HIPAA itself does not contain a private right of action for individuals following unauthorized disclosures of medical information. Yet, HIPAA does not prohibit individuals from seeking remedies through state or other law. Each U.S. state’s tort law system can potentially allow individuals to pursue reparations when they are harmed by a data breach. With the rise of data breaches, private citizens (read – plaintiffs’ attorneys) are increasingly seeking to take legal action through state laws, leading to an ever-growing number of class action lawsuits around the country.
In California, for example, there are laws that specifically protect personal information – the California Consumer Privacy Act (CCPA) and the California Customer Records Act (CCRA). If personal information is left unencrypted and a breach occurs because a business didn’t fulfill its duty to maintain reasonable security, affected California residents can sue to protect their rights under CCPA and CCRA. State laws like these have allowed for the recent class action suit brought against Partnership HealthPlan of California (PHC).
On May 5th, 2022, a class action lawsuit was filed in Humboldt County Superior Court by a member of PHC claiming that the healthcare provider did not protect the patient data of up to 850,000 individuals, or notify all impacted individuals of the breach. The complaint alleges that on March 29th, the Hive ransomware group posted a message declaring the group had exfiltrated sensitive data (names, birth dates, addresses, and Social Security numbers) of 850,000 patients by encrypting PHC’s system.
The lawsuit accuses PHC of neglecting to guard its patients’ medical information, alleging that PHC was aware of the surge of cyberattacks and breaches in the healthcare industry. Further, the complaint notes that PHC was aware of government reports warning the healthcare industry about the threat of Hive ransomware attacks as early as July 2021.
The lawsuit also alleges that PHC has not given notice to the 850,000 or so individuals whose sensitive information has been compromised (as required by HIPAA and California law). Allegedly, the only communication from PHC was a message posted on its website, in March 2022, noting that it was working with third-party forensic specialists to restore its website and systems.
Covered entities and business associates are increasingly being threatened by class action lawsuits that pose considerable financial risks. The Health Law Partners has significant experience assisting regulated entities with their HIPAA compliance, responding to data breaches, and defending against claims by patients alleging harm.
Contact Clinton Mikel, Esq. (firstname.lastname@example.org; (248) 996-8510) or your current Health Law Partners attorney, for additional information or assistance.