Seattle, WA-based Sea Mar Community Health Centers is facing a class action lawsuit over a cyberattack in which the protected health information of 688,000 individuals was compromised. The breach came to light in June 2021 when files stolen in the attack were posted on the Marketo dark web leak site.
Databreaches.net spotted the leaked data on the Marketo data leak site in June 2021 and contacted Sea Mar. In October 2021, Sea Mar sent notification letters to affected individuals and explained that the hackers gained access to its network between December 2020 and March 2021 and exfiltrated sensitive data including names, addresses, Social Security numbers, dates of birth, and health information. The data breach was reported to the HHS’ Office for Civil Rights the same month as affecting 688,000 current and former patients. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 12 months.
According to Databreaches.net, the threat group behind the attack claimed to have stolen 3TB of data from Sea Mar. There may also have been a further disclosure of the stolen data by a threat group known as Snatch Team. Databreaches.net found multiple references to Sea Mar in a 22TB set of data, as did a researcher at Intel. In addition to being posted on dark web leak sites, Databreaches.net said the stolen data had also been posted on at least two clear net leak sites – those operated by Marketo and Snatch Team.
The latest lawsuit – Hall v. Sea Mar Community Health Centers – was filed in Washington state superior court on behalf of former Sea Mar patient Alan Hall and “more than 650,000” others affected by the data breach.
The lawsuit alleges Sea Mar was negligent for failing to implement adequate and reasonable cybersecurity procedures and protocols to protect patient and employee information and maintained sensitive patient data “in a reckless manner.” Sea Mar is alleged to have failed to disclose it did not have adequately robust computer systems and security practices and was not properly monitoring its network for intrusions, which allowed the threat actors to access its systems for four months. The lawsuit also alleges Sea Mar delayed issuing breach notifications, which were sent around 10 months after the initial intrusion and 4 months after the data breach was discovered.
The lawsuit alleges the plaintiff and class members are exposed to a present and imminent risk of fraud and identity theft because their sensitive data is in the hands of data thieves and has been made available to other cybercriminals through the leaking of the data on the dark web.
The plaintiffs and class members are alleged to have suffered injury and ascertainable losses due to the threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses, the value of their time spent mitigating the effects of the cyberattack and data breach, and loss of value of their personal information.
The lawsuit seeks compensatory damages, nominal damages, reimbursement of out-of-pocket expenses, and injunctive relief, including investment in cybersecurity to better protect patient and employee data, submitting to future annual data security audits, and the provision of at least three years of identity theft and credit monitoring services to victims of the data breach.