DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Class action ping pong: Dismissal of lawsuit against Chelan Douglas Health District reversed; case goes back to Superior Court

Posted on November 3, 2024November 3, 2024 by Dissent

In July 2021, Chelan Douglas Health District in Washington experienced a data breach. They disclosed the breach to the public in March 2022, surprisingly patting themselves on the back for completing their investigation in 6-7 months.

A number of media reports indicate that the breach reportedly affected almost 109,000 patients, but the breach was reported to HHS on March 15, 2022 as affecting the protected health information (PHI) of 188,236 patients. The types of PHI included Social Security numbers, dates of birth/death, financial account information, medical information (treatment/diagnosis information, medical record or patient number, and/or health insurance policy information.

A potential class action lawsuit was filed in Chelan County Superior Court by Sarah Nunley and Michelle Slater. They claimed that they received a large number of spam phone calls and emails, and Nunley further claimed her personal data was used to file for an unauthorized business license and that her social security number appeared on the dark web.

Their case was dismissed in February 2023 when Chelan County Superior Court Judge Kristin Ferrera held that they had shown no evidence of harm.

This past week, the dismissal was reversed by the State Court of Appeals. As KPQ reported, the three-judge panel stated that the Health District had a responsibility to protect the personal information it stored, and the plaintiffs have a right to prove at trial that they suffered damages. Of note:

The three-judge panel’s Acting Chief Judge Tracy Staab wrote it was the court’s opinion that the Health District had knowledge its clients information was vulnerable as early as 2020, and that it also was aware that cybercriminals were attempting to compromise its systems.

Staab further wrote that the Health District failed to increase its security measures even after it was warned by the FBI about an impending cyberattack in May, 2021.

Even when staff received a phishing email after they were warned of an impending cyberattack, they reportedly still “did not improve its security measures,” the court wrote.

The case now goes back to Chelan County Superior Court.

A check of HHS’s public breach tool indicates that HHS closed its investigation of this incident with the following note:

The covered entity (CE), Chelan Douglas Health District, reported that it experienced a cyber-attack that compromised the protected health information (PHI) of 188,236 individuals. The PHI involved included names, dates of birth, drivers’ license numbers, Social Security numbers, claims and financial information, diagnoses, and other treatment information. The CE notified HHS, affected individuals, the media, and provided substitute notice. In its mitigation efforts, the CE implemented additional administrative and technical safeguards to better protect its PHI.

Their note makes no mention of the Health District’s risk assessment or any failure to take other steps when warned by the FBI of an impending attack, it seems.


Related:

  • Former U.S. Soldier Pleads Guilty to Hacking and Extortion Scheme Involving Telecommunications Companies
  • DOGE Denizen Marko Elez Leaked API Key for xAI
  • Four people bailed after arrests over cyber attacks on M&S, Co-op and Harrods
  • Texas Enacts Electronic Health Record Data Localization Law
  • United Australia Party confirms ransomware attack, personal data and email correspondence exposed
Category: Breach IncidentsHealth Data

Post navigation

← DDoS site Dstat.cc seized and two suspects arrested in Germany
Canada Arrests Man Suspected of Hacks of Snowflake Customers →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • North Country Healthcare responds to Stormous’s claims of a breach
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
  • Former U.S. Soldier Pleads Guilty to Hacking and Extortion Scheme Involving Telecommunications Companies
  • DOGE Denizen Marko Elez Leaked API Key for xAI
  • Four people bailed after arrests over cyber attacks on M&S, Co-op and Harrods
  • RansomedVC is back — and is still attacking its competitors
  • Texas Enacts Electronic Health Record Data Localization Law
  • United Australia Party confirms ransomware attack, personal data and email correspondence exposed
  • Armenian National Extradited to the United States Faces Federal Charges for Ransomware Extortion Conspiracy
  • 70% of healthcare cyberattacks result in delayed patient care, report finds

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Texas Enacts Electronic Health Record Data Localization Law
  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents
  • Attorney General Tong Announces $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act​
  • Fourth Circuit upholds West Virginia ban on abortion pills
  • Meta fixes bug that could leak users’ AI prompts and generated content
  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.