A former Sunshine Behavioral Health Group patient has filed a proposed class action lawsuit over a data breach he claims exposed the private personal and medical information of approximately 3,500 patients to “anyone with access to an internet search engine.”
According to the case, Sunshine Behavioral Health, which operates three “luxury” drug and alcohol rehabilitation centers in California, Colorado and Texas, was made aware on September 4, 2019 of a security vulnerability that allowed certain sensitive data on the company’s patients to be “searchable, findable, viewable, and downloadable” through internet search engines. Among the allegedly exposed information were patients’ names, addresses, credit and debit card information, insurance details, medical information, and Social Security numbers.
The lawsuit alleges that the defendant, despite learning of the breach in September 2019, waited until January 21, 2020 to publicly disclose the incident. According to the complaint, patient data was exposed for a total of 30 months, as California’s attorney general found that the breach began back in March 2017. Moreover, the suit notes that Sunshine “did not discover the data breach itself.” An individual “not affiliated with the defendant” notified the company of the incident, the case says.
The case claims the defendant had a particular duty under HIPAA (the Health Insurance Portability and Accountability Act) to protect patients’ private health information, as well as to disclose any breach of its security within 60 days of learning of it. The case charges that Sunshine Behavioral Health Group failed to comply with the law despite being fully aware of both its HIPAA obligations and the threat of data breaches within the healthcare industry. The lawsuit alleges that Sunshine was aware that encrypting its computer systems would provide necessary protection and security for patients’ data yet neglected to do so.
The lawsuit says that although Sunshine Behavioral Health has provided affected patients with 24 months of credit monitoring services and offered advice about how to mitigate the danger of identity theft and fraud, the company has yet to compensate proposed class members for their injuries, including by offering fraud insurance. The plaintiff questions Sunshine’s response to the breach, noting that none of the defendant’s recommendations require the company to “expend any effort” to protect patients’ sensitive information.
“If Defendant truly understood the importance of safeguarding Affected Patients’ Personal and Medical Information, it would acknowledge its responsibility for the harm it has caused,” the complaint reads, “and would compensate Class Members, provide long-term protection for Plaintiff and Class Members, agree to Court-ordered and enforceable changes to its cybersecurity policies and procedures, and adopt regular and intensive training to ensure that a data breach like this never happens again.”
The case looks to cover anyone in the U.S. whose personal and medical information was compromised in the Sunshine data breach announced in January 2020, with proposed subclasses of California and Pennsylvania residents.