SuperCare Health Faces Lawsuit After Data Breach Impacts 318K

The plaintiff is seeking class-action status in a lawsuit against SuperCare Health, alleging that the organization’s “incompetent security measures” led to the data breach.

By Jill McKeon

California-based SuperCare Health is facing a lawsuit in the wake of a July 2021 data breach. SuperCare recently disclosed the incident to 318,379 individuals, making it one of the largest reported healthcare data breaches of 2022 at the time of publication.

According to SuperCare’s notice, an unauthorized actor accessed the provider’s network between July 23 and July 27. The actor potentially had access to names, addresses, health insurance information, medical record numbers, birth dates, patient account numbers, claim information, treatment information, and hospital or medical group information. A small number of Social Security numbers and driver’s license numbers were also involved.

In a lawsuit filed in the US District Court Central District of California, plaintiff Vickey Angulo alleged that the breach was a direct result of SuperCare’s failure to implement sufficient cybersecurity protocols, “despite the fact that data breach attacks against medical systems and healthcare providers are at an all-time high.”

As a result, the lawsuit reasoned that the plaintiff and class members would have to spend time protecting themselves from identity theft and fraud.

“Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to Defendant, through frequent news reports and FBI warnings to the healthcare industry, and thus it was on notice that failing to take steps necessary to secure the Private Information from those risks left the property in a dangerous and vulnerable condition,” the filing stated.

With access to patient information, the lawsuit alleged that data thieves could open new financial accounts, use class members’ information to obtain government benefits, and file driver’s licenses in the victims’ names.

The plaintiff also argued that SuperCare’s breach notice provided “scant detail about the nature, severity or duration of the attack.”

SuperCare described the incident as “unauthorized activity” and said that an unknown party gained access to certain systems on its network.

The lawsuit also alleged that SuperCare “failed to adequately adopt and train its employees on even the most basic of information security protocols.”

In addition, the plaintiff noted that SuperCare notified victims of the breach in late March, months after it occurred. SuperCare’s notice explained that its investigation had concluded on February 4, 2022, which could explain the delay.

Due to the recent uptick in healthcare data breaches, the plaintiff argued that SuperCare should have seen the breach coming. The lawsuit alleged that SuperCare violated HIPAA and Federal Trade Commission (FTC) guidelines and failed to meet NIST security standards.

Since the Supreme Court’s ruling in Ramirez v. TransUnion, data breach victims now must prove that they suffered a concrete injury and link the defendant’s conduct to the injury.