In July 2021, Chelan Douglas Health District in Washington experienced a data breach. They disclosed the breach to the public in March 2022, surprisingly patting themselves on the back for completing their investigation in 6-7 months.
A number of media reports indicate that the breach reportedly affected almost 109,000 patients, but the breach was reported to HHS on March 15, 2022 as affecting the protected health information (PHI) of 188,236 patients. The types of PHI included Social Security numbers, dates of birth/death, financial account information, medical information (treatment/diagnosis information, medical record or patient number, and/or health insurance policy information.
A potential class action lawsuit was filed in Chelan County Superior Court by Sarah Nunley and Michelle Slater. They claimed that they received a large number of spam phone calls and emails, and Nunley further claimed her personal data was used to file for an unauthorized business license and that her social security number appeared on the dark web.
Their case was dismissed in February 2023 when Chelan County Superior Court Judge Kristin Ferrera held that they had shown no evidence of harm.
This past week, the dismissal was reversed by the State Court of Appeals. As KPQ reported, the three-judge panel stated that the Health District had a responsibility to protect the personal information it stored, and the plaintiffs have a right to prove at trial that they suffered damages. Of note:
The three-judge panel’s Acting Chief Judge Tracy Staab wrote it was the court’s opinion that the Health District had knowledge its clients information was vulnerable as early as 2020, and that it also was aware that cybercriminals were attempting to compromise its systems.
Staab further wrote that the Health District failed to increase its security measures even after it was warned by the FBI about an impending cyberattack in May, 2021.
Even when staff received a phishing email after they were warned of an impending cyberattack, they reportedly still “did not improve its security measures,” the court wrote.
The case now goes back to Chelan County Superior Court.
A check of HHS’s public breach tool indicates that HHS closed its investigation of this incident with the following note:
The covered entity (CE), Chelan Douglas Health District, reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 188,236 individuals. The PHI involved included names, dates of birth, drivers’ license numbers, Social Security numbers, claims and financial information, diagnoses, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In its mitigation efforts, the CE implemented additional administrative and technical safeguards to better protect its PHI.
Their note makes no mention of the Health District’s risk assessment or any failure to take other steps when warned by the FBI of an impending attack, it seems.