Two healthcare business associates and one covered entity are facing multiple class-action lawsuits, centered around the theft of patient data and alleged security failings. QRS, TTEC, and Sea Mar Community Health Centers were hit with separate lawsuits in the last week.
Each of the lawsuits make claims of inadequate security policies as the prime cause of the reported incidents. As healthcare data breach lawsuits become increasingly commonplace, covered entities should review current privacy and security policies and procedures.
Sea Mar Community Health facing multiple lawsuits
Multiple class-action breach lawsuits have been filed against Sea Mar Community Health following a breach notice to 688,000 patients, issued more than five months after the provider discovered a near-yearlong hack of its systems. Sea Mar is a nonprofit entity serving underserved patients in Washington.
Patients were informed in November 2021 that their data was accessed, exfiltrated, and leaked on the dark web. The hack began nearly a year earlier in December 2020, but wasn’t discovered until June 2020. At that time, Sea Mar was notified that some data was copied from its digital environment by a threat actor.
A subsequent forensic analysis confirmed that the data was exfiltrated from the impacted systems between December 2020 and March 2021. The stolen patient information varied by patient and included Social Security numbers, client identification numbers, treatments, dates of birth, insurance information, claims data, and dental images.
Patient notices were sent on Oct. 29, 10 months after the initial hack. The notice does not explain the additional 120 days taken to send patient notices after identifying contact details.
Filed in the Superior Court of King County, Washington, one of the lawsuits filed against Sea Mar takes issue with the provider’s alleged failure to provide timely notice.
The lawsuit also claims that the hacking incident was only detected by Sea Mar, after the threat actors directly contacted the provider about the data theft. The initial breach notice does not include that information.
Further, the suit argues the hack was caused by a “failure to implement adequate and reasonable cybersecurity procedures and protocols necessary to protect” the impacted data.
Sea Mar “and its employees failed to properly monitor the computer network and systems that housed the private Information. Had [Sea Mar] properly monitored its property, it would have discovered the intrusion sooner, as opposed to letting cyberthieves roam freely in [their] IT network for four months,” according to the lawsuit.
Specifically, the breach victims claim Sea Mar failed to meet the minimum standards of NIST and Center for Internet Security’s Critical Security Control frameworks. Sea Mar is also accused of not effectively training workforce members on its security measures.
The victims’ claims of harm are directly tied to diminished value of their data, lost time, increased likelihood of fraud or identity theft, and “lost opportunity costs.” Many of these claims are similar to the breach lawsuit against Practicefirst. A judge recently moved to dismiss the suit as the victims failed to establish “actual harm”, as required by a June Supreme Court decision.
The lawsuit is seeking compensatory and nominal damages, as well as reimbursement for out-of-pocket recovery costs. The suit also seeks improvements to Sea Mar’s security and requirements for annual audits and adequate credit monitoring services.
Some of the 86,305 patients affected by a ransomware attack, hacking incident, and data exfiltration reported by TTEC Healthcare Solutions on Jan. 7. The ransomware incident and service disruptions were first disclosed in September 2021, later confirmed as an exfiltration incident. TTEC is a customer support and online sales management vendor.
The cyberattack was first discovered on a number of systems on Sept. 12 and quickly isolated by the security team. The initial attack caused disruptions for several customers over the course of five days. The attack forced TTEC to rebuild and strengthen its infrastructure and processes.
A TTEC client posted its own notice about the incident that revealed further insights, including that the attacker viewed or downloaded some client files stored in TTEC systems. The potentially stolen information included names, Social Security numbers, contact details, dates of birth, and Medicare ID numbers.
Filed earlier this month in the US District Court of Arizona, the lawsuit argues TTEC failed to provide timely and adequate notice that the breach occurred and that their personal information was lost, possibly in the possession of threat actors. The breach victims claim the data was stolen due to the vendor’s “negligent or careless acts, omissions,” and inadequate security.
Further, the incident could have been prevented if the impacted files and servers were properly secured and encrypted. The lawsuit also calls out TTEC’s data retention policies, alleging the company keeps employee and patient information even after the relationships end. The victims argue that the TTEC should “have destroyed the data, especially data from former employees.”
Much like the Sea Mar lawsuit, the lawsuit’s evidence of harm is tied to the recovery efforts and the likelihood of identity theft or other fraudulent activities.
New lawsuit filed against QRS
QRS is facing another class-action lawsuit tied to a November 2021 systems hack and data theft impacting 319,778 patients. A fresh lawsuit filed against the technology services vendor and its client Psych Care Consultants (PCC) claims that the companies’ inadequate security led to the theft and dark web leak of mental health data.
QRS hosts the electronic patient portal for healthcare provider clients and provides related services. The third-party vendor was similarly sued on Jan. 3.
The lawsuits stem from a November notice that revealed a cyberattack led to the possible access or theft of protected health information. The hack was first discovered in August, where a threat actor exploited a single patient portal server to acquire the data.
A forensic review confirmed the hack occurred over three days between Aug. 23 and Aug. 26, allowing the hacker to access and possibly steal files belonging to QRS clients. No other QRS systems or client systems were compromised by the attacker. The data included Social Security numbers, patient ID numbers, dates of birth, treatments, diagnosis, and user credentials.
The latest lawsuit against QRS and its client again asserts the data theft would not have occurred if not for the vendor’s alleged security failings. The breach victims also note that the stolen data was posted on the dark web, after a ransomware group claimed the hack.
The victims claim that the breach could have been prevented if the entities limited the amount of patient information shared between them and employed “reasonable measures” to ensure business associates implemented basic, adequate security protocols to secure patient data.
During the hacking incident, the entities “maintained their medical record systems in a condition vulnerable to unknown, unsupervised, and unauthorized access by people with neither the required right of nor the need to access those records.”
“The mechanisms of the unauthorized disclosures of [patient data] were known risks to PCC and QRS, and, thus, PCC and QRS were on notice that failing to take steps necessary to secure their medical record systems from those risks left that property in a dangerous condition,” according to the suit.
The entities are also accused of failing to properly monitor their vendors’ systems. If effective monitoring had been in place, the suit claims PCC would have prevented the hack or found the attacker sooner.
QRS and PCC “failed in their basic, legally bound, and expressly-promised obligation to secure and safeguard PCC’s patients’ protected health information,” according to the lawsuit. As a result of those failures, patients’ “sensitive medical and psychiatric information has been exposed and have suffered a loss of value of their PHI.”
The breach victims also argue they’ve been exposed to and are at imminent, significant risk of identity theft, financial fraud, and other identity-related fraud into the foreseeable future. Among compensatory damages, the breach victims are seeking injunctive relief that includes requirements for PCC and QRS to bolster their security programs and perform annual audits.