The lawsuit asserts that the cyberattack and data breach were predictable and could have—and should have—been avoided.
The aforementioned cyberattack took place on December 1, 2022. On December 2, 2022, access to several servers was blocked after hackers obtained access to the Computer systems of the medical groups. By the time the cyberattack was discovered on December 8, 2022, the hackers had gained access to a vast amount of protected health information (PHI), including full names, contact details, Social Security numbers, diagnoses, treatment information, medication information, lab test results, radiology reports, and health insurance details. In February 2023, the affected people received notice of the data leak and were offered free credit monitoring services.
The lawsuit claims that in addition to failing to stop the breach, IT systems were not being monitored, and that if they had been, the attack could have been discovered and stopped sooner.
The medical groups are also accused of:
- failing to provide victims with timely notices;
- waiting over two months after the breach was discovered to send victims letters of notification; and
- failing to provide victims with crucial information, such as how long hackers had access to personal data.
According to the lawsuit, because notices were not given right away, cybercriminals had plenty of time to profit from and abuse the data before the victims were informed to take precautions to protect their identities.
The case makes claims of carelessness, negligence, implied contract breach, invasion of privacy, unjust enrichment, violations of the California Consumer Privacy Act, California Consumer Records Act, California Unfair Competition Law, and violations of state laws governing data breaches. A jury trial, class action status, compensatory, consequential, and general damages, statutory, punitive, and exemplary damages, as well as legal costs are demanded in the claim.