`UNITED STATES DISTRICT COURT
`WESTERN DISTRICT OF WASHINGTON
JULIE MACK, JOANNE MULLINS, and
INGRID COX on behalf of themselves and all
others similarly situated,

Plaintiffs,

vs.

MCG Health, LLC,

Defendant.

Case No.
`
`CLASS ACTION COMPLAINT
`
`JURY TRIAL DEMANDED
`
`Plaintiffs Julie Mack, Joanne Mullins, and Ingrid Cox (collectively “Plaintiffs”)
`individually and on behalf of all others similarly situated, through undersigned counsel, hereby
`allege the following against Defendant MCG Health, LLC (“MCG Health” or “Defendant”). The
`facts pertaining to Plaintiffs are alleged based upon personal knowledge, and all other facts
`herein are alleged based upon information and belief and the investigation of Plaintiffs’ counsel.
`NATURE OF THE ACTION
1.
This is a class action for damages with respect to MCG Health, LLC for its failure
to exercise reasonable care in securing and safeguarding patients’ sensitive personal data—
including names, Social Security numbers, medical codes, postal addresses, telephone numbers,
email addresses, dates of birth, and gender (“PII” or “Private Information”).
`2.
`This class action is brought on behalf of patients whose sensitive PII was stolen
by cybercriminals in a cyber-attack on MCG Health’s systems that took place in or around
March 25, 2020 and which resulted in the access and exfiltration of sensitive patient information
(the “Data Breach”).1

TERRELL MARSHALL LAW GROUP PLLC
936 North 34th Street, Suite 300
Seattle, Washington 98103-8869
TEL. 206.816.6603 FAX 206.319.5450
www.terrellmarshall.com

CLASS ACTION COMPLAINT- 1

Case 2:22-cv-00935 Document 1 Filed 07/06/22 Page 2 of 58
`3.
`MCG Health reported to Plaintiffs and members of the putative “Class” (defined
`below) that information compromised in the Data Breach included their PII.
`4.
`Plaintiffs and Class members were not notified of the data breach until, at the
`earliest, June of 2022—at least two years after their Private Information was first accessed.
`5.
`As a result of the Data Breach and Defendant’s failure to promptly notify
`Plaintiffs and Class members of the Data Breach, Plaintiffs and Class members have experienced
`and will experience various types of misuse of their PII in the coming months and years,
`including but not limited to, unauthorized credit card charges, unauthorized access to email
`accounts, identity theft, and other fraudulent use of their Private Information.
`6.
`There has been no assurance offered by MCG Health that all personal data or
`copies of data have been recovered or destroyed.
`7.
`Accordingly, Plaintiffs assert claims for negligence, breach of contract, breach of
`implied contract, breach of fiduciary duty, declaratory and injunctive relief, and state consumer
`protection claims.
`
`PARTIES
`
A.
Plaintiff Julie Mack
`8.
`Plaintiff Julie Mack is a resident and citizen of Dallas, Texas and brings this
`action in her individual capacity and on behalf of all others similarly situated. Plaintiff Mack
`was an employee at Dallas Medical Center and has also received healthcare services through
`Dallas Medical Center in the past, including a visit to the hospital’s emergency department in
`early 2020. To receive services at MCG Health, Plaintiff Mack was required to disclose her
`Private Information, which was then entered into MCG Health’s database and maintained
without her knowledge. In maintaining her Private Information, Defendant expressly and
impliedly promised to safeguard Plaintiff Mack’s Private Information. Defendant, however, did
not take proper care of Plaintiff Mack’s Private Information, leading to its exposure to, and
exfiltration by, cybercriminals as a direct result of Defendant’s inadequate security measures.

