Solara Medical Supplies is facing a lawsuit over a data breach discovered in June 2019 that exposed the protected health information (PHI) of more than 114,000 customers and potentially allowed an unauthorized person who accessed its email system to steal that data.
Solara Medical Supplies is a vendor of medical devices and disposable medical goods. It discovered the breach on June 28, 2019. Initially it was believed that only one email account was involved; however, the breach investigation showed that several Office 365 email accounts had been compromised for about 6 weeks, beginning on April 2, 2019.
The types of data compromised because of the attack included names, addresses, dates of birth, Social Security numbers, employee ID numbers, medical insurance details, financial data, credit card/debit card numbers, passport information, driver’s license numbers, state ID numbers, password/PIN or account login data, claims information, billing details, and Medicare/Medicaid IDs.
Solara Medical Supplies notified the customers affected by the breach in November 2019 and offered them free credit monitoring and identity theft protection services; nevertheless, that did not prevent legal action being taken against the company over the compromise of customers' sensitive data.
Several law firms are currently seeking clients whose sensitive data was exposed as a result of the phishing attack. So far, one lawsuit has been filed in the U.S. District Court for the Southern District of California.
Juan Maldonado, the plaintiff, is a client of Solara Medical Supplies using products provided by the company for the management of his health condition. The lawsuit claims that Maldonado’s sensitive, personal data is now in the possession of cybercriminals and his identity is at considerable risk of theft and fraud. In addition, it was alleged that Solara Medical Supplies was negligent in protecting the sensitive information of its clients.
Although the lawsuit mentions HIPAA, HIPAA provides no private right of action, so individuals affected by a data breach cannot sue a HIPAA-covered entity over the compromise of their information or for any HIPAA violation. Only the HHS' Office for Civil Rights and state attorneys general can take enforcement action against covered entities for HIPAA violations. The lawsuit therefore also claims that Solara Medical Supplies violated state laws, including the California Consumer Privacy Act.
The lawsuit additionally alleges the following failings by Solara Medical Supplies: insufficient computer systems and security controls to protect customers' personal and health data; no system in place for detecting data breaches promptly; and failure to inform affected customers promptly.
Solara Medical Supplies notified affected individuals more than 7 months after the initial email account compromise, and more than 4 months after first detecting the breach. The lawsuit alleges that during that time Solara made no attempt to alert its clients to the risks created by the data exposure, and that in those four months the attackers had ample opportunity to defraud its clients.
Solara states that it found no evidence of data theft and that, at the time the notifications were issued, it had received no reports suggesting misuse of any customer data.
The lawsuit seeks class-action status and appropriate monetary relief, injunctive relief, punitive damages, actual damages, attorneys' fees, and payment of the cost of extended credit monitoring and identity theft protection services.
The lawsuit highlights a critical issue regarding breach notifications to individuals whose PHI has been compromised or stolen: HIPAA-covered entities today often wait and send notifications only after the breach investigation is complete.
Under the HIPAA Breach Notification Rule, notifications must be issued without unreasonable delay and no later than 60 days after discovery of the breach. Despite previous guidance on breach notifications issued by the HHS' Office for Civil Rights, many covered entities interpret the requirement as 60 days from the date the forensics firm confirmed that patient data was breached. That date can be a couple of months after the breach was first discovered. Covered entities that take this interpretation risk regulatory penalties for unnecessarily delaying breach notifications.