The gap from the disclosure of a data breach to the filing of a potential class-action lawsuit is often a matter of weeks (or less), although a lot of lawsuits are dismissed for lack of Article III standing (see a 2021 review of data breach litigation here).
In March, in-home respiratory care provider SuperCare Health notified the California Attorney General’s Office of a breach that occurred (and was first discovered) in July of 2021. By the end of March, we learned that SuperCare was notifying more than 318,000 patients of the incident. The types of protected health information stored in their system that might have been accessed without authorization included patients’ names, addresses, dates of birth, hospital or medical group, patient account number, medical record number, health insurance information, testing/diagnostic/treatment information, other health-related information, and claim information.
But what exactly happened? As DataBreaches reported previously, in SuperCare’s March 25 notice, SuperCare noted “As of the date of this letter, we have no reason to believe your information was published, shared, or misused as a result of this incident.”
But was patient information stolen? Was this a ransomware incident? It wasn’t clear from their notification.
On April 7, DataBreaches sent an email inquiry to SuperCare asking them:
Was the incident a *ransomware* incident? If yes, were files encrypted and was there a ransom demanded?
Was any ransom paid to the threat actor(s)?
Was any data *exfiltrated* (removed or copied and removed) from the system at all?
SuperCare did not reply at all, and so DataBreaches is still not clear on whether this was a ransomware incident and/or whether any data were exfiltrated.
Keeping the above in mind, consider the potential class-action lawsuit Jose Rascon reports about:
On Tuesday, plaintiff Vickey Angulo filed a suit against SuperCare Health in the Central District of California.
[…]
Other claims being presented by the plaintiff include that the defendant failed to offer or “provide affected individuals with adequate credit monitoring service or compensation for the damages they have suffered as a result of the breach.”
The plaintiff also argues that this information is still available to the public, which would make it possible for anyone to use such information for nefarious purposes.
Read more of Rascon’s reporting at Law Street Media.
The plaintiff is being represented by Milberg Coleman Bryson Phillips Grossman, PLLC. After looking at the complaint, DataBreaches emailed Alex Straus of the law firm to ask about the basis for certain allegations in the complaint. Specifically:
In Paragraph 7, the complaint alleges: “As a consequence of the Data Breach, Plaintiff’s and Class members’ Private Information has been released into the public domain….”
It has? Where are the data? DataBreaches has not found any evidence (yet) that data from SuperCare have been exfiltrated, dumped, or leaked at all, and no threat actor group with a leak site has claimed SuperCare Health as one of their victims. Then, too, as SuperCare’s notice stated on March 25, “As of the date of this letter, we have no reason to believe your information was published, shared, or misused as a result of this incident.” That statement permits the possibility that data was exfiltrated but not published, and it also permits the possibility that SuperCare Health will eventually discover something that changes their beliefs, but what is the current basis for Paragraph 7 of the complaint?
Second, Paragraph 42 of the complaint begins, “Moreover, the removal of PHI and other PII and PHI from Defendant’s system,”
Where has SuperCare stated that any data was actually exfiltrated? I cannot find any such disclosure and they never responded to DataBreaches’ inquiries on that point. So where is the plaintiff getting that allegation from? It may be the case that data were exfiltrated, but I don’t think there has been any public acknowledgment or evidence of that by this point.
The complaint’s allegations may turn out to be true if and when more information about this incident becomes available, but it does not seem to fit the facts as we currently know them.
DataBreaches will update this post if a response is received from the law firm. DataBreaches has also sent a second inquiry to SuperCare Health asking whether this was a ransomware incident and whether any data was actually exfiltrated.