1 MCG Health, LLC Data Breach Notification Listing, MT. DEP’T OF JUSTICE, https://dojmt.gov/consumer/databreach/ (follow “View Data Breaches Reported to Montana Office of Consumer Protection” hyperlink; then search for “MCG Health, LLC”) (last visited July 5, 2022).
`9.
`In June of 2022, Plaintiff Mack received a notification letter from Defendant
`stating that her Private Information was compromised by cybercriminals.
`10.
`Plaintiff Mack and Class members have faced and will continue to face a certainly
`impending and substantial risk of a slew of future harms as a result of Defendant’s ineffective
`data security measures, as further set forth herein. Some of these harms will include fraudulent
`charges, medical procedures ordered in patients’ names without their permission, and targeted
`advertising without patient consent.
`11.
`Some of these harms will not materialize for years after the Data Breach incident,
`rendering Defendant’s notice letter woefully inadequate to prevent the fraud that will continue to
`occur through the misuse of Class members’ information.
`12.
`Plaintiff Mack greatly values her privacy, especially while receiving medical
`services, and would not have paid the amount that she did to receive medical services had she
`known that her healthcare providers’ data processor, MCG Health, would negligently maintain
`her Private Information as it did.
`B.
`Plaintiff Joanne Mullins
`13.
Plaintiff Joanne Mullins is a resident and citizen of Bellville, Texas, and brings
this action in her individual capacity and on behalf of all others similarly situated. Plaintiff Mullins
`is a regular patient of Catholic Health Initiatives medical facilities including the Catholic Health
`Initiatives St. Joseph Health facility in Bellville, Texas for regular doctor and specialist visits. To
`receive services at MCG Health, Plaintiff Mullins was required to disclose her Private
`Information, which was then entered into MCG Health’s database and maintained without her
`knowledge. In maintaining her Private Information, Defendant expressly and impliedly promised
`to safeguard Plaintiff Mullins’ Private Information. Defendant, however, did not take proper
care of Plaintiff Mullins’ Private Information, leading to its exposure to, and exfiltration by,
cybercriminals as a direct result of Defendant’s inadequate security measures.
`14.
`In June of 2022, Plaintiff Mullins received a notification letter from Defendant
`stating that her Private Information was compromised by cybercriminals.
`15.
`Plaintiff Mullins and Class members have faced and will continue to face a
`certainly impending and substantial risk of a slew of future harms as a result of Defendant’s
`ineffective data security measures, as further set forth herein. Some of these harms will include
`fraudulent charges, medical procedures ordered in patients’ names without their permission, and
`targeted advertising without patient consent.
`16.
These harms are not just theoretical. On September 23, 2021, an unauthorized
actor used Plaintiff Mullins’ PayPal account to charge $375 to her credit card for a denim jacket
from a vendor called “Axel Arigato AB.” Plaintiff Mullins did not make or authorize this
charge. The product was scheduled to be shipped to an address in Bellflower, California.
Plaintiff Mullins noticed the fraudulent charge on her account and was able to file a “return to
sender” request through UPS to send the item back to the seller before it was delivered to the
fraudulent address that the hacker had entered in her PayPal account. The credit card
charge, however, remained on her account statement, resulting in Plaintiff Mullins spending
approximately three hours reporting this fraudulent charge to PayPal customer service and filing
an identity theft report with the Federal Trade Commission.
17.
Given that Plaintiff Mullins’ Private Information was used to effectuate
fraudulent charges on her credit card, she has suffered misuse of her information as a result of
the Data Breach on MCG Health’s systems.
18.
Fraudulent charges on a person’s credit card are just one example of how
cybercriminals can use an individual’s Private Information to perpetrate identity theft. Some of
these harms will not materialize for years after the Data Breach incident, rendering Defendant’s
notice letter woefully inadequate to prevent the fraud that will continue to occur through the
misuse of Class members’ information.
`19.
`Plaintiff Mullins greatly values her privacy, especially while receiving medical
`services, and would not have paid the amount that she did to receive medical services had she
`known that her healthcare providers’ data processor, MCG Health, would negligently maintain
`her Private Information as it did.
`C.
`Plaintiff Ingrid Cox
`20.
Plaintiff Ingrid Cox is a citizen and resident of Slidell, Louisiana, and brings this
action in her individual capacity and on behalf of all others similarly situated. Plaintiff Cox is a
`regular patient of medical facilities around Slidell, Louisiana for regular doctor and specialist
`visits, but otherwise does not know how MCG Health would have obtained her information. To
`receive services at MCG Health, Plaintiff Cox was required to disclose her Private Information,
`which was then entered into MCG Health’s database and maintained without her knowledge. In
`maintaining her Private Information, Defendant expressly and impliedly promised to safeguard
Plaintiff Cox’s Private Information. Defendant, however, did not take proper care of Plaintiff
Cox’s Private Information, leading to its exposure to, and exfiltration by, cybercriminals as a
direct result of Defendant’s inadequate security measures.
`21.
`In June of 2022, Plaintiff Cox received a notification letter from Defendant stating
`that her Private Information was compromised by cybercriminals.
`22.
`Plaintiff Cox and Class members have faced and will continue to face a certainly
