Four Californian Medical Groups Sued over Data Breach Affecting 3.3 Million Patients
Four Californian medical groups have been named in a class action lawsuit that alleges a failure to implement reasonable and appropriate cybersecurity measures, resulting in a cyberattack and data breach involving the personal and protected health information of 3,300,638 current and former patients. The lawsuit names Regal Medical Group Inc., Lakeside Medical Organization, A Medical Group Inc., Affiliated Doctors of Orange County Medical Group, Inc., and Greater Covina Medical Group, Inc., and claims the cyberattack and data breach were foreseeable and could – and should – have been prevented.
The cyberattack in question occurred on December 1, 2022. Hackers gained access to the medical groups’ IT systems, preventing access to certain servers on December 2, 2022. The cyberattack was detected on December 8, 2022, by which time the hackers had access to a huge amount of sensitive patient data, including full names, contact information, Social Security numbers, diagnoses, treatment information, medications, lab test results, radiology reports, and health insurance information. Affected individuals were notified about the data breach in February 2023 and were offered complimentary credit monitoring services.
In addition to alleging a failure to prevent the breach, the lawsuit alleges that IT systems were not being monitored and that, had they been, the attack could have been detected and stopped more quickly. The lawsuit also alleges the medical groups failed to issue timely notifications, waiting almost two months after the breach was discovered to send notification letters to victims, and then failed to disclose important information, such as how long the hackers had access to their data. The lawsuit claims the delay in issuing notifications meant cybercriminals had plenty of time to monetize and misuse the data before the victims knew they should take steps to protect their identities.
It is common for lawsuits to be filed after healthcare data breaches, and oftentimes lawsuits are filed before there has been any misuse of the stolen data. In this case, two of the plaintiffs allege attempts were made to misuse their information soon after the data breach. One plaintiff claimed multiple fraudulent charges were attempted on her credit card, and another claimed there was an attempt to register a new credit card in her name and that she had received a fraud alert informing her that her Social Security number had been compromised. The attempted fraudulent activity occurred between December 2022 and February 2023, before the plaintiffs were informed by the defendants about the data breach. The lawsuit alleges the plaintiffs and class members now face a lifelong risk of identity theft, medical identity theft, and fraud as a result of the cyberattack and data breach.
The lawsuit alleges negligence, negligence per se, breach of implied contract, intrusion upon seclusion, unjust enrichment, violations of the California Confidentiality of Medical Information Act, California Consumer Privacy Act, California Consumer Records Act, and California Unfair Competition Law, and violations of state data breach statutes. The lawsuit seeks class action status, a jury trial, compensatory, consequential, and general damages, statutory, punitive, and exemplary damages, and legal fees.
The lawsuit names Shannon Masser Downs, M.B. (a minor), and Maria Hinestrosa as plaintiffs. The plaintiffs are represented by Jonathan M. Rotter and Pavithra Rajesh of Glancy Prongay & Murray LLP and Daniel O. Herrera and Nickolas J. Hagman of Cafferty Clobes Meriwether & Sprengel LLP.


