DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Class action ping pong: Dismissal of lawsuit against Chelan Douglas Health District reversed; case goes back to Superior Court

Posted on November 3, 2024November 3, 2024 by Dissent

In July 2021, Chelan Douglas Health District in Washington experienced a data breach. They disclosed the breach to the public in March 2022, surprisingly patting themselves on the back for completing their investigation in 6-7 months.

A number of media reports indicate that the breach reportedly affected almost 109,000 patients, but the breach was reported to HHS on March 15, 2022 as affecting the protected health information (PHI) of 188,236 patients. The types of PHI included Social Security numbers, dates of birth/death, financial account information, medical information (treatment/diagnosis information, medical record or patient number, and/or health insurance policy information.

A potential class action lawsuit was filed in Chelan County Superior Court by Sarah Nunley and Michelle Slater. They claimed that they received a large number of spam phone calls and emails, and Nunley further claimed her personal data was used to file for an unauthorized business license and that her social security number appeared on the dark web.

Their case was dismissed in February 2023 when Chelan County Superior Court Judge Kristin Ferrera held that they had shown no evidence of harm.

This past week, the dismissal was reversed by the State Court of Appeals. As KPQ reported, the three-judge panel stated that the Health District had a responsibility to protect the personal information it stored, and the plaintiffs have a right to prove at trial that they suffered damages. Of note:

The three-judge panel’s Acting Chief Judge Tracy Staab wrote it was the court’s opinion that the Health District had knowledge its clients information was vulnerable as early as 2020, and that it also was aware that cybercriminals were attempting to compromise its systems.

Staab further wrote that the Health District failed to increase its security measures even after it was warned by the FBI about an impending cyberattack in May, 2021.

Even when staff received a phishing email after they were warned of an impending cyberattack, they reportedly still “did not improve its security measures,” the court wrote.

The case now goes back to Chelan County Superior Court.

A check of HHS’s public breach tool indicates that HHS closed its investigation of this incident with the following note:

The covered entity (CE), Chelan Douglas Health District, reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 188,236 individuals. The PHI involved included names, dates of birth, drivers’ license numbers, Social Security numbers, claims and financial information, diagnoses, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In its mitigation efforts, the CE implemented additional administrative and technical safeguards to better protect its PHI.

Their note makes no mention of the Health District’s risk assessment or any failure to take other steps when warned by the FBI of an impending attack, it seems.

Category: Breach IncidentsHealth Data

Post navigation

← DDoS site Dstat.cc seized and two suspects arrested in Germany
Canada Arrests Man Suspected of Hacks of Snowflake Customers →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them
  • Iranian Man Pleaded Guilty to Role in Robbinhood Ransomware
  • Developments surrounding data breach at Dutch police
  • Estonia launches international search for Moroccan citizen wanted over data theft
  • Now it’s Tiffany: Another LVMH luxury brand hit by hackers
  • Dutch Government: More forms of espionage to be a criminal offence from 15 May onwards
  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.