Some of the 318,379 patients whose health data was accessed during a July 2021 hack of SuperCare filed two separate lawsuits, claiming inadequate security led to the exposure in possible violation of Federal Trade Commission and Health Insurance Portability and Accountability Act regulations.
As previously reported, SuperCare recently notified certain patients of a four-day hack of its systems, discovered on July 27 and contained within four days of discovery. But the investigation determined the attacker accessed certain systems containing patient files during the dwell time.
The March 25 notice shows SuperCare’s investigation concluded on Feb. 4 that patient files were involved in the compromised data.
The exposed data varied by patient but could include contact details, dates of birth, patient and/or medical account numbers, hospital or medical groups, health insurance details, testing, diagnostics, treatments, and claims data, among other health information. Social Security numbers and driver’s licenses were involved for a small subset of patients.
The lengthy investigation and notice wording could explain why the notices were sent long after the hack was discovered, but the issue is a key component of both lawsuits. Both argue SuperCare failed to provide breach victims with adequate notice.
Filed separately in the Clark County, Nevada, District Court and U.S. District Court of Central California, the lawsuits claim the breach was a “direct result” of SuperCare’s “failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect” patient data.
“Despite professing to take the privacy and security of its patients’ confidential and health information seriously, [SuperCare] has not offered to provide affected individuals with adequate credit monitoring service or compensation for the damages they have suffered as a result of the breach,” according to the California suit.
Specifically, the provider is accused of violating the FTC Act, as it failed to maintain reasonable and appropriate security for consumers’ personal information, or an “unfair practice.” The lawsuits also outline several alleged HIPAA violations, which include failing to timely notify, failing to “protect against reasonably anticipated threats,” and failing to comply with the rule.
“SuperCare’s notice… was not just untimely but woefully deficient, failing to provide basic details, including but not limited to, how unauthorized parties accessed its networks, whether the information was encrypted…, how it learned of the data breach, whether [it] occurred system-wide, and whether servers storing information were accessed.”
The lawsuit claims the provider did not comply with its own security policies and failed to comply with industry standards “or even implement rudimentary security practices,” which led to patients’ data being “substantially less safe than had it been entrusted with similar companies.”
SuperCare’s “wrongful actions and/or inaction constitute common law negligence, invasion of privacy by the public disclosure of private facts, breach of contract, and breach of implied contract,” the Nevada lawsuit argues.
The breach victims are seeking actual, economic, emotional distress, statutory, nominal, and/or exemplary damages, as well as injunctive relief and litigation fees.
The lawsuit joins the near-weekly healthcare breach-related filings, confirming BakerHostetler research that showed healthcare breach lawsuits have exponentially increased in the last year.