  • April M Strauss

CLASS ACTION LAWSUIT ALLEGES PHC DISCLOSED DATA OF UP TO 850,000 ENROLLEES IN A RANSOMWARE ATTACK

Updated: May 8


Partial Caption Page of Complaint John Doe v Partnership HealthPlan of California

On May 5, 2022, a member of PARTNERSHIP HEALTHPLAN OF CALIFORNIA (“PHC”), a healthcare coverage provider based in Northern California, filed a class action lawsuit in Humboldt County Superior Court challenging PHC’s failure to adequately store and protect sensitive medical information of up to 850,000 enrollees and its failure to give notice of the breach to all impacted enrollees. When compared to the data reported by HHS Office of Civil Rights for the last 24 months, this would be the second-largest health plan data breach in the United States during that time.


According to the Complaint, on March 29, 2022, the Hive ransomware group posted a message on its HiveLeaks site declaring the group had been able to access the personal private information of up to 850,000 patients of PHC on or about March 19, 2022. This data included at least the names, addresses and Social Security Numbers of PHC’s patients.


A copy of the filed Complaint can be found here.


The FBI and U.S. Dept. of Health and Human Services issued warnings about the Hive ransomware group and its targeting of healthcare organizations on July 30, 2021, August 25, 2021, October 21, 2021, and April 18, 2022. The FBI issued a Flash Alert about the group on August 25, 2021.


The Complaint further alleges that PHC, to date, has failed to provide notice of this breach to consumers, or even to acknowledge that this massive data breach occurred. While PHC’s website was taken offline following the breach, its replacement message did not tell patients that there had been a breach or a ransomware attack involving patient data.


According to the Complaint, on April 15, 2022, the PHC website was back online and included a notice that website functionality was restored. The only hint of the breach to consumers on that page was the statement: “The safe restoration of systems follows the detection of anomalous activity within areas of the organization’s network.”


The Complaint alleges violations of the Information Practices Act of 1977, the Confidentiality of Medical Information Act, Article I, Section 1 of the California Constitution (Invasion of Privacy), California Business and Professions Code § 17200 et seq. (Unfair and Unlawful Business Practices), and Declaratory Relief.

If you are a patient of PARTNERSHIP HEALTHPLAN OF CALIFORNIA and are concerned about this breach of your personal data and what your options are, please fill out the form found here.