SuperCare Health, Inc. faces a proposed class action over its apparent failure to safeguard the personally identifiable and protected health information of more than 318,000 current and former patients during a data breach last summer.
The 28-page case says SuperCare, a post-acute, in-home respiratory care provider in the Western U.S., first noticed “unauthorized activity” on its systems on July 27, 2021. Per the suit, a subsequent forensic investigation revealed that an unknown party had access to certain systems on SuperCare’s network from July 23 to July 27, 2021.
Although the incident took place last summer, SuperCare did not report the data breach to the U.S. Health and Human Services Office for Civil Rights until March 28, 2022, nearly eight months after it supposedly became aware of the hack, the lawsuit states. The case says that when SuperCare finally notified consumers, it failed to explain why it did not prevent the hack for four days, why it did not immediately notify those who might be affected or why its internal investigation took nearly six months to complete.
Moreover, SuperCare, despite claiming that it implemented additional security measures to protect its digital environment in the wake of the hack, has failed to detail how its previous systems were vulnerable enough to allow the breach to occur, the lawsuit says.
According to the complaint, the personal data potentially compromised in the SuperCare data breach includes current and former patient names; addresses; dates of birth; hospital or medical groups; patient account and medical record numbers; health insurance details; testing, diagnostic and treatment information, and other health-related specifics. SuperCare also reported that a “small subset” of individuals had their Social Security and/or driver’s license numbers exposed in the breach, the case relays.
“As a result of Defendant’s failure to provide reasonable and adequate data security, Plaintiff’s and Class Members’ [personally identifiable information] and [personal health information] have been exposed to those who should not have access to it,” the filing reads. “As a result, Plaintiff and putative class members are now at much higher risk of identity theft and for cybercrimes, especially considering the highly valuable, sensitive, and sought-after [personally identifiable information] and [protected health information] stolen here.”
The suit alleges SuperCare’s systems were inadequate to detect and prevent the unauthorized activity that led to the data breach, as the compromised information “was not stored in an encrypted manner as required by reasonable standards.”
Further, the complaint contends that the up to 12 months of free credit monitoring offered by SuperCare in the wake of the incident is not only insufficient in light of the lifelong threat of identity theft that victims now face, but it completely fails to remedy the exposure of current and former patients’ information.
The lawsuit aims to cover all individuals nationwide whose personally identifiable information or protected health information was actually or potentially compromised during the SuperCare data breach referenced in the notice sent by the company on or around March 25, 2022.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Camp Lejeune residents may soon have the opportunity to claim compensation for harm suffered from contaminated water.