SuperCare Health Reaches $2.25M Data Breach Settlement Over Alleged Negligence

The respiratory care provider settled a data breach lawsuit in which it was accused of negligent cybersecurity practices that put PII in harm’s way.

By Sarai Rodriguez

SuperCare Health has agreed to a data breach settlement totaling $2.25 million in a class-action lawsuit filed by plaintiff Vickey Angulo and class members, who alleged the organization’s “reckless” approach to cybersecurity had led to the exposure of personal health information for hundreds of thousands of patients.

On March 25, 2022, officials confirmed that the California-based respiratory care provider was hit by a data breach between July 23 and July 27. With 318,379 individuals affected, the SuperCare Health breach was one of the most significant healthcare data breaches of 2022 at the time of publication.

It exposed highly sensitive data, including first and last names, birth dates, Social Security numbers, and treatment information.

In response to the breach, SuperCare took immediate action to contain the situation and strengthen the security of its network.

In a lawsuit filed with the US District Court for the Central District of California, plaintiff Vickey Angulo asserted that SuperCare's data breach resulted from the company's failure to implement sufficient cybersecurity protocols, especially given that attacks against medical systems and healthcare providers are at an unprecedented high.

Attorneys representing the class members argued that the plaintiff and class members would need to invest time in safeguarding themselves from identity theft and fraud.

“As a result of the Data Breach, Plaintiff anticipates spending considerable time and money on an ongoing basis to try to mitigate and address harms caused by the Data Breach,” the filing stated.

Furthermore, the plaintiff highlighted that the affected parties will remain at an elevated risk of identity theft and fraud for an extended period.

In addition to highlighting the plaintiff's anticipated costs and ongoing efforts to mitigate the effects of the data breach, the lawsuit also mentioned that the Federal Trade Commission (FTC) had issued numerous guidelines for businesses emphasizing the importance of adopting reasonable data security practices. 

Despite this guidance, SuperCare “failed to adequately adopt and train its employees on even the most basic of information security protocols.”

Patients accused SuperCare of violating contractual obligations and federal and state laws, including the Federal Trade Commission Act and California's Confidentiality of Medical Information Act.

Among other problems, patients also criticized SuperCare for delaying its data breach notification until late March, several months after the breach occurred.

Under the agreement, SuperCare will provide two tiers of monetary payments, ranging from $100 to $2,500. All eligible class members will also receive one year of three-bureau credit monitoring, including up to $1 million in fraud insurance coverage.

At the time of the breach, SuperCare said that data privacy was a top priority and that it would implement additional cybersecurity measures to protect its digital environment and reduce the risk of future incidents.