DataBreaches.Net


Sea Mar Community Health Centers Hit with Class Action Suits Over 2021 Data Breach

Posted on February 19, 2022 by Dissent

Kendal Enz reports:

Sea Mar Community Health Centers is facing numerous class action complaints for alleged inadequate cyber security procedures that resulted in a data breach of more than 650,000 class members’ sensitive information. The complaints, which were filed in November 2021 in King County Superior Court, were removed to Washington’s Western District Court this week.

The Washington healthcare provider was hacked by the infamous Marketo gang sometime between December 2020 and March 2021, and had 3 terabytes of patients’ sensitive information stolen, including names, addresses, birth dates, Social Security numbers and protected health information, according to one complaint.

Read more at Law Street.

DataBreaches.net first reached out to Sea Mar in June 2021, after seeing data posted on the Marketo leak site with a claim that they had 3 TB of data from Sea Mar. This site first reported on this breach in October 2021, having waited until Sea Mar first publicly acknowledged the breach. As made clear in that reporting, Sea Mar was contacted about the breach numerous times by this site in June and July of 2021, and Sea Mar even acknowledged in October that they had been contacted on the exact date in June that this site had first emailed them.

This site does not know when or how many times Marketo may have attempted to contact them — or whether any bad actors prior to Marketo had contacted them to attempt to extort them.  If the data was exfiltrated between December of 2020 and March of 2021, it is hard to believe that no threat actor contacted them prior to June 2021 when the data showed up on Marketo. To the contrary, data generally does not show up on any leak site until after threat actors have tried and failed to extort a victim.

In January 2022, things appeared to get even worse for patients of Sea Mar when another group of threat actors called “Snatch Team” posted a listing from an unnamed “private company.” That listing made 22 TB of data publicly and freely available. Inspection of the data suggested that it was from Sea Mar, as Sea Mar’s name appeared frequently throughout the records.

Once again, DataBreaches.net reached out to Sea Mar to seek confirmation or denial. Once again, Sea Mar did not reply.

Getting no answer from Sea Mar, DataBreaches.net reached out to “Snatch Team” to ask them if the data were from Sea Mar. A spokesperson responded, “There is no Sea Mar company among our clients. All of this is private information and we cannot assert it belongs to this company.”  It is not clear what that really means, though, as it might simply mean that some other threat actors gave them the data on consignment to try to sell and Snatch had no dealings with the original source.

Unlike the summer of 2021 when DataBreaches.net delayed publication to await confirmation from Sea Mar, DataBreaches.net did not delay publication this time, believing that if the data were/are from Sea Mar, then patients should be alerted to their now increased risk. DataBreaches.net’s attempts to validate the data and source are described in more detail in the January post.

DataBreaches.net is not the only entity that inspected the leaked data and believed it to be linked to Sea Mar. A senior intel analyst for a health insurance plan whose members’ data appeared in the leaked data contacted Sea Mar to ask them if the data were Sea Mar’s and if other Sea Mar patients who were insured by them now needed to be notified. After being told Sea Mar would call them back on that, they never got a callback.

To this site’s knowledge, Sea Mar has not sent out any updated notifications or press releases to alert patients that a lot of protected health information is now freely available on the internet. Visitors to their website will not find any mention of any data breach or any data breach update linked from their home page. Sea Mar’s original notification statement is still available on their website if you know where to look (https://www.seamar.org/seamar-downloads/2021-10-28-Breach_Notice.pdf).

As to the complaint and lawsuits:  although the complaint talks about data showing up on “the dark web,”  data have already shown up on two clear net sites — the clear net versions of Marketo and Snatch Team (assuming, for now, that the data on Snatch Team *are* from Sea Mar). So even more people can freely help themselves to patient data. Lawsuits reference “the dark web” as if somehow that makes things worse. When data are freely shared on clear net sites, even more people can discover the data and download it for potential misuse.

The case described in the Law Street article is Hall v. Sea Mar Community Health Centers, 2:22-cv-00184.


Category: Commentaries and Analyses, Hack, Health Data, U.S.
