Share this article on:
Multiple class action lawsuits have been filed against the Californian healthcare provider San Diego Health over a data breach involving the protected health information of 496,949 patients.
On March 12, 2021, San Diego Health identified suspicious activity in employee email accounts and launched an investigation. On April 8, 2021, it was determined multiple email accounts containing patients’ protected health information had been accessed by unauthorized individuals between December 2, 2020 and April 8, 2021. A review of the compromised email accounts confirmed them to contain protected health information such as names, addresses, dates of birth, email addresses, medical record numbers, government ID numbers, Social Security numbers, financial account numbers, and health information such as test results, diagnoses, and prescription information.
HIPAA requires covered entities to issue notifications to affected individuals within 60 days of the discovery of a breach. San Diego Health published a substitute breach notice on its website on July 27, 2021 and started issuing individual notifications to patients on September 9, 2021. Patients have been offered complimentary credit monitoring and identity theft protection services for 12 months and coverage under a $1 million identity theft insurance policy.
A lawsuit was filed against San Diego Health on behalf of patient Denise Menezes on September 20 alleging negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, breach of confidence, and violations of the California Consumer Privacy, California Confidentiality of Medical Information Act, and a violation of California Unfair Competition Law.
The lawsuit alleges San Diego Health failed to comply with its obligations to protect patient data as required by the HIPAA Security Rule. It is alleged that appropriate, industry-standard cybersecurity measures such as spam filtering including SPF and DMARC was not implemented to prevent hackers from gaining access to email accounts where patients’ protected health information was stored. Also, that sufficient security awareness training had not been provided to employees to help them identify and avoid phishing attempts. Additionally, the lawsuit alleges negligence for failing to detect the breach for 4 months and for failing to notify affected individuals within a reasonable amount of time.
A second lawsuit, which also seeks class action status, was filed on behalf of patient Richard Hartley on September 22. The lawsuit also alleges negligence for the same failures, and also states that a potential data breach was detected by San Diego Health on March 12, but it took until April 8 to expel the unauthorized individuals from its email environment.
The lawsuit alleges negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and violations of the California Consumer Privacy Act and California Confidentiality of Medical Information Act.
The plaintiff claims to have suffered actual injury as a result of the breach. Alleged injuries include anxiety caused by the theft of his personal information and paying monies to San Diego Health for goods and services that required a disclosure of PHI which would not have been made if he was aware inadequate security measures were in place to protect that information. The plaintiff also alleges damages to and diminution of the value of sensitive information, loss of privacy, impending and imminent injury due to identity theft, and the time and expense of mitigating the effects of the breach.
The lawsuits seek unspecified damages for the plaintiffs and all other class members whose personal and medical information may have been compromised in the attack, a jury trial, and an injunction compelling San Diego Health to enhance cybersecurity to prevent similar breaches in the future.