Solara Medical Supplies Sued Over 114,000-Record Data Breach
Solara Medical Supplies is facing legal action over a June 2019 data breach that saw the protected health information of more than 114,000 customers exposed and potentially stolen by an unauthorized individual who gained access to its email system.
Solara Medical Supplies, a supplier of medical devices and disposable medical products, discovered the breach on June 28, 2019. While initially believed to involve one email account, an investigation revealed several Office 365 email accounts had been compromised for a period of around 6 weeks, starting on April 2, 2019.
The types of information exposed as a result of the attack included names, addresses, birth dates, employee ID numbers, Social Security numbers, health insurance information, financial information, credit card/debit card numbers, passport details, state ID numbers, driver’s license numbers, password/PIN or account login information, claims data, billing information, and Medicare/Medicaid IDs.
Customers affected by the breach were notified in November and were offered complimentary credit monitoring and identity theft protection services; however, that was not enough to prevent legal action being taken over the exposure of customers’ sensitive information.
Multiple law firms are now seeking clients who have had their sensitive information exposed as a result of the phishing attack and one lawsuit has already been filed with the U.S District Court of the Southern District of California.
The plaintiff, Juan Maldonado, is a customer of Solara Medical Supplies who uses products supplied by the company to help manage his medical condition. The lawsuit states that the sensitive, personal information of Maldonado is now in the hands of cybercriminals which has placed him at considerable risk of identity theft and fraud and alleges Solara Medical Supplies was negligent for failing to protect the sensitive data of its customers.
While the lawsuit cites HIPAA, there is no private right of action under HIPAA so individuals affected by a data breach do not have the right to sue a HIPAA-covered entity for the exposure of their data or for any HIPAA violations that are believed to have occurred. Legal action can only be taken against covered entities by the HHS’ Office for Civil Rights and state attorneys general. The lawsuit alleges Solara Medical Supplies has violated state laws, including the California Consumer Privacy Act.
The lawsuit alleges Solara Medical Supplies did not have adequate computer systems and security practices in place to safeguard customers’ personal and medical information, did not have systems in place to allow data breaches to be detected promptly, and that the company failed to notify affected customers in a timely manner
It took more than 7 months from the date of the initial email account compromise for affected individuals to be notified, and more than 4 months after the breach was first detected. The lawsuit claims that Solara made no efforts during that time to warn customers about the risks they faced from the exposure of their data. During those four months, the lawsuit states that the attackers had ample opportunity to defraud its customers.
Solara found no evidence to suggest any data was stolen by the attackers and, at the time of issuing notifications, no reports had been received to indicate any customer information had been misused.
The lawsuit seeks class action status and appropriate monetary relief, injunctive relief, actual damages, punitive damages, attorneys’ fees, and payment for extended credit monitoring and identity theft protection services.
The lawsuit raises an important issue about breach notifications to individuals whose protected health information has been exposed or stolen. It is now common for HIPAA-covered entities to wait until they have completed the investigation of a breach before notifications are issued.
The HIPAA Breach Notification Rule states that notifications must be issued without undue delay and no later than 60 days after the discovery of a breach. Despite the HHS’ Office for Civil Rights having previously issued guidance on breach notifications, many covered entities are interpreting the notification requirement as 60 days from the date when they are informed by the forensics company they engaged to investigate the breach that patient information could have been accessed. That date can be several months after the breach was initially discovered.
Even then, notifications are often delayed further, with covered entities waiting up to 60 more days before notifications are sent to affected individuals. By taking this approach, covered entities are risking regulatory fines for unnecessary delaying breach notifications.