DataBreaches.Net

SuperCare Health Sued After Data Breach

Posted on April 14, 2022 by Dissent

The gap from the disclosure of a data breach to the filing of a potential class-action lawsuit is often a matter of weeks (or less), although a lot of lawsuits are dismissed for lack of Article III standing (see a 2021 review of data breach litigation here).

In March, in-home respiratory care provider SuperCare Health notified the California Attorney General’s Office of a breach that occurred (and was first discovered) in July of 2021. By the end of March, we learned that SuperCare was notifying more than 318,000 patients of the incident. The types of protected health information stored in their system that might have been accessed without authorization included patients’ names, address, date of birth, hospital or medical group, patient account number, medical record number, health insurance information, testing/diagnostic/treatment information, other health-related information, and claim information.

But what exactly happened? As DataBreaches reported previously, in SuperCare’s March 25 notice, SuperCare noted “As of the date of this letter, we have no reason to believe your information was published, shared, or misused as a result of this incident.”

But was patient information stolen? Was this a ransomware incident? It wasn’t clear from their notification.

On April 7, DataBreaches sent an email inquiry to SuperCare asking them:

Was the incident a *ransomware* incident? If yes, were files encrypted and was there a ransom demanded?

Was any ransom paid to the threat actor(s)?

Was any data *exfiltrated* (removed or copied and removed) from the system at all?

SuperCare did not reply at all, and so DataBreaches is still not clear on whether this was a ransomware incident and/or whether any data were exfiltrated.

Keeping the above in mind, consider the potential class-action lawsuit Jose Rascon reports about:

On Tuesday, plaintiff Vickey Angulo filed a suit against SuperCare Health in the Central District of California.

[…]

Other claims being presented by the plaintiff include that the defendant failed to offer or “provide affected individuals with adequate credit monitoring service or compensation for the damages they have suffered as a result of the breach.”

The plaintiff also argues that this information is still available to the public which would make it possible for anyone to use such information for nefarious purposes.

Read more of Rascon’s reporting at Law Street Media.

The plaintiff is being represented by Milberg Coleman Bryson Phillips Grossman, PLLC. After looking at the complaint, DataBreaches emailed Alex Straus of the law firm to ask them the basis for certain allegations in the complaint. Specifically:

In Paragraph 7, the complaint alleges: “As a consequence of the Data Breach, Plaintiff’s and Class members’ Private Information has been released into the public domain…..”

It has? Where are the data? DataBreaches has not found any evidence (yet) that data from SuperCare have been exfiltrated, dumped, or leaked at all, and no threat actor group with a leak site has claimed SuperCare Health as one of their victims. Then, too, as SuperCare’s notice stated on March 25, “As of the date of this letter, we have no reason to believe your information was published, shared, or misused as a result of this incident.” That statement permits the possibility that data was exfiltrated but not published, and it also permits the possibility that SuperCare Health will eventually discover something that changes their beliefs, but what is the current basis for Paragraph 7 of the complaint?

Second, Paragraph 42 of the complaint begins, “Moreover, the removal of PHI and other PII and PHI from Defendant’s system, ”

Where has SuperCare stated that any data was actually exfiltrated? I cannot find any such disclosure and they never responded to DataBreaches’ inquiries on that point. So where is the plaintiff getting that allegation from? It may be the case that data were exfiltrated, but I don’t think there has been any public acknowledgment or evidence of that by this point.

The complaint’s allegations may turn out to be true if and when more information about this incident becomes available, but they do not seem to fit the facts as we currently know them.

DataBreaches will update this post if a response is received from the law firm. DataBreaches has also sent a second inquiry to SuperCare Health asking whether this was a ransomware incident and whether any data was actually exfiltrated.

 

Category: Breach Incidents, Commentaries and Analyses, Hack, Health Data, U.S.
