A late-2020 data breach is the subject of a proposed class action filed in California against Neighborhood Healthcare, Health Center Partners of Southern California and Netgain Technology, LLC.
Brought by a pseudonymous Jane Doe plaintiff who claims to have been a victim of the breach, the 44-page case contends that the defendants’ failure to implement adequate data security measures allowed unauthorized parties to gain access to HCP and Neighborhood Healthcare patients’ sensitive information.
Exposed in the breach, which reportedly occurred between October 22 and December 3, 2020 by way of a ransomware attack, were patient names, dates of birth, addresses, Social Security numbers, insurance coverage details, physicians and treatment codes, the lawsuit says, stressing that the incident has exposed proposed class members to an increased risk of identity theft and fraud.
The lawsuit claims the defendants breached their duties under California law and the Health Insurance Portability and Accountability Act (HIPAA) to protect from unauthorized access the sensitive medical and personal information with which they were entrusted.
At the center of the suit is a December 2020 ransomware attack experienced by Netgain, who provided cloud hosting and IT services to Health Center Partners of Southern California and Neighborhood Healthcare. The lawsuit explains that Netgain discovered in November 2020 a security incident involving unauthorized access to portions of its and its clients’ environments, upon which the company “began taking steps to investigate this incident.”
According to the case, however, the unauthorized intruder launched a ransomware attack on Netgain on November 3 by encrypting a subset of the company’s data and demanding payment, which Netgain allegedly paid, in exchange for a promise that the data would be destroyed.
The lawsuit alleges Neighborhood Healthcare and HCP stored patients’ information in an unencrypted format and disclosed the data to Netgain without the individuals’ written authorization to do so. Moreover, HCP and Neighborhood Healthcare had a duty to vet any potential service providers to ensure they were equipped to safeguard the sensitive information in their care, the suit relays.
According to the complaint, the data breach of Netgain’s systems is the result of the defendants’ failure to preserve the confidentiality of patients’ medical information despite having the resources to do so and being fully aware of the risk that vulnerabilities in their systems could be exploited by hackers.
The case alleges that none of the defendants have offered any compensation to data breach victims for the unauthorized disclosure of their information.
The defendants, in effect, are “shirking [their] responsibility” for the harm caused by the breach while “shifting the burdens and costs of [their] wrongful conduct” onto patients, the lawsuit attests.
The suit looks to represent anyone to whom Health Center Partners of Southern California sent a notification letter of a data security incident that occurred between October 22 and December 3, 2020, as well as a proposed subclass of those to whom Neighborhood Healthcare sent a notification letter of a data security incident that occurred between November 24 and December 3, 2020.
Initially filed in San Diego County Superior Court on June 1, the lawsuit was removed to California’s Southern District Court on September 9.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.