`impending and substantial risk of a slew of future harms as a result of Defendant’s ineffective
`data security measures, as further set forth herein. Some of these harms will include fraudulent
`charges, medical procedures ordered in patients’ names without their permission, and targeted
`advertising without patient consent.
`23.
`Some of these harms will not materialize for years after the Data Breach incident,
`rendering Defendant’s notice letter woefully inadequate to prevent the fraud that will continue to
`occur through the misuse of Class members’ information.
`24.
`Plaintiff Cox greatly values her privacy, especially while receiving medical
`services, and would not have paid the amount that she did to receive medical services had she
`known that her healthcare providers’ data processor, MCG Health, would negligently maintain
`her Private Information as it did.
`D.
`Defendant MCG Health
`25.
`Defendant MCG Health is a clinical guidance company that uses software to
`apply medical literature and data to patient information at healthcare organizations and insurance
`companies to create care guidelines. MCG Health has a principal place of business at 901 5th
`Avenue, Suite 120, in Seattle, Washington. MCG Health’s corporate policies and practices,
`including those used for data privacy, are established in, and emanate from the state of
`Washington.
`
`JURISDICTION AND VENUE
`26.
`The Court has jurisdiction over Plaintiffs’ claims under 28 U.S.C. § 1332(d)(2),
`because (a) there are 100 or more Class members, (b) at least one Class member is a citizen of a
`state that is diverse from Defendant’s citizenship, and (c) the matter in controversy exceeds
`$5,000,000, exclusive of interest and costs.
`27.
`The Court has personal jurisdiction over Defendant because Defendant’s principal
`place of business is located in this District.
`28.
`Venue is proper in this district under 28 U.S.C. § 1391(b)(1) because Defendant
`maintains its principal place of business in this District and therefore resides in this District
`pursuant to 28 U.S.C. § 1391(c)(2). A substantial part of the events or omissions giving rise to
`the Class’s claims also occurred in this District.
`FACTS
`29.
`Defendant provides software services to healthcare facilities and insurance
`companies. As part of its business, Defendant was entrusted with, and obligated to safeguard
`and protect the Private Information of, Plaintiffs and the Class in accordance with all applicable
`laws.
`30.
In March of 2022, Defendant first learned of unauthorized activity on its
network, which contained patients’ Private Information. Defendant posted the following form
notice on the Montana Attorney General’s data breach monitoring page:2
`
`
`MCG Health, LLC (“MCG”) provides patient care guidelines to
`health care providers and health plans, including . . . We are writing
`on behalf of . . . to notify you of a recent data security issue at MCG
`that affects certain of your personal information.
`
`MCG determined on March 25, 2022 that an unauthorized party
`previously obtained certain of your personal information that
`matched data stored on MCG’s systems. The affected patient or
`member data included some or all of the following data elements:
`names, Social Security numbers, medical codes, postal addresses,
`telephone numbers, email addresses, dates of birth and gender.
`
`Upon learning of this issue, we took steps to understand its nature
`and scope. A leading forensic investigation firm was retained to
`assist in the investigation. Additionally, we are coordinating with
`the FBI. We have deployed additional monitoring tools and will
`continue to enhance the security of our systems.
`
`We regret any concern this issue may cause. We are alerting you
`about this issue so you can take steps to help protect your
`information. You are entitled under U.S. law to one free credit
`report annually from each of the three nationwide consumer
`reporting agencies. To order your free credit report, visit
`www.annualcreditreport.com or call toll-free at 1-877-322-8228.
`We encourage you to remain vigilant by reviewing your account
`statements and monitoring your free credit reports.
`
`In addition, we have arranged to offer you identity protection and
`credit monitoring services for two years at no cost to you. The
`attached Reference Guide provides information on activation and
`recommendations by the U.S. Federal Trade Commission on the
`protection of personal information
`
`
`
2 MCG Health, LLC Data Breach Notification, https://media.dojmt.gov/wp-content/uploads/Consumer-Notification-Letter-182.pdf (last visited July 5, 2022) [hereinafter Data Breach Notice].
`31.
`Upon learning of the Data Breach that occurred in February of 2020, Defendant
`investigated and began sending notification of the incident to affected patients.3 Plaintiffs were
`not notified that their information was affected in the Data Breach until June of 2022.
`32.
`In June of 2022, approximately two years after the Data Breach, Defendant first
`announced that it suffered a cyberattack that allowed an unauthorized individual to obtain the
Private Information of patients within the company’s computer systems. The June 2022
notification that Defendant posted on the U.S. Department of Health and Human Services breach
portal did not explain what type of attack had occurred, what type of information had been
affected, or any of the other circumstances surrounding the data breach.
`33.
`In addition, Defendant offered no explanation for the delay between the initial
`discovery of the Breach and the belated notification to affected customers, which resulted in
`Plaintiffs and Class members suffering harm they otherwise could have avoided had a timely
`disclosure been made.
`
`34.
Defendant’s delay in notifying its customers affected by the Data Breach violated
the provisions of, inter alia, Wash. Rev. Code § 19.255.010, et seq., requiring Defendant to
