to remedy these harms on behalf of himself and all similarly situated
`
`individuals whose Private Information was accessed during the Data Breach.
`
`21.
`
`Plaintiff seeks remedies including, but not limited to, compensatory damages,
`
`nominal damages, reimbursement of out-of-pocket costs, and injunctive relief including
`
`improvements to SMCHC’s data security systems, future annual audits, and adequate credit
`
`monitoring services funded by Defendant.
`
`PARTIES
`
`22.
`
`Plaintiff Alan Hall is, and at all times mentioned herein was, an individual citizen
`
`of the State of Washington residing in the City of Bellingham. Plaintiff was a patient at SMCHC
`
`and received medical services and treatments from same. Plaintiff was notified of Defendant’s
`
`Data Breach and his Private Information being compromised upon receiving a notice letter dated
`
`October 26, 2021.
`
`23.
`
`Defendant SMCHC is a health-care services provider with its principal place of
`
`business at 1040 S. Henderson Street, Seattle, WA, 98108.
`
`JURISDICTION AND VENUE
`
`24.
`
`This Court has jurisdiction over Defendant because Defendant is organized under
`
`the laws of the State of Washington and the causes of action alleged herein arise from Defendant
`
`transacting business in Washington.
`
`25.
`
`Venue is proper in this Court as a substantial portion of the acts and transactions
`
`that constitute violations of law complained of herein occurred in King County and Defendant
`
`CLASS ACTION COMPLAINT - 5
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 7 of 49
`
`
`
`conducts substantial business throughout King County.
`
DEFENDANT’S BUSINESS

26. Defendant SMCHC is an organization that provides health, human, housing, educational and cultural services to communities in the State of Washington.

27. In the ordinary course of receiving treatment and health care services from SMCHC, patients are required to provide sensitive personal and private information such as:

• Names;
• Dates of birth;
• Social Security numbers;
• Driver's license numbers;
• Financial account information;
• Payment card information;
• Medical histories;
• Treatment information;
• Medication or prescription information;
• Beneficiary information;
• Address, phone number, and email address; and
• Health insurance information, including health insurance plan member IDs.

28. Prior to receiving care and treatment from SMCHC, Plaintiff was required to and did in fact turn over much (if not all) of the private and confidential information listed above.

29. Additionally, SMCHC may receive private and personal information from other individuals and/or organizations that are part of a patient’s “circle of care,” such as referring physicians, patients’ other doctors, patient’s health plan(s), close friends, and/or family members.
`
`30.
`
`SMCHC also creates and maintains a considerable amount of Protected Health
`
`Information (PHI) in the course of providing medical care and treatment.
`
`31.
`
`On information and belief, SMCHC provides each of its patients with a HIPAA
`
`compliant notice of its privacy practices (the “Privacy Notice”) in respect to how they handle
`
`patients’ sensitive and confidential information.
`
`32.
`
`A copy of the Privacy Notice is maintained on SMCHC’s website, and may be
`
`found here: https://www.seamar.org/notice.html.
`
`33.
`
`Due to the highly sensitive and personal nature of the information SMCHC acquires
`
`and stores with respect to its patients, SMCHC recognizes patients’ Rights to Privacy in its Privacy
`
`Notice, and promises in its Privacy Notice, to, among other things, maintain the privacy of patients’
`
`protected health information.
`
`34.
`
`SMCHC promises to maintain the confidentiality of patients’ health, financial, and
`
`non-public personal information, ensure compliance with federal and state laws and regulations,
`
`and not to use or disclose patients’ health information for any reasons other than those expressly
`
`listed in the Privacy Notice without written authorization.
`
`35.
`
`As a condition or receiving medical care and treatment at Defendant’s facilities,
`
`Defendant requires that each of its patients (including Plaintiff) sign a Notice of Privacy Practices
`
`Acknowledgment, which
`
`can
`
`be
`
`found
`
`here:
`
`https://www.seamar.org/seamar-
`
`downloads/covid/PatientAcknow_ENG.pdf.
`
`36.
