Class action lawsuits were recently filed against Oregon Anesthesiology Group and Partnership Health Plan in Northern California over ransomware attacks that resulted in the theft of sensitive patient and plan member information.
Partnership Health Plan of California
Partnership HealthPlan of California (PHC) is a not-for-profit, community-based medical care provider serving more than 550,000 Medi-Cal beneficiaries in Northern California. PHC reported in March 2022 that third-party forensic experts were helping to restore its network functionality after a cyberattack.
The Hive ransomware group claimed responsibility for the attack and said it had copied 400GB of data before encrypting files. The stolen files allegedly contain the sensitive information of 850,000 people, including names, addresses, birth dates, and Social Security numbers. The ransomware group claimed it encrypted files on March 19, 2022, but removed the listing from its data leak website after a couple of days.
The law firms Janssen Malloy of Eureka and Whatley Kallas of San Diego filed the lawsuit against PHC on behalf of an unnamed plaintiff, John Doe, in the Humboldt County Superior Court. The lawsuit alleges that the healthcare provider failed to implement and maintain appropriate cybersecurity measures to prevent ransomware attacks and data breaches, and notes that the healthcare industry had been warned about the risk of Hive ransomware attacks since June 2021.
The law firms currently represent one plaintiff; however, the action was filed on behalf of all others affected in the same way. More people are likely to join the legal action once PHC issues breach notification letters. As of April 29, 2022, the notification letters had not yet been sent, even though HIPAA requires covered entities such as PHC to issue notification letters within 60 days of discovering a data breach.
The lawsuit alleges violations of the Confidentiality of Medical Information Act and the Information Practices Act of 1977, invasion of privacy, and unlawful and unfair business practices, and seeks a jury trial as well as a court order for declaratory, equitable and/or injunctive relief. At this point, the plaintiff has not claimed damages.
Oregon Anesthesiology Group
Oregon Anesthesiology Group (OAG), based in Portland, OR, is facing a class-action lawsuit over a cyberattack and data breach that affected a large number of patients. OAG suffered a ransomware attack in July 2021 in which the protected health information (PHI) of approximately 750,000 individuals and the data of 522 employees was exposed. The attacker gained access to the system on July 3, and OAG detected the breach on July 11. By July 15, 2021, the attack had been contained.
The FBI informed OAG in October 2021 that an account containing patient and employee data files had been recovered from the HelloKitty Ukrainian ransomware group. The group likely exploited a weakness in OAG's firewall to gain access to its network. OAG began sending notification letters to affected individuals in December 2021.
OAG stated that the ransomware group may have obtained patient data such as names, date(s) of service, addresses, medical diagnosis and procedure codes with descriptions, medical record numbers, insurance company names, and insurance identification numbers, as well as employee information such as names, Social Security numbers, addresses, and other information from W-2 forms. OAG has since improved its security program, replaced its firewall, implemented multi-factor authentication, and offered patients a year of no-cost credit monitoring and identity theft restoration services, including identity theft insurance coverage worth $1 million.
On April 7, 2022, a lawsuit seeking class-action status was filed in Multnomah County Circuit Court against OAG on behalf of plaintiff Parke Eldred. The lawsuit alleges that OAG failed to safeguard the sensitive information of at least 750,000 people and that the 5-month delay in sending notification letters violated Oregon law, which requires notification letters to be issued within 60 days of learning of the breach.
The plaintiff states that he discovered suspicious activity on his bank account, with $700 to $800 of fraudulent charges in a single day. The lawsuit seeks class certification, damages, reimbursement of out-of-pocket expenses, injunctive relief, and at least 3 years of credit monitoring services paid for by OAG.