provide prompt and direct notice of a data security breach to affected consumers within 30 days.
35.
MCG Health’s notice of the Data Breach was woefully deficient, failing to
provide basic details, including but not limited to, how unauthorized parties accessed its
networks, whether the information was encrypted or otherwise protected, how it learned of the
Data Breach, whether the breach occurred system-wide, whether servers storing information
were accessed, and how many customers were affected by the Data Breach. Even worse, MCG
Health offered only two years of identity monitoring to Plaintiffs and Class members, which
required the disclosure of additional PII that MCG Health had just demonstrated it could not be
trusted with.
`
`
3 See Cases Currently Under Investigation, U.S. DEP’T OF HEALTH & HUMAN SERVS.: BREACH PORTAL, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf [hereinafter Breach Portal] (last visited July 5, 2022).
`36.
In light of the types of personal information at issue, and the fact that the Private
Information was specifically targeted by cybercriminals with the intent to steal and misuse it, it
can reasonably be assumed that Plaintiffs’ and Class members’ PII is being sold on the dark web,
`meaning that unauthorized parties have accessed, viewed, and exfiltrated Plaintiffs’ and Class
`members’ unencrypted, unredacted, sensitive personal information, including names, addresses,
`email addresses, dates of birth, Social Security numbers, member ID numbers, policyholder
`names, employer names, policy numbers, and more as a result of Defendant’s lax data security
`practices and protocols.
`37.
`The Data Breach occurred because Defendant failed to take reasonable measures
`to protect the PII it collected and stored. Among other things, Defendant failed to implement data
`security measures designed to prevent this attack, despite repeated warnings to the healthcare
`industry, insurance companies, and associated entities about the risk of cyberattacks and the
`highly publicized occurrence of many similar attacks in the recent past on other healthcare
`providers.
`38.
`Defendant disregarded the rights of Plaintiffs and Class members by intentionally,
`willfully, recklessly, or negligently failing to take and implement adequate and reasonable
`measures to ensure that Plaintiffs and Class members’ PII was safeguarded, failing to take
`available steps to prevent an unauthorized disclosure of data, and failing to follow applicable,
`required and appropriate protocols, policies and procedures regarding the encryption of data,
`even for internal use. As a result, the PII of Plaintiffs and Class members was compromised
`through unauthorized access by an unknown third party. Plaintiffs and Class members have a
`continuing interest in ensuring that their information is and remains safe.
`
A.
Defendant Failed to Maintain Reasonable and Adequate Security Measures to
Safeguard Patient Private Information
`39.
`As noted above, MCG Health acquires, collects, and stores a massive amount of
`its customers’ patients’ protected PII, including health information and other personally
`identifiable data.
`40.
`As a condition of engaging in health-related services, MCG Health requires that
`its customers entrust it with their patients’ highly confidential Private Information.
`41.
`By obtaining, collecting, using, and deriving a benefit from Plaintiffs and Class
`members’ Private Information, MCG Health assumed legal and equitable duties and knew or
`should have known that it was responsible for protecting Plaintiffs and Class members’ Private
`Information from disclosure.
`42.
Defendant had obligations created by the Health Insurance Portability and
Accountability Act (42 U.S.C. § 1320d et seq.) (“HIPAA”), Washington law (Wash. Rev. Code
§ 19.255.010, et seq.), industry standards, common law, and representations made to Class
`members, to keep Class members’ Private Information confidential and to protect it from
`unauthorized access and disclosure.
`43.
`As evidenced by Defendant’s failure to comply with its legal obligations
`established by HIPAA and Washington law, Defendant failed to properly safeguard Class
`members’ Private Information, allowing hackers to access their Private Information.
`44.
`Plaintiffs and Class members provided their Private Information to Defendant
`with the reasonable expectation and mutual understanding that Defendant and any of its affiliates
`would comply with their obligation to keep such information confidential and secure from
`unauthorized access.
`45.
`Prior to and during the Data Breach, Defendant promised its customers that their
`patients’ Private Information would be kept confidential.
`46.
`Defendant’s failure to provide adequate security measures to safeguard patients’
`Private Information is especially egregious because Defendant operates in a field which has
`recently been a frequent target of scammers attempting to fraudulently gain access to customers’
`highly confidential Private Information.
`47.
`In fact, Defendant has been on notice for years that the healthcare industry is a
`prime target for scammers because of the amount of confidential patient information maintained.
`48.
`Defendant was also on notice that the FBI has been concerned about data security
`in the healthcare industry. In August 2014, after a cyberattack on Community Health Systems,
`Inc., the FBI warned companies within the healthcare industry that hackers were targeting them.
`The warning stated that “[t]he FBI has observed malicious actors targeting healthcare related
`systems, perhaps for the purpose of obtaining the Protected Healthcare Information (PHI) and/or
`Personally Identifiable Information (PII).”4
`49.
The American Medical Association (“AMA”) has also warned healthcare
companies about the importance of protecting their patients’ confidential information:

