Share this article on:
A lawsuit has been filed against the in-home respiratory care provider, SuperCare Health, over a cyberattack and data breach that was reported to the Department of Health and Human Services on March 28, 2022. The incident involved the exposure and potential theft of the protected health information of 318,400 patients, including names, addresses, birth dates patient account numbers, medical record numbers, health insurance information, testing, diagnostic, treatment, and claims information. A subset of individuals also had their Social Security numbers and/or driver’s license numbers exposed.
SuperCare Health said unauthorized individuals had access to its network between July 23, 2021, to July 27, 2021, but did not disclose the nature of the cyberattack. It took SuperCare Health until February 4, 2022, to determine that the files potentially accessed in the attack contained patients’ PHI. Notification letters were sent on March 25, 2022, and according to the notice provided to the California Attorney General, credit monitoring and identity theft protection services were offered to affected individuals.
It is becoming more common for lawsuits to be filed over healthcare data breaches. According to a recently published report from the law firm BakerHostetler, lawsuits are often now filed over relatively small healthcare data breaches and it is common for multiple lawsuits to be filed. In 2021, the law firm was involved in 23 incidents, and 58 lawsuits were filed in response to those breaches. 43 of the lawsuits were filed in response to healthcare data breaches, and 11 of the lawsuits were filed for breaches affecting fewer than 700,000 individuals.
The SuperCare Health lawsuit was filed in the United States District Court for the Central District of California on April 12, 2022, two weeks after notification letters were sent to patients. The lawsuit, Vickey Angulo v. SuperCare Health, alleges SuperCare Health had not implemented adequate and reasonable cybersecurity procedures and protocols to secure the personal and protected health information of the plaintiff and members of the class, despite a known risk of cyberattacks and data breaches at healthcare providers, which are at an all-time high. The lawsuit also alleges SuperCare Health failed to adhere to the security guidelines and standards of the National Institute of Standards and Technology, Federal Trade Commission, and Health Insurance Portability and Accountability Act (HIPAA), and violated state laws.
The lawsuit claims SuperCare Health only provided scant details to victims about the nature of the cyberattack and data breach and did not inform patients about the data breach for more than 6 months after it was detected. The plaintiff said she was notified that unauthorized individuals accessed her information, which included her electronic medical records, but was not offered adequate credit monitoring and identity theft protection services or appropriate compensation for the harm caused.
The plaintiff alleges she has suffered actual injury from the data breach, including damage to and diminution of the value of her private information, and a substantial and present, imminent, and impending injury from the increased risk of identity theft and fraud, and maintains that her personal and protected health information is still available to the public, which would make it possible for anyone to use the information for nefarious purposes.
The lawsuit seeks class action certification, a jury trial, an award of damages, reimbursement of out-of-pocket costs, and a lifetime of credit monitoring services, and for SuperCare Health to make improvements to its security systems and submit to future annual security audits.