A class action lawsuit has been filed against four Californian medical groups, alleging that they failed to take reasonable and appropriate cybersecurity precautions, leading to a cyberattack and data breach involving the private information and protected health information of 3,300,638 current and former patients.
The lawsuit asserts that the cyberattack and data breach were predictable and could have—and should have—been avoided.
The Cyberattack
The cyberattack took place on December 1, 2022. On December 2, 2022, access to several servers was blocked after hackers obtained access to the medical groups' computer systems. By the time the cyberattack was discovered on December 8, 2022, the hackers had gained access to a vast amount of protected health information (PHI), including full names, contact details, Social Security numbers, diagnoses, treatment information, medication information, lab test results, radiology reports, and health insurance details. In February 2023, the affected individuals received notice of the data breach and were offered free credit monitoring services.
The Lawsuit
The lawsuit claims that, in addition to failing to prevent the breach, the medical groups were not monitoring their IT systems, and that if they had been, the attack could have been detected and stopped sooner.
The medical groups are also accused of:
- failing to provide victims with timely notices;
- waiting over two months after the breach was discovered to send victims letters of notification; and
- failing to provide victims with crucial information, such as how long hackers had access to personal data.
According to the lawsuit, because notices were not issued promptly, cybercriminals had ample time to profit from and abuse the data before the victims were informed and could take steps to protect their identities.
The case brings claims of carelessness, negligence, breach of implied contract, invasion of privacy, unjust enrichment, violations of the California Consumer Privacy Act, the California Consumer Records Act, and the California Unfair Competition Law, and violations of state data breach laws. The complaint demands a jury trial, class action status, compensatory, consequential, and general damages, statutory, punitive, and exemplary damages, and legal costs.
How HIPAA Compliance Could Have Helped
Although this case was not brought under HIPAA, had the medical groups been HIPAA compliant, they might have spared themselves the lawsuit and potentially the breach itself.
For one, the HIPAA Breach Notification Rule requires healthcare organizations to report breaches in a timely manner and sets strict guidelines on the information that must be included in a breach notice.
HIPAA-compliant organizations are also generally more secure, because HIPAA requires security measures to be in place to protect patient information. Ultimately, HIPAA compliance and cybersecurity go hand in hand.