Class action lawsuits were recently filed against Partnership Health Plan in Northern California and Oregon Anesthesiology Group in response to ransomware attacks and the theft of sensitive patient/plan member data.
California Partnership Health Plan
Partnership HealthPlan of California (PHC) is a nonprofit community health care organization that serves more than 550,000 Medi-Cal beneficiaries in Northern California. In March 2022, PHC announced that it was working with third-party forensic specialists to restore the functionality of its systems following a cyberattack.
The Hive ransomware group claimed responsibility for the attack and allegedly exfiltrated 400 GB of data before encrypting the files. The files reportedly contain the sensitive data of 850,000 people, including names, dates of birth, addresses and Social Security numbers. The ransomware gang claimed to have encrypted files on March 19, 2022, although it deleted the listing from its data leak site after a few days.
Last week, law firms Whatley Kallas of San Diego and Janssen Malloy of Eureka filed a lawsuit against PHC on behalf of the anonymous plaintiff, John Doe, in Humboldt County Superior Court. The lawsuit alleges that the healthcare organization was negligent for failing to implement and maintain proper cybersecurity measures to prevent ransomware attacks and data breaches. The lawsuit says warnings had been issued to the healthcare industry about the threat of Hive ransomware attacks as early as June 2021.
The law firms currently represent one plaintiff, but the action was brought on behalf of others who were similarly affected. Others are expected to join the lawsuit when breach notification letters are issued by PHC. As of April 29, 2022, no notification letters have been issued, although under HIPAA, covered entities such as PHC must issue notification letters within 60 days of discovering a data breach.
The lawsuit alleges violations of the Information Practices Act of 1977, the Medical Information Privacy Act, invasion of privacy, unlawful and unfair business practices, and seeks a trial by jury and a court order for declaratory, equitable and/or injunctive relief. Damages have not been claimed by the plaintiff at this stage.
Oregon Anesthesiology Group
The Oregon Anesthesiology Group (OAG), based in Portland, OR, is facing a class action lawsuit over a cyberattack and data breach that affected hundreds of thousands of patients. In July 2021, OAG suffered a ransomware attack in which the protected health information of approximately 750,000 patients and 522 employees was compromised. Network access was obtained on July 3, the breach was detected on July 11, and the attack was contained on July 15, 2021.
The FBI informed OAG in October 2021 that an account containing patient and employee records had been seized from the Ukrainian ransomware group, HelloKitty, and that the ransomware gang had most likely exploited a vulnerability in its firewall to access its systems. Notification letters were sent to affected individuals in December 2021.
OAG said the ransomware gang potentially obtained patient information such as names, addresses, dates of service, diagnostic and procedure codes with descriptions, medical record numbers, insurer names and patient insurance identification numbers, as well as employee data, including names, addresses, Social Security numbers, and other details from W-2 forms. OAG has since upgraded its security systems, replaced its firewall, implemented multi-factor authentication and offered those affected 12 months of free credit monitoring and identity restoration services, which include a million-dollar identity theft insurance policy.
On April 7, 2022, a lawsuit was filed against OAG on behalf of plaintiff Parke Eldred in the Multnomah County Circuit Court seeking class action status. The lawsuit alleges that OAG was negligent for failing to protect the sensitive data of at least 750,000 people and claims that the 5-month delay in issuing the notification letters was in violation of Oregon state laws, which require notification letters to be issued within 60 days of discovery of the breach.
The plaintiff claims to have identified suspicious activity in his bank account and incurred between $700 and $800 in fraudulent charges in a single day. The lawsuit seeks class certification, damages, reimbursement of out-of-pocket expenses, an injunction and an order for OAG to cover the cost of at least 3 years of credit monitoring services.