DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Sea Mar Community Health Centers Hit with Class Action Suits Over 2021 Data Breach

Posted on February 19, 2022 by Dissent

Kendal Enz reports:

Sea Mar Community Health Centers is facing numerous class action complaints for alleged inadequate cyber security procedures that resulted in a data breach of more than 650,000 class members’ sensitive information. The complaints, which were filed in November 2021 in King County Superior Court, were removed to Washington’s Western District Court this week.

The Washington healthcare provider was hacked by the infamous Marketo gang sometime between December 2020 and March 2021, and had 3 terabytes of patient’s sensitive information stolen, including names, addresses, birth dates, Social Security numbers and protected health information, according to one complaint.

Read more at Law Street.

DataBreaches.net first reached out to Sea Mar in June 2021, after seeing data posted on the Marketo leak site with a claim that they had 3 TB of data from Sea Mar. This site first reported on this breach in October 2021 having waited until Sea Mar first publicly acknowledged the breach. As made clear in that reporting, Sea Mar was contacted about the breach numerous times by this site in June and July of 2021 and Sea Mar even acknowledged in October that they had been contacted on the exact date in June that this site had first emailed them.

This site does not know when or how many times Marketo may have attempted to contact them — or whether any bad actors prior to Marketo had contacted them to attempt to extort them.  If the data was exfiltrated between December of 2020 and March of 2021, it is hard to believe that no threat actor contacted them prior to June 2021 when the data showed up on Marketo. To the contrary, data generally does not show up on any leak site until after threat actors have tried and failed to extort a victim.

In January 2022, things appeared to get even worse for patients of Sea Mar when another group of threat actors called “Snatch Team” posted a listing from an unnamed “private company.” That listing made 22 TB of data publicly and freely available. Inspection of the data suggested that it was from Sea Mar, as Sea Mar’s name appeared frequently throughout the records.

Once again, DataBreaches.net reached out to Sea Mar to seek confirmation or denial. Once again, Sea Mar did not reply.

Getting no answer from Sea Mar, DataBreaches.net reached out to “Snatch Team” to ask them if the data were from Sea Mar. A spokesperson responded, “There is no Sea Mar company among our clients. All of this is private information and we cannot assert it belongs to this company.”  It is not clear what that really means, though, as it might simply mean that some other threat actors gave them the data on consignment to try to sell and Snatch had no dealings with the original source.

Unlike the summer of 2021 when DataBreaches.net delayed publication to await confirmation from Sea Mar, DataBreaches.net did not delay publication this time,  believing that if the data were/are from Sea Mar, then patients should be alerted to their now increased risk. DataBreaches.net’s attempts to validate the data and source are described in more detail in the January post.

DataBreaches.net is not the only entity that inspected the leaked data and believed it to be linked to Sea Mar. A senior intel analyst for a health insurance plan whose members’ data appeared in the leaked data contacted Sea Mar to ask them if the data were Sea Mar’s and if other Sea Mar patients who were insured by them now needed to be notified. After being told Sea Mar would call them back on that, they never got a callback.

To this site’s knowledge, Sea Mar has not sent out any updated notifications or press releases to alert patients that a lot of protected health information is now freely available on the internet. Visitors to their website will not find any mention of any data breach or any data breach update linked from their home page.  Sea Mar’s original notification statement is still available on their website if you know where to look (https://www.seamar.org/seamar-downloads/2021-10-28-Breach_Notice.pdf)

As to the complaint and lawsuits:  although the complaint talks about data showing up on “the dark web,”  data have already shown up on two clear net sites — the clear net versions of Marketo and Snatch Team (assuming, for now, that the data on Snatch Team *are* from Sea Mar). So even more people can freely help themselves to patient data. Lawsuits reference “the dark web” as if somehow that makes things worse. When data are freely shared on clear net sites, even more people can discover the data and download it for potential misuse.

The case described in the Law Street article is Hall v. Sea Mar Community Health Centers, 2:22-cv-00184

 

Related posts:

  • Would Sea Mar Community Health even know about large patient data dumps if not for DataBreaches.net?
  • A data breach that put 688,000 patients at risk just became … even worse
  • WA: Sea Mar Community Health Centers discloses breach that began last year
  • Yet more data from the Sea Mar Community Health Center data breach appears on the internet
Category: Commentaries and AnalysesHackHealth DataU.S.

Post navigation

← Only 3% of consumers freeze credit after data breach
NC: Charlotte Radiology notifies patients of December security incident →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach
  • Hackers breach Norwegian dam, open valve at full capacity

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.