Sea Mar Community Health Centers located in Seattle, WA is confronted with a class-action lawsuit because of a cyberattack that led to the exposure of the protected health information (PHI) of 688,000 persons. The breach was uncovered in June 2021 because information stolen during the attack was shared on the Marketo dark web leak page.
Databreaches.net came across the leaked details on the Marketo data leak site in June 2021 and got in touch with Sea Mar. In October 2021, Sea Mar mailed notification letters to impacted persons and mentioned that the attackers obtained access to its system between December 2020 and March 2021 and exfiltrated sensitive records such as names, addresses, birth dates, medical data, and Social Security numbers. The data breach report was sent to the HHS’ Office for Civil Rights the same month as having an effect on 688,000 present and past patients. Impacted persons were given one-year free credit monitoring and identity theft protection services.
As per Databreaches.net, the threat group associated with the attack said they have ripped off 3TB of data files from Sea Mar. There might at the same time be another exposure of the stolen records by a threat gang referred to as Snatch Team. Databreaches.net identified a number of references to Sea Mar in a 22TB set of information. Aside from being published on dark web leak pages, Databreaches.net mentioned the stolen information was additionally shared on no less than two clear net leak web pages – Those run by Marketo and Snatch Team.
The newest lawsuit – Hall v. Sea Mar Community Health Centers – was submitted in Washington state superior court with plaintiff previous Sea Mar patient Alan Hall and over 650,000 other individuals impacted by the data incident.
The lawsuit states Sea Mar was negligent for not implementing enough and acceptable cybersecurity processes and protocols to safeguard patient and worker details and kept sensitive patient records in a careless manner. Sea Mar is alleged to have failed to make known it didn’t have thoroughly robust computer solutions and security practices and wasn’t appropriately tracking its system for attacks, which made it possible for the threat actors to obtain access to its systems for 4 months. The lawsuit furthermore states Sea Mar was late in sending breach notification letters, which were mailed approximately 10 months after the first attack and 4 months after learning about the data breach.
The lawsuit states the plaintiff and class members are open to the existing and impending danger of fraud and identity theft considering that their sensitive information is in the possession of information thieves and was offered to other cybercriminals by means of the leaking of the records on the dark web.
The plaintiffs and class members claimed that they sustained injury and ascertainable losses as a result of the risk of fraud and identity theft, loss of the advantage of their bargain, out-of-pocket expenditures, the valuation of their time spent managing the consequences of the cyberattack, and data breach, and decrease of the value of their personal data.
The lawsuit would like nominal damages, compensatory damages, return of out-of-pocket costs, and injunctive relief, such as funding in cybersecurity to better secure patient and employee records, submitting to potential yearly data security reviews, and the availability of no less than 3 years of identity theft and credit monitoring services to impacted persons of the data breach.