Smile Brands Inc. and affiliate office Sahawneh Dental Corporation face a proposed class action over an April 2021 ransomware attack that reportedly exposed patients’ personal and health information.
The data breach, according to the 30-page case, was a result of the defendants’ failure to maintain adequate cybersecurity practices. The lawsuit alleges the incident has subjected victims to a heightened risk of identity theft and fraud given their private information, including names, addresses, telephone numbers, dates of birth, Social Security numbers, personal financial information, government-issued identification numbers and personal health details, fell into “the hands of malicious actors.”
“Defendants negligently left their computer systems open to attack,” the complaint scathes. “Thus, once the unauthorized user gained access to Defendants’ systems, the contents of those systems (including Plaintiff and Class members’ [protected health information/personally identifiable information]) were available for the unauthorized person(s) to access, view, acquire and exfiltrate for their nefarious use.”
The lawsuit explains that Smile Brands, one of the largest dental service organizations in the U.S., and Sahawneh Dental, one of Smile’s 700 affiliated dental offices, discovered around April 24, 2021 that they had been the victims of a ransomware attack that exposed to unauthorized access “certain systems” on which patients’ personal information was stored. In letters sent to patients in late September 2021, the defendants noted that “certain data appears to have been acquired by an unauthorized party” and that an investigation had been launched into the incident, the case relays.
According to the suit, the data breach notice sent by Smile Brands and Sahawneh Dental was “misleading and inadequate” in that it provided no information about the timing and completion of the companies’ investigation or the scope of the breach, and failed to explain why the defendants waited over five months to notify those affected.
“Defendants’ vague description of the Data Breach leaves Plaintiff and Class members at continuing risk,” the complaint alleges. “By failing to adequately inform Plaintiff and Class members of the details surrounding the breach Plaintiff and Class members are unable to adequately protect themselves against the imminent and continued risk of identity theft and other damages.”
Moreover, the case says the letters to California residents failed to identify their rights under the California Consumer Privacy Act, and instead referred victims to the California Office of Privacy Protection’s website for “additional information on protection against identity theft.”
The lawsuit goes on to argue that the defendants’ offer of a one-year subscription to an Experian identity theft protection program is “insufficient” given victims of the breach will remain at an increased risk of identity theft for years to come.
The case was initially filed in Orange County, California Superior Court before being removed to the state’s Central District Court on December 23, 2021.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Camp Lejeune residents may soon have the opportunity to claim compensation for harm suffered from contaminated water.