DataBreaches.Net


Sunshine Behavioral Health Group Faces Class Action Under CCPA After Data Breach Affecting 3,500 Patients

Posted on March 13, 2020 by Dissent

Linn F. Freedman of Robinson & Cole LLP writes that Sunshine Behavioral Health Group is facing a potential class action lawsuit. The case is Fuentes v. Sunshine Behavioral Health Group LLC, and it was filed this week in the Central District of California. The case is drawing some attention because it is one of the first suits to be filed under California’s new Consumer Privacy Act (CCPA). As Freedman explains, if the plaintiff can show he was injured and the injury was due to the defendant violating the law, the plaintiff might survive a motion to dismiss.

The plaintiff, Hector Fuentes, claims that since the data breach, which the complaint alleges began on March 1, 2017:

someone has attempted to fraudulently open a credit card in Mr. Fuentes’ name. Since the Data Breach, Mr. Fuentes has begun receiving magazine subscriptions in his name that he did not purchase and receiving invoices for those magazine subscriptions. Since learning of the Data Breach, Mr. Fuentes has become worried that he will become a victim of identity theft or other fraud which is causing him stress and anxiety. Since learning of the Data Breach, Mr. Fuentes has spent in excess of 10 hours of his own time trying to make sure he has not and does not become victimized because of the Data Breach.

So Fuentes is alleging damages, and claims that the damages were due to Sunshine not having adequate security in place, despite having been put on notice by federal law enforcement and HHS about the risk of hacks. As Freedman notes, however, it is not clear from the complaint whether Fuentes provided 30 days’ notice to Sunshine to implement security measures before he filed suit seeking to require them to implement security measures.

But there also appear to be other problems with the plaintiff’s complaint.

As regular readers may recall, DataBreaches.net broke the story of the data leak after being tipped to it by a researcher. This site first notified Sunshine of their leak on September 4, 2019 and followed up when they did not take immediate action. The second phone call resulted in them taking some steps to protect the data. But when Sunshine did not disclose the breach by 60 days after this site notified them, DataBreaches.net went public about the leak and what this site found in the data. This site also reported the fact that in November, it notified Sunshine again after realizing that their files were still available for download without any login required if one had already noted the URLs for the files during the initial leak. Given that Sunshine Behavioral Health deals with the treatment of alcohol and drug addiction, its patient population and patient records are very sensitive.

Was the exposed data exfiltrated, as the Fuentes complaint alleges? Certainly it must have been exfiltrated by at least one party, as this site had been provided a copy of the data by the whitehat researcher who had discovered the leak. But how many other entities accessed, viewed, and/or exfiltrated their data? Sunshine Behavioral Health did not respond to inquiries by DataBreaches.net until their external counsel got involved and contacted this site to inquire as to whether we would destroy any data and certify that we had destroyed it. It was only then that this site was able to get statements confirming that Sunshine Behavioral Health had reported the incident to HHS/OCR and to affected patients, but no other information was provided.

From a quick skim of the complaint, it appears that much of it is premised on treating this as a hacking case resulting from the defendant’s negligence, but this wasn’t a hacking case. Not to minimize the seriousness of a leak of sensitive information, but this was a data leak or “help yourself” situation, and the risk of becoming a fraud victim or identity theft victim from a leak may not be the same as the risks of those outcomes from a hack situation.

The complaint also raises the issue that Sunshine’s notification to patients was not timely under either HIPAA or California’s Confidentiality of Medical Information Act (CMIA). And also of concern to the plaintiff, Sunshine allegedly did not offer those affected any fraud insurance or mitigation for those who might become fraud victims. According to the complaint, Sunshine (only) offered those affected 24 months of credit monitoring, which is not the same thing.

The complaint is confusing in that regard, because Sunshine’s notification on their website dated January 21 (well before the complaint was filed) includes this statement:

If we have confirmed that your personal information was affected by the incident, we are offering MyIDCare protection through ID Experts for 24 months at no cost.

MyIDCare does appear to include the kind of mitigation help the plaintiff is asking for: identity recovery and assistance and $1 million ID theft insurance.

Sunshine Behavioral Health was asked if they wished to comment on the litigation but did not respond at all by publication time.

 

 

