Share this article on:
Class action lawsuits have recently been filed against Partnership Health Plan in Northern California and Oregon Anesthesiology Group in response to ransomware attacks and the theft of sensitive patient/plan member data.
Partnership Health Plan of California
Partnership HealthPlan of California (PHC) is a non-profit community-based healthcare organization that serves over 550,000 Medi-Cal beneficiaries in Northern California. In March 2022, PHC announced that it was working with third-party forensic specialists to restore the functionality of its systems following a cyberattack.
The Hive ransomware group claimed responsibility for the attack and allegedly exfiltrated 400GB of data prior to encrypting files. Those files are alleged to contain the sensitive data of 850,000 individuals including names, dates of birth, addresses, and Social Security numbers. The ransomware gang claimed to have encrypted files on March 19, 2022, although removed the listing from its data leak site after a few days.
Last week, the law firms Whatley Kallas of San Diego and Janssen Malloy of Eureka filed a lawsuit against PHC on behalf of the anonymous plaintiff, John Doe, in the Superior Court of Humboldt County. The lawsuit alleges the healthcare organization was negligent for failing to implement and maintain appropriate cybersecurity measures to prevent ransomware attacks and data breaches. The lawsuit states that warnings had been issued to the healthcare sector about the threat of Hive ransomware attacks as early as June 2021.
The law firms are currently representing one plaintiff, but the action has been brought on behalf of others that have similarly been affected. Others are expected to join the lawsuit when breach notification letters are issued by PHC. As of April 29, 2022, notification letters had not been issued, although under HIPAA, covered entities such as PHC must issue notification letters within 60 days of the discovery of a data breach.
The lawsuit alleges violations of the Information Practices Act of 1977, Confidentiality of Medical Information Act, invasion of privacy, unlawful and unfair business practices, and seeks a jury trial and an order from the court for declaratory, equitable and/or injunctive relief. Damages have not been claimed by the plaintiff at this stage.
Oregon Anesthesiology Group
Portland, OR-based Oregon Anesthesiology Group (OAG) is facing a class action lawsuit over a cyberattack and data breach that affected hundreds of thousands of patients. In July 2021, OAG suffered a ransomware attack in which the protected health information of around 750,000 patients and 522 employees was compromised. Access to the network was gained on July 3, the breach was detected on July 11, and the attack was contained on July 15, 2021.
The FBI notified OAG in October 2021 that an account containing patient and employee files had been seized from the Ukrainian ransomware group, HelloKitty, and that the ransomware gang most likely exploited a vulnerability in its firewall to gain access to its systems. Notification letters were sent to affected individuals in December 2021.
OAG said the ransomware gang potentially obtained patient information such as names, addresses, date(s) of service, diagnosis and procedure codes with descriptions, medical record numbers, insurance provider names, and insurance ID numbers, and employee data including names, addresses, Social Security numbers and other details from W-2 forms. OAG has since upgraded its security systems, replaced its firewall, implemented multi-factor authentication, and has offered affected individuals 12 months of free credit monitoring and identify theft restoration services, which include a $1 million identity theft insurance policy.
On April 7, 2022, a lawsuit was filed against OAG on behalf of plaintiff Parke Eldred in Multnomah County Circuit Court that seeks class action status. The lawsuit alleges OAG was negligent for failing to protect the sensitive data of at least 750,000 individuals and claims the delay of 5 months in issuing notification letters was in violation of Oregon laws, which require notification letters to be issued within 60 days of the discovery of the breach.
The plaintiff claims to have identified suspicious activity in his bank account and incurred between $700 and $800 of fraudulent charges on a single day. The lawsuit seeks class certification, damages, reimbursement of out-of-pocket expenses, injunctive relief, and for OAG to cover the cost of at least 3 years of credit monitoring services.