Tandem Diabetes Care Facing Class Action Lawsuit over January 2020 Phishing Attack

The San Diego medical device manufacturer, Tandem Diabetes Care Inc., is facing a class action lawsuit in California over a January 2020 data breach that resulted in the exposure and possible theft of the protected health information of more than 140,000 individuals.

The breach was the result of a phishing attack that gave unauthorized individuals access to the email account of an employee between January 17 and January 20, 2020. The information in the email account varied from patient to patient but included a range of private and confidential information including names, dates of birth, insurance information, billing information, healthcare data, and Social Security numbers.

The incident was reported to the HHS’ Office for Civil Rights on March 17, 2020 as affecting 140,781 individuals. Notification letters started to be sent to those individuals the same day.

The lawsuit was filed in the United States District Court in the Southern District of California and alleges violations of the Confidentiality of Medical Information Act (CMIA). The plaintiff and class members seek damages for the negligent disclosure of their personal and healthcare data and injunctive relief.

CMIA requires healthcare service providers to implement measures to ensure the confidentiality of individually identifiable medical information and prohibits the disclosure of that data without prior authorization from patients. In contrast to HIPAA, CMIA includes a private cause of action, which allows patients to take legal action over the negligent disclosure of their confidential health data.

The lawsuit names the plaintiff as C.H., and the putative class is divided into two subclasses: all California citizens whose identities, personal data, and medical information were contained in the email account, and all other individuals whose information was exposed.

The lawsuit alleges negligence for failing to protect individually identifiable health information. “By making Defendant’s email account accessible to third parties, Defendant negligently created, maintained, preserved, stored, and then exposed Plaintiff’s and the Class members’ individual identifiable ‘medical information,’” states the lawsuit.

The lawsuit alleges Tandem Diabetes Care failed to maintain adequate technological safeguards, which directly and proximately caused foreseeable risk of patient data loss and harm, including identity theft and other economic losses.

The lawsuit alleges patients have suffered damages as a result of the unauthorized release of their personal and protected health information and seeks nominal damages of $1,000 per class member, reimbursement for actual damages suffered, damages provided by the common law, and legal costs.

The lawsuit was filed by Joshua B. Swigart of the law firm Swigart Law Group, who is seeking class action status and a jury trial.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.