`
`Upon information and belief, Plaintiff did in fact sign a Notice of Privacy Practices
`
`Acknowledgment prior to receiving care or treatment from Defendant.
`
`CLASS ACTION COMPLAINT - 7
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 9 of 49
`
`
`
`37.
`
`As a condition of receiving medical care and treatment at Defendant’s facilities,
`
`Defendant requires that its patients entrust it with highly sensitive personal information.
`
`38.
`
`By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class
`
`Members’ Private Information, Defendant assumed legal and equitable duties and knew or should
`
`have known that it was responsible for protecting Plaintiff’s and Class Members’ Private
`
`Information from unauthorized disclosure.
`
`39.
`
`Plaintiff and the Class Members have taken reasonable steps to maintain the
`
`confidentiality of their Private Information.
`
`40.
`
`Plaintiff and the Class Members relied on Defendant to keep their Private
`
`Information confidential and securely maintained, to use this information for business and health
`
`purposes only, and to make only authorized disclosures of this information.
`
`THE ATTACK AND DATA BREACH
`
`41.
`
`On June 24, 2021, SMCHC was informed that certain data had been copied from
`
`its digital environment by an unauthorized actor.
`
`42.
`
`Upon review and investigation, SMCHC determined that an unauthorized party
`
`gained access to SMCHC’s IT network between the dates of December 2020 and March 2021.
`
`43.
`
`On information and belief, and according to reports, the unauthorized actor who
`
`accessed SMCHC’s IT network was the infamous Marketo gang.1 The Marketo gang is notorious
`
`for hacking businesses, exfiltrating sensitive and valuable data, and then extorting them to pay
`
`ransoms in several ways, including, but not limited to, the following:
`
`
`1 https://www.databreaches.net/wa-sea-mar-community-health-centers-discloses-breach-that-began-last-
`year/.
`
`CLASS ACTION COMPLAINT - 8
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 10 of 49
`
`
`
`i. Marketo has been observed sending samples of compromised data to the
`
`competitors, clients, and partners of their victims.
`
`ii. Marketo publicly shames organizations that have not contacted the group stating
`
`the organization does not care about data security.
`
`iii. Marketo will share subsets of data with victims as a way to prove the validity of
`
`their claims.
`
`iv. Marketo publishes data incrementally until all information is public.2
`
`44.
`
`The Marketo gang also offers up for sale the stolen data they steal on their
`
`marketplace, selling the sensitive data to the highest bidder on the Dark Web.3
`
`45.
`
`Consistent with the Marketo gang’s modus operandi of exfiltrating and stealing
`
`data, SMCHC admits that the unauthorized party “copied” the sensitive data “from its digital
`
`environment.”4
`
`46.
`
`Indeed, following the Data Breach, the prized data was posted on Marketo’s
`
`marketplace for sale to cybercriminals, as depicted in the following image5:
`
`
`2 https://www.digitalshadows.com/blog-and-research/marketo-a-return-to-simple-extortion/.
`3 https://thedigitalhacker.com/irony-at-its-peak-marketo-gang-claims-to-have-bids-on-stolen-data-of-an-it-
`service-company-fujitsu/.
`4 https://www.prnewswire.com/news-releases/sea-mar-community-health-centers-provides-notice-of-data-
`security-incident-301412308.html.
`5 https://www.databreaches.net/wa-sea-mar-community-health-centers-discloses-breach-that-began-last-
`year/.
`
`CLASS ACTION COMPLAINT - 9
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 11 of 49
`
`
`
`
`
`47.
`
`The information stolen in the Data Breach included patient names, address, Social
`
`Security number, date of birth, client identification number, medical / vision / dental / orthodontic
`
`diagnostic and treatment information, medical / vision / dental insurance information, claims
`
`information, and / or images associated with dental treatment.
`
`48.
`
`The Private Information contained in the files accessed by hackers was not
`
`encrypted.
`
`49.
`
`Upon information and belief, the Data Breach was targeted at Defendant due to its
`
`status as a healthcare entity that collects, creates, and maintains both PII and PHI.
`
`50.