Cybersecurity is not just a technical issue; it’s a patient safety issue.
AMA research has revealed that 83% of physicians work in a
practice that has experienced some kind of cyberattack.
Unfortunately, practices are learning that cyberattacks not only
threaten the privacy and security of patients’ health and financial
information, but also patient access to care.5
`
`50.
`The number of US data breaches surpassed 1,000 in 2016, a record high and a
`forty percent increase in the number of data breaches from the previous year.6 In 2017, a new
`record high of 1,579 breaches were reported—representing a 44.7 percent increase.7 That trend
`continues.
`51.
`The healthcare sector reported the second largest number of breaches among all
`measured sectors in 2018, with the highest rate of exposure per breach.8 Indeed, when
`compromised, healthcare related data is among the most sensitive and personally consequential.
`
`
4 Jim Finkle, FBI Warns Healthcare Firms that they are Targeted by Hackers, REUTERS (Aug. 2014), https://www.reuters.com/article/us-cybersecurity-healthcare-fbi/fbi-warnshealthcare-firms-they-are-targeted-by-hackers-idUSKBN0GK24U20140820 (last visited July 5, 2022).
5 Andis Robeznieks, Cybersecurity: Ransomware attacks shut down clinics, hospitals, AM. MED. ASS’N (Oct. 4, 2019), https://www.ama-assn.org/practice-management/sustainability/cybersecurity-ransomware-attacks-shut-down-clinics-hospitals (last visited July 5, 2022).
6 Identity Theft Resource Center, Data Breaches Increase 40 Percent in 2016, Finds New Report From Identity Theft Resource Center and CyberScout (Jan. 19, 2017), https://www.idtheftcenter.org/surveys-studys (last visited July 5, 2022).
7 Identity Theft Resource Center, 2017 Annual Data Breach Year-End Review, https://www.idtheftcenter.org/2017-data-breaches/ (last visited July 5, 2022).
8 Identity Theft Resource Center, 2018 End-of-Year Data Breach Report, https://www.idtheftcenter.org/2018-data-breaches/ (last visited July 5, 2022).
`A report focusing on healthcare breaches found that the “average total cost to resolve an identity
`theft-related incident . . . came to about $20,000,” and that the victims were often forced to pay
`out-of-pocket costs for healthcare they did not receive in order to restore coverage.9 Almost 50
`percent of the victims lost their healthcare coverage as a result of the incident, while nearly 30
`percent said their insurance premiums went up after the event. Forty percent of the customers
`were never able to resolve their identity theft at all. Data breaches and identity theft have a
`crippling effect on individuals and detrimentally impact the economy as a whole.10
`52.
`A 2017 study conducted by HIMSS Analytics showed that email was the most
`likely cause of a data breach, with 78 percent of providers stating that they experienced a
`healthcare ransomware or malware attack in the past 12 months.
`53.
`Healthcare related data breaches continued to rapidly increase into 2020 when
`MCG Health was breached.11
`54.
In the healthcare industry, the number one threat vector from a cybersecurity
standpoint is phishing. Cybersecurity firm Proofpoint reports that “phishing is the initial point of
compromise in most significant [healthcare] security incidents,” according to a recent report
from the Healthcare Information and Management Systems Society (HIMSS). And yet, 18% of
healthcare organizations fail to conduct phishing tests, a finding HIMSS describes as
“incredible.”12
`55.
`As explained by the Federal Bureau of Investigation, “[p]revention is the most
`effective defense against ransomware and it is critical to take precaution for protection.”13
`
`
9 Elinor Mills, Study: Medical identity theft is costly for victims, CNET (March 3, 2010), https://www.cnet.com/news/privacy/study-medical-identity-theft-is-costly-for-victims/ (last visited July 5, 2022).
10 Id.
11 2019 HIMSS Cybersecurity Survey, https://www.himss.org/sites/hde/files/d7/u132196/2019_HIMSS_Cybersecurity_Survey_Final_Report.pdf (last visited July 5, 2022).
12 Aaron Jensen, Healthcare Phishing Statistics: 2019 HIMSS Survey Results, PROOFPOINT (Mar. 27, 2019), https://www.proofpoint.com/us/security-awareness/post/healthcare-phishing-statistics-2019-himss-survey-results (last visited July 5, 2022).
13 See How to Protect Your Networks from RANSOMWARE, FBI (2016), https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view (last visited July 5, 2022).
`56.
`To prevent and detect ransomware attacks, including the ransomware attack that
`resulted in the Data Breach, Defendant could and should have implemented, as recommended by
`the United States Government, the following measures:

