DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Sunshine Behavioral Health Group Faces Class Action Under CCPA After Data Breach Affecting 3,500 Patients

Posted on March 13, 2020 by Dissent

Linn F. Freedman of Robinson & Cole LLP writes that Sunshine Behavioral Health Group is facing a potential class action lawsuit. The case is Fuentes v. Sunshine Behavioral Health Group LLC and it was filed this week in the Central District of California. The case is drawing some attention because it it one of the first suits to be filed under California’s new Consumer Privacy Act (CCPA). As Freedman explains, if the plaintiff can show he was injured and the injury was due to the defendant violating the law, the plaintiff might survive a motion to dismiss.

The plaintiff, Hector Fuentes, claims that since the data breach, which the complaint alleges began on March 1,  2017:

someone has attempted to fraudulently open a credit card in Mr. Fuentes’ name. Since the Data Breach, Mr. Fuentes has begun receiving magazine subscriptions in his name that he did not purchase and receiving invoices for those magazine subscriptions. Since learning of the Data Breach, Mr. Fuentes has become worried that he will become a victim of identity theft or other fraud which is causing him stress and anxiety. Since learning of the Data Breach, Mr. Fuentes has spent in excess of 10 hours of his own time trying to make sure he has not and does not become victimized because of the Data Breach.

So Fuentes is alleging damages, and claims that the damages were due to Sunshine not having adequate security in place, despite having been put on notice by federal law enforcement and HHS about the risk of hacks.  As Freedman notes, however, it is not clear from the complaint whether Fuentes provided 30 days notice to Sunshine to implement security measures before he filed suit seeking to require them to implement security measures.

But there also appear to be other problems with the plaintiff’s complaint.

As regular readers may recall, DataBreaches.net broke the story of the data leak after being tipped to it by a researcher. This site first notified Sunshine of their leak on September 4, 2019 and followed up when they did not take immediate action. The second phone call resulted in them taking some steps to protect the data. But when Sunshine did not disclose the breach by 60 days after this site notified them, DataBreaches.net went public about the leak and what this site found in the data. This site also reported the fact that in November, it notified Sunshine again after realizing that their files were still available for download without any login required if one had already noted the urls for the files during the initial leak. Given that Sunshine Behavioral Health deals with the treatment of alcohol and drug addiction, its patient population and patient records are very sensitive.

Was the exposed data exfiltrated, as the Fuentes’s complaint alleges? Certainly it must have been exfiltrated by at least one party, as this site had been provided a copy of the data by the whitehat researcher who had discovered the leak. But how many other entities accessed, viewed, and/or exfiltrated their data? Sunshine Behavioral Health did not respond to inquiries by DataBreaches.net until their external counsel got involved and contacted this site to inquire as to whether we would destroy any data and certify that we had destroyed it. It was only then that this site was able to get statements confirming that Sunshine Behavioral Health had reported the incident to HHS/OCR and to affected patients, but no other information was provided.

From a quick skim of the complaint, it appears that a lot of the complaint seems to be premised on treating this as a hacking case resulting from the defendant’s’s negligence, but this wasn’t a hacking case. Not to minimize the seriousness of  a leak of sensitive information, but this was a data leak or help yourself situation, and the risk of becoming a fraud victim or identity theft victim from a leak may not be the same as the risks of those outcomes from a hack situation.

The complaint also raises the issue that Sunshine’s notification to patients was not timely under either HIPAA or California’s Confidentiality of Medical Information Act (CMIA). And also of concern to the plaintiff, Sunshine allegedly did not offer those affected any fraud insurance or mitigation for those who might become fraud victims. According to the complaint, Sunshine (only) offered those affected 24 months of credit monitoring, which is not the same thing.

The complaint is confusing in that regard, because Sunshine’s notification on their website dated January 21 (well before the complaint was filed), includes this statement:

If we have confirmed that your personal information was affected by the incident, we are offering MyIDCare protection through ID Experts for 24 months at no cost.

MyIDCare does appear to include the kind of mitigation help the plaintiff is asking for– identity recovery and assistance and $1 million ID theft insurance.

Sunshine Behavioral Health was asked if they wished to comment on the litigation but did not respond at all by publication time.

 

 

Category: Breach IncidentsExposureHealth DataU.S.

Post navigation

← NC: Randleman Eye Center Discloses Malware Attack
Czech hospital hit by cyberattack while in the midst of a COVID-19 outbreak →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Akira doesn’t keep its promises to victims — SuspectFile
  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.