Lawsuits are scary and expensive and this one is attacking a non-profit community health center.
A class action lawsuit has been filed against Sea Mar Community Health Centers (Sea Mar) in Washington for failing to protect patients’ private and sensitive information. Sea Mar is not a big national company, like Blackbaud, AMCA, Accellion or CaptureRx, all of whom had to defend class actions in recent years. More recently, another class action lawsuit was filed against a regional health system, Memorial Health System in Ohio. Memorial operates three hospitals in two states, employs over 2,700, including 325 healthcare providers at 64 clinics, By contrast, Sea Mar a community-based organization serving low-income, underserved, and uninsured communities in western Washington. It represents the opposite of the usual target for class actions – they do not have “deep pockets”. Why were they sued?
Class action lawsuits are usually filed when a large number of people in a similar situation, with the same set of facts claim injury against the same defendant. In this case, over 650,000 people were affected, so a large number of them can join “the class” and sue together. Like other private lawsuits claiming damages from privacy breaches, this case claims state privacy laws were violated, not HIPAA, since HIPAA does not provide a private right to sue.
Data Breach Causes Medical Identity Theft
This breach and the resulting class action lawsuit boldly reveal how cyber criminals use the dark web to profit from medical identity theft.
In October, 2021 Sea Mar notified the U.S. Department of Health and Human Services (HHS) of a breach potentially affecting 688,000 individuals, in compliance with HIPAA. The breach notice posted on its website said that Sea Mar first learned of unauthorized access by a hacker on June 24, 2021. Sea Mar engaged cybersecurity experts to investigate, and learned that additional data may have been exfiltrated over three months, between December 2020 and March 2021. The information stolen included patient names, addresses, Social Security numbers, dates of birth, client identification numbers, diagnostic and treatment information, insurance information, claims information, and images associated with dental treatment.
Protected Health Information for Sale
The lawsuit alleges that “…the threat actor – known as the ‘Marketo gang’ – stole 3 TB of sensitive data from [Sea Mar] and thereafter posted it for sale on the ‘Marketo marketplace,’ a marketplace where the cybercriminals sell their stolen data to the highest bidder on the dark web.”
Last October, the blog site Databreaches.net reported that “the incident was posted on Marketo’s leaked data site in June. In Sea Mar’s case, Marketo claimed to have 201 bids for their data back in July.” Apparently, the cybercriminals uploaded to the Marketo data leak site several photos of identified pediatric dental patients, as proof. The Marketo leak site is no longer online.
Lawsuits Add to the Costs of a Healthcare Data Breach
Lawsuits are expensive, public and distracting. On top of every other expense required to manage a breach, the legal fees, public relations and patient communications needs absorb resources and time. A nonprofit community health center is often already operating on a thin budget, and these costs can be crippling. The lawsuit is intended to help patients of the clinic, but unfortunately it may end up compromising their care if the clinic’s resources are stretched to a breaking point. Other larger organizations, like AMCA and CaptureRx, mentioned above, have entertained bankruptcy after class action lawsuits.
No one type of organization is “off limits” to cyber criminals or plaintiffs’ lawyers. Ideally, all healthcare organizations will exercise the highest level of care to safeguard patient information, and prevent or limit breaches. Prevention is much less costly.