`
`Upon information and belief, the targeted Data Breach was expressly designed to
`
`gain access to and exfiltrate private and confidential data, including (among other things) the PII
`
`and PHI of patients, like Plaintiff and the Class Members.
`
`51. While SMCHC stated in notice letters sent to Plaintiff and Class Members (as well
`
`CLASS ACTION COMPLAINT - 10
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 12 of 49
`
`
`
`as on its website) that it learned of the Ransomware Attack on June 24, 2021, SMCHC did not
`
`begin notifying impacted patients, such as Plaintiff and Class Members, until October 2021 –
`
`nearly 4 months after discovering the Data Breach.
`
`52.
`
`Defendant SMCHC admits that its cybersecurity practices were inadequate. Indeed
`
`SMCHC admits that it is now taking the appropriate “steps to prevent a similar incident from
`
`occurring in the future,” which is an implicit admission these security measures were not in place
`
`to begin with. Moreover, SMCHC stated that it “deeply regrets” that any inconvenience the Data
`
`Breach caused Plaintiff and Class Members.6
`
`53.
`
`Due to Defendant’s incompetent security measures, Plaintiff and the Class
`
`Members now face a present and immediate risk of fraud and identity theft and must deal with that
`
`threat forever.
`
`54.
`
`Plaintiff believes his Private Information was stolen in the Data Breach and that
`
`said information was subsequently posted for sale on the dark web following the Data Breach, as
`
`that is the modus operandi of all cybercriminals, and especially the Marketo gang.
`
`55.
`
`Defendant had obligations created by HIPAA, contract, industry standards,
`
`common law, and its own promises and representations made to Plaintiff and Class Members to
`
`keep their Private Information confidential and to protect it from unauthorized access and
`
`disclosure.
`
`56.
`
`Plaintiff and Class Members provided their Private Information to Defendant with
`
`the reasonable expectation and mutual understanding that Defendant would comply with its
`
`
`6 https://www.prnewswire.com/news-releases/sea-mar-community-health-centers-provides-notice-of-data-
`security-incident-301412308.html.
`
`CLASS ACTION COMPLAINT - 11
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 13 of 49
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`obligations to keep such information confidential and secure from unauthorized access.
`
`57.
`
`Defendant’s data security obligations were particularly important given the
`
`substantial increase in ransomware attacks and/or data breaches in the healthcare industry
`
`preceding the date of the breach.
`
`58.
`
`In 2019, a record 1,473 data breaches occurred, resulting in approximately
`
`164,683,455 sensitive records being exposed, a 17% increase from 2018.7 Of the 1,473 recorded
`
`data breaches, 525 of them, or 35.64%, were in the medical or healthcare industry.8 The 525
`
`reported breaches reported in 2019 exposed nearly 40 million sensitive records (39,378,157),
`
`compared to only 369 breaches that exposed just over 10 million sensitive records (10,632,600) in
`
`2018.9
`
`59.
`
`In light of recent high profile cybersecurity incidents at other healthcare partner and
`
`provider companies, including, American Medical Collection Agency (25 million patients, March
`
`2019) University of Washington Medicine (974,000 patients, December 2018), Florida Orthopedic
`
`Institute (640,000 patients, July 2020), Wolverine Solutions Group (600,000 patients, September
`
`2018), Oregon Department of Human Services (645,000 patients, March 2019), Elite Emergency
`
`Physicians (550,000 patients, June 2020), Magellan Health (365,000 patients, April 2020), BJC
`
`Health System (286,876 patients, March 2020), Defendant knew or should have known that its
`
`electronic records would be targeted by cybercriminals.
`
`60.
`
`In 2021 alone there have been over 220 data breach incidents.10 These
`
`
`7 https://www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-
`Breach-Report_FINAL_Highres-Appendix.pdf (last accessed June 1, 2021)
`8 Id.
`9 Id at p15.
`10 See Kim Delmonico, Another (!) Orthopedic Practice Reports Data Breach, Orthopedics This Week (May
`24, 2021), https://ryortho.com/breaking/another-orthopedic-practice-reports-data-breach/.
