San Diego Health Faces Class Action Lawsuits Over Phishing Attack

Californian healthcare provider San Diego Health is facing multiple class-action lawsuits over a data breach impacting the protected health information (PHI) of 496,949 patients.

San Diego Health discovered suspicious activity in employee email accounts on March 12, 2021, and started an investigation. Based on the investigation findings, it was confirmed on April 8, 2021 that unauthorized individuals had accessed several email accounts containing patients’ PHI from December 2, 2020 to April 8, 2021. An analysis of the breached email accounts showed they contained PHI including names, addresses, birth dates, email addresses, Social Security numbers, government ID numbers, financial account numbers, medical record numbers, and health data such as lab test results, diagnoses, and prescription details.

Under HIPAA, covered entities must send notification letters to affected persons within 60 days of discovering a breach. San Diego Health published a substitute breach notice on its web page on July 27, 2021 and began sending notification letters to patients on September 9, 2021. The healthcare provider also offered affected patients free one-year credit monitoring and identity theft protection services, including an identity theft insurance policy with roughly $1 million of coverage.

On September 20, patient Denise Menezes filed a lawsuit against San Diego Health alleging breach of contract, breach of implied contract, negligence, negligence per se, breach of confidence, unjust enrichment, and violation of the California Confidentiality of Medical Information Act, the California Consumer Privacy Act, and the California Unfair Competition Law.

The lawsuit claims San Diego Health failed to meet its obligation to safeguard patient information as mandated by the HIPAA Security Rule. It states that suitable, industry-standard cybersecurity measures, such as spam filtering and email authentication controls like SPF and DMARC, were not in place to prevent hackers from gaining access to employee email accounts containing patients’ PHI. Additionally, employees allegedly did not receive adequate security awareness training that would have allowed them to recognize and avoid phishing attempts. The lawsuit also alleges negligence for failing to detect the data breach for 4 months and for not notifying impacted persons within a reasonable time.

Patient Richard Hartley filed a second lawsuit on September 22 seeking class-action status. The lawsuit likewise alleges negligence for similar failings, and additionally claims that San Diego Health only removed the unauthorized persons from its email environment on April 8, even though the potential data breach had been noticed on March 12.

The lawsuit alleges negligence, breach of implied contract, invasion of privacy, unjust enrichment, breach of confidence, breach of fiduciary duty, and violation of the California Confidentiality of Medical Information Act and the California Consumer Privacy Act.

The plaintiff claims to have suffered an actual injury as a result of the breach. The alleged injuries include anxiety caused by the theft of his private data and money paid to San Diego Health for products and services that required disclosure of PHI, which he would not have paid had he known that the security measures protecting that data were inadequate. The plaintiff additionally claims diminution in the value of his sensitive data, loss of privacy, imminent injury from identity theft, and the time and cost of mitigating the impact of the breach.

The lawsuits seek unspecified damages for the plaintiffs and all other class members whose private and health data may have been exposed in the attack, a jury trial, and an injunction requiring San Diego Health to improve its cybersecurity to prevent similar breaches in the future.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA