CA Health Plan Faces Lawsuit After Cybersecurity Incident Linked to Hive Ransomware

May 17, 2022 - Partnership HealthPlan of California (PHC) is facing a proposed class-action lawsuit in the wake of a March 2022 cyber incident claimed by Hive ransomware group. The plaintiff, identified only as “John Doe,” alleged that PHC failed to adequately secure the personal information of its members.

In late March, PHC replaced its traditional webpage with a notice stating that its systems were down after detecting “anomalous activity.”

According to VentureBeat, Hive ransomware claimed responsibility for stealing 850,000 personally identifiable information (PII) records from the health plan. Hive ransomware claimed responsibility for multiple healthcare cyberattacks, including one on Memorial Health System in August.

As of April 15, PHC said it had successfully restored its website functionality and that it would continue to investigate the incident. PHC has not publicly confirmed the exact nature of the incident.

The class-action complaint, filed on May 5, claimed that “PHC failed to take steps necessary to prevent such an attack and has refused to date to notify victims of this ransomware attack that their personal information was improperly accessed and stolen.”

Under the HIPAA Breach Notification Rule, covered entities have 60 days following breach discovery to notify impacted individuals. It is unclear when exactly the breach began, but the lawsuit noted that Hive appeared to have gained access on or around March 19, giving PHC until around May 18 to notify HHS and the impacted individuals.

However, under California law, healthcare entities may be held to more stringent breach reporting requirements.

“Yet Defendants are still refusing to even acknowledge that a ransomware and resulting data breach took place, let alone providing comprehensive notice in the most expedient time possible and without unreasonable delay, as required under California law,” the lawsuit alleged.

The lawsuit alleged that PHC “affirmatively chose to design their systems with inadequate user authentication, security protocols and privileges, and set up faulty patching and updating protocols.”

Specifically, the lawsuit alleged that PHC violated the Information Practices Act of 1977, the Confidentiality of Medical Information Act, and Article 1, Section 1 of the California Constitution, among other allegations.

As recent cases have shown, it is difficult for plaintiffs to successfully prove harm in a healthcare data breach lawsuit. This is partly due to Ramirez v. TransUnion, in which the Supreme Court ruled that data breach victims must demonstrate actual injury and prove that the defendant’s conduct caused the damage. Despite this, recent research has shown that duplicative healthcare data breach lawsuits are increasing in frequency.