`
`CLASS ACTION COMPLAINT - 12
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 14 of 49
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`approximately 220 data breach incidents have impacted nearly 15 million individuals.11
`
`61.
`
`Indeed, cyberattacks have become so notorious that the Federal Bureau of
`
`Investigation (“FBI”) and U.S. Secret Service have issued a warning to potential targets so they
`
`are aware of, and prepared for, a potential attack. As one report explained, “[e]ntities like smaller
`
`municipalities and hospitals are attractive to ransomware criminals… because they often have
`
`lesser IT defenses and a high incentive to regain access to their data quickly.”12
`
`62.
`
`In fact, according to the cybersecurity firm Mimecast, 90% of healthcare
`
`organizations experienced cyberattacks in the past year.13
`
`63.
`
`Therefore, the increase in such attacks, and attendant risk of future attacks, was
`
`widely known to the public and to anyone in Defendant’s industry, including Defendant.
`
`Defendant Fails to Comply with FTC Guidelines
`
`64.
`
`The Federal Trade Commission (“FTC”) has promulgated numerous guides for
`
`businesses which highlight the importance of implementing reasonable data security practices.
`
`According to the FTC, the need for data security should be factored into all business decision-
`
`making.
`
`65.
`
`In 2016, the FTC updated its publication, Protecting Personal Information: A
`
`Guide for Business, which established cyber-security guidelines for businesses. The guidelines
`
`note that businesses should protect the personal patient information that they keep; properly
`
`dispose of personal information that is no longer needed; encrypt information stored on computer
`
`
`
`11 Id.
`12
`2019),
`18,
`(Nov.
`Law360
`Targeted,
`of
`Service Warn
`Secret
`FBI,
`https://www.law360.com/articles/1220974/fbi-secret-service-warn-of-targeted-ransomware (last visited
`July 2, 2021).
`13 See Maria Henriquez, Iowa City Hospital Suffers Phishing Attack, Security Magazine (Nov. 23, 2020),
`https://www.securitymagazine.com/articles/93988-iowa-city-hospital-suffers-phishing-attack.
`
`CLASS ACTION COMPLAINT - 13
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 15 of 49
`
`
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`networks; understand their network’s vulnerabilities; and implement policies to correct any
`
`security problems.14 The guidelines also recommend that businesses use an intrusion detection
`
`system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating
`
`someone is attempting to hack the system; watch for large amounts of data being transmitted from
`
`the system; and have a response plan ready in the event of a breach.15
`
`66.
`
`The FTC further recommends that companies not maintain PII longer than is
`
`needed for authorization of a transaction; limit access to sensitive data; require complex passwords
`
`to be used on networks; use industry-tested methods for security; monitor for suspicious activity
`
`on the network; and verify that third-party service providers have implemented reasonable security
`
`measures.
`
`67.
`
`The FTC has brought enforcement actions against businesses for failing to
`
`adequately and reasonably protect patient data, treating the failure to employ reasonable and
`
`appropriate measures to protect against unauthorized access to confidential consumer data as an
`
`unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”), 15
`
`U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take
`
`to meet their data security obligations.
`
`68.
`
`These FTC enforcement actions include actions against healthcare providers like
`
`Defendant. See, e.g., In the Matter of Labmd, Inc., A Corp, 2016-2 Trade Cas. (CCH) ¶ 79708,
`
`2016 WL 4128215, at *32 (MSNET July 28, 2016) (“[T]he Commission concludes that LabMD’s
`
`data security practices were unreasonable and constitute an unfair act or practice in violation of
`
`
`14 Protecting Personal Information: A Guide for Business, Federal Trade Commission (2016). Available at
`https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf
`(last visited June 15, 2021).
`15 Id.
`
`CLASS ACTION COMPLAINT - 14
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 16 of 49
`
`
`
`Section 5 of the FTC Act.”)
`
`69.
`
`70.
`
`Defendant failed to properly implement basic data security practices.
