A lawsuit has been filed against the in-home respiratory care provider, SuperCare Health, as a result of a cyberattack and data security breach report submitted to the Department of Health and Human Services on March 28, 2022. The incident involved the exposure and possible theft of the protected health information (PHI) of 318,400 patients, comprising names, birth dates, addresses, medical record numbers, patient account numbers, testing, diagnostic, and treatment information, health insurance details, and claims data. Some of the individuals additionally had their driver’s license numbers, and/or Social Security numbers exposed.
SuperCare Health stated unauthorized people got access to its network from July 23, 2021 to July 27, 2021, yet did not reveal the nature of the cyberattack. SuperCare Health was only able to determine on February 4, 2022 that the files possibly accessed in the attack included patients’ sensitive data. It sent notification letters on March 25, 2022, and based on the notice presented to the California Attorney General, the affected individuals were given credit monitoring and identity theft protection services.
Lawsuits filed over healthcare data breaches is becoming more common. Based on a newly published report by the law agency BakerHostetler, lawsuits are frequently now filed relating to somewhat small healthcare data breaches and it is typical to file multiple legal cases. In 2021, the law company was involved in 23 incidents, and 58 lawsuits were submitted with regard to those breaches. 43 of the legal cases were sent in concerning healthcare data breaches, and 11 of the lawsuits were submitted for breaches that affected fewer than 700,000 persons.
The SuperCare Health legal action was submitted to the United States District Court for the Central District of California on April 12, 2022, two weeks following the issuance of breach notification letters to patients. The lawsuit, Vickey Angulo v. SuperCare Health, claims SuperCare Health failed to implement enough and reasonable cybersecurity measures and protocols to secure the personal data and protected health information of the plaintiff and members of the class, in spite of a known risk of cyberattacks and information breaches at healthcare providers, which are at a record high. The legal action likewise states SuperCare Health didn’t keep to the security rules and standards of the Federal Trade Commission, Health Insurance Portability and Accountability Act (HIPAA), National Institute of Standards and Technology, and did not follow state legislation.
The lawsuit alleges SuperCare Health simply presented scant information to victims regarding the nature of the attack and data breach and failed to notify patients concerning the data breach for more than 6 months subsequent to its detection. The plaintiff explained she received notification that unauthorized people viewed her data, which comprised her electronic medical records, however, was not provided sufficient credit monitoring and identity theft protection services or proper payment for the injury caused.
The plaintiff states she has endured an actual injury due to the data breach, such as damage to and diminution of the significance of her private details, and a sizeable and present, impending injury from the increased threat of identity theft and fraud, and states that her personal data and PHI remains available to the general public, which would enable anybody to utilize the information for nefarious purposes.
The lawsuit seeks class-action certification, a jury trial, payment of damages, compensation of out-of-pocket expenses, and a lifetime of credit monitoring services, and for SuperCare Health to improve its security systems and submit to upcoming annual security reviews.