Lawsuit Filed Against SuperCare in Breach Affecting 318,000

Proposed Class Action Litigation Follows a Familiar Trend, Experts Say
A proposed class action lawsuit filed this week in a California federal court alleges, among other claims, that in-home respiratory care provider SuperCare Health Inc. was negligent in failing to protect sensitive health information from a 2021 hacking incident affecting more than 300,000 patients.
The lawsuit complaint was filed on Tuesday by Vickey Angulo, a resident of California and a SuperCare patient, on behalf of herself and others similarly situated.
The litigation against SuperCare follows a widening trend in class action lawsuits quickly being filed in the wake of major health data breaches, some experts say.
For instance, a recent study by law firm BakerHostetler found that among the security incidents across all sectors that the firm examined in 2021, 23 incidents resulted in 58 lawsuits being filed, with many duplicative lawsuits involving the same incidents.
Of those 58 lawsuits, 43 lawsuits were filed against healthcare organizations, the law firm's 2022 "Digital Assets and Data Management - Resilience and Perseverance" report says.
"We are witnessing the 21st-century equivalent of ambulance chasing as litigators race to the courthouse to be the first to file a class action lawsuit when a company sends out breach notification letters to individuals that may have been affected," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC, who is not involved in the SuperCare case.
Downey, California-based SuperCare on March 28 reported to the U.S. Department of Health and Human Services a hacking/IT incident involving a network server affecting nearly 318,400 individuals, according to the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals (see: Big Hacks: 5 Health Data Breaches Affect 1.2 Million).
In a breach notification statement posted on its website, SuperCare says it discovered unauthorized activity on its systems on July 27, 2021.
In response, SuperCare says it immediately began containment, mitigation and restoration efforts to terminate the activity and to secure its network, systems and data.
The forensic investigation revealed that an unknown party had access to certain systems on its network from July 23 through July 27, 2021, the statement says. On Feb. 4, 2022, SuperCare determined that the potentially affected files contained some information relating to certain patients. In some cases, that information included Social Security numbers, SuperCare says.
The company does not say in its breach statement the type of hacking incident that occurred.
SuperCare did not immediately respond to Information Security Media Group's request for additional information about the incident and for comment about the lawsuit.
The lawsuit complaint also alleges that SuperCare's breach notification statement provides "scant detail" about the nature, severity or duration of the attack. "Even worse, SuperCare Health did not inform their patients of the data breach until over six months after the data breach occurred," the complaint alleges.
"Defendant owed a duty of care to safeguard the personally identifiable information and protected health information of Plaintiff and Class members in its custody," it says.
"This duty of care arises because Defendant knew of a foreseeable risk to the data security systems it used. Defendant knew of this foreseeable risk because of the explosion of ransomware and data breach incidents … Despite its knowledge of this foreseeable risk, Defendant failed to implement reasonable security measures," the complaint alleges.
The lawsuit alleges, among other claims, that SuperCare "was negligent, by failing to use reasonable measures to protect the Class members’ PHI and PII." The lawsuit also alleges that SuperCare failed to follow security guidelines and standards, including those of the National Institute of Standards and Technology, the Federal Trade Commission, and HIPAA, as well as violating various California laws.
The plaintiff alleges she suffered "actual injury from having her private information compromised as a result of the data breach including, but not limited to damage to and diminution in the value of her private information … violation of her privacy rights; and present, imminent and impending injury arising from the increased risk of identity theft and fraud."
Other class members' claims are similar, "because plaintiff’s PHI, like that of every other class member, was compromised by the data breach," the lawsuit alleges.
Among other relief, the lawsuit seeks an award of damages, lifetime credit monitoring services for the plaintiff and the class members, and an order compelling SuperCare "to utilize appropriate methods and policies with respect to consumer data collection, storage, and safety, and to disclose with specificity the type of PII and PHI compromised during the breach."
The complaint filed in the SuperCare lawsuit does not allege that the plaintiff suffered certain actual damages, such as documented financial or reputational harm, Holtzman says.
"The Supreme Court's June 2021 decision in TransUnion LLC v. Ramirez suggested that exposure to the risk of future harm, like that claimed by the plaintiff in SuperCare, would not allow a lawsuit claiming retrospective damages to move forward," he says.
While many class action lawsuits involving data breaches get dismissed due to a lack of documented injury to plaintiffs and class members, some experts say the general trend in litigation against organizations experiencing data compromises could incentivize some entities to improve their security posture.
"The cost and risks associated with private lawsuits rooted in health information breaches may be more effective than HHS OCR enforcement action in alerting covered entities to the urgency of HIPAA compliance," says regulatory attorney Paul Hales of the Hales Law Group, who is not involved in the SuperCare litigation.
SuperCare did not disclose in its breach notification whether its data breach involved ransomware. But the BakerHostetler report highlights ways in which the surge in ransomware attacks has been especially challenging for many healthcare sector entities.
Factors contributing to the difficulties include ransomware attacks resulting in potential "life or death" disruption involving patient care, as well as compliance with stringent HIPAA breach notification requirements, which often involves notifying a very broad base of potentially affected individuals.
"Lack of forensic evidence can lead to notification to entire patient populations," the report says.
Also, ransomware attacks on healthcare providers can potentially jeopardize Medicare payments by HHS' Centers for Medicare and Medicaid Services to healthcare entities, the report says.
"In a striking departure from years past, in 2021, the CMS began issuing blanket denials to Extraordinary Circumstances Exceptions requests made by healthcare providers seeking extensions for CMS filing deadlines due to ransomware attacks that limited access to their systems and data," according to the report.
The reason cited by CMS for these denials? "The providers 'could have feasibly received information describing how to prevent the occurrence of the cyberattack and did not address the risks in a complete and timely fashion,'" the report says.
"This new trend emphasizes the need for healthcare providers to quickly identify important, upcoming regulatory filing deadlines if there is a concern that a data security incident will prevent them from accessing the required information for the filing," it adds.
BakerHostetler did not immediately respond to ISMG's request for additional comment about its report.