`
`Defendant’s failure to employ reasonable and appropriate measures to protect
`
`against unauthorized access to patients’ PII and PHI constitutes an unfair act or practice prohibited
`
`by Section 5 of the FTC Act, 15 U.S.C. § 45.
`
`71.
`
`Defendant was at all times fully aware of its obligation to protect the PII and PHI
`
`of its patients. Defendant was also aware of the significant repercussions that would result from
`
`its failure to do so.
`
`Defendant Fails to Comply with Industry Standards
`
`72.
`
`As shown above, experts studying cyber security routinely identify healthcare
`
`providers as being particularly vulnerable to cyberattacks because of the value of the PII and PHI
`
`which they collect and maintain.
`
`73.
`
`Several best practices have been identified that a minimum should be implemented
`
`by healthcare providers like Defendant, including but not limited to: educating all employees;
`
`strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software;
`
`encryption, making data unreadable without a key; multi-factor authentication; backup data, and;
`
`limiting which employees can access sensitive data.
`
`74.
`
`Other best cybersecurity practices that are standard in the healthcare industry
`
`include installing appropriate malware detection software; monitoring and limiting the network
`
`ports; protecting web browsers and email management systems; setting up network systems such
`
`as firewalls, switches and routers; monitoring and protection of physical security systems;
`
`protection against any possible communication system; training staff regarding critical points.
`
`CLASS ACTION COMPLAINT - 15
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 17 of 49
`
`
`
`75.
`
`Defendant failed to meet the minimum standards of any of the following
`
`frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation
`
`PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5,
`
`PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for
`
`Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in
`
`reasonable cybersecurity readiness.
`
`76.
`
`These foregoing frameworks are existing and applicable industry standards in the
`
`healthcare industry, and Defendant failed to comply with these accepted standards, thereby
`
`opening the door to and causing the Ransomware Attack.
`
`Defendant’s Conduct Violates HIPAA and Evidences Its Insufficient Data Security
`
`77.
`
`HIPAA requires covered entities such as Defendant to protect against reasonably
`
`anticipated threats to the security of sensitive patient health information.
`
`78.
`
`Covered entities must implement safeguards to ensure the confidentiality, integrity,
`
`and availability of PHI. Safeguards must include physical, technical, and administrative
`
`components.
`
`79.
`
`Title II of HIPAA contains what are known as the Administrative Simplification
`
`provisions. 42 U.S.C. §§ 1301, et seq. These provisions require, among other things, that the
`
`Department of Health and Human Services (“HHS”) create rules to streamline the standards for
`
`handling PII like the data Defendant left unguarded. The HHS subsequently promulgated multiple
`
`regulations under authority of the Administrative Simplification provisions of HIPAA. These rules
`
`include 45 C.F.R. § 164.306(a)(1-4); 45 C.F.R. § 164.312(a)(1); 45 C.F.R. § 164.308(a)(1)(i); 45
`
`C.F.R. § 164.308(a)(1)(ii)(D), and 45 C.F.R. § 164.530(b).
`
`CLASS ACTION COMPLAINT - 16
`
`
`FRANK FREED
`SUBIT & THOMAS LLP
`Suite 1200 Hoge Building, 705 Second Avenue
`Seattle, Washington 98104-1798 ~ (206) 682-6711
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`
`
`
`
`Case 2:22-cv-00184 Document 1-2 Filed 02/16/22 Page 18 of 49
`
`
`
`80.
`
`A breach such as the one Defendant experienced, is also considered a breach under
`
`the HIPAA Rules because there is an access of PHI not permitted under the HIPAA Privacy Rule:
`
`A breach under the HIPAA Rules is defined as, “...the acquisition,
`access, use, or disclosure of PHI in a manner not permitted under
`the [HIPAA Privacy Rule] which compromises the security or
`privacy of the PHI.” See 45 C.F.R. 164.40
`
`Defendant’s Data Breach resulted from a combination of insufficiencies that
`
`81.
`
`demonstrate it failed to comply with safeguards mandated by HIPAA regulations.
`
`DEFENDANT’S BREACH
`
`82.
`
`Defendant breached its obligations to Plaintiff and Class Members and was
`
`otherwise