• Implement an awareness and training program. Because end
users are targets, employees and individuals should be aware of
the threat of ransomware and how it is delivered.

• Enable strong spam filters to prevent phishing emails from
reaching the end users and authenticate inbound email using
technologies like Sender Policy Framework (SPF), Domain
Message Authentication Reporting and Conformance
(DMARC), and DomainKeys Identified Mail (DKIM) to
prevent email spoofing.

• Scan all incoming and outgoing emails to detect threats and
filter executable files from reaching end users.

• Configure firewalls to block access to known malicious IP
addresses.

• Patch operating systems, software, and firmware on devices.
Consider using a centralized patch management system.

• Set anti-virus and anti-malware programs to conduct regular
scans automatically.

• Manage the use of privileged accounts based on the principle
of least privilege; no users should be assigned administrative
access unless absolutely needed; and those with a need for
administrator accounts should only use them when necessary.

• Configure access controls—including file, directory, and
network share permissions—with least privilege in mind. If a
user only needs to read specific files, the user should not have
write access to those files, directories, or shares.

• Disable macro scripts from office files transmitted via email.
Consider using Office Viewer software to open Microsoft
Office files transmitted via email instead of full office suite
applications.

• Implement Software Restriction Policies (SRP) or other
controls to prevent programs from executing from common
ransomware locations, such as temporary folders supporting