Class Actions Pour in Against Sea Mar Community Health Centers Over Data Breach Affecting 650K+ Patients

New to ClassAction.org? Read our Newswire Disclaimer

Sea Mar Community Health Centers faces at least four proposed class action lawsuits in Washington over a data breach in which reportedly three terabytes of sensitive information belonging to more than 650,000 people was stolen by hackers. 

The lawsuits, filed on November 12, 2021 in King County Superior Court and removed to Washington’s Western District Court this week, allege the cyberattack was a direct result of the private, non-profit healthcare system’s failure to have in place adequate and reasonable cybersecurity measures and protocols designed to protect patients’ and employees’ sensitive data. 

According to the litigation, an unauthorized individual hacked Sea Mar Community Health Centers’ IT network between December 2020 and March 2021 and had access to confidential files containing current and former patients’ information. The suits say the actor, known as “Marketo gang,” heisted three terabytes of patient data and thereafter posted it for sale on a dark web marketplace where cybercriminals are known to sell stolen information to the highest bidder. 

Sea Mar Community Health Centers became aware of the incident on June 24, 2021, when the perpetrator informed the company that they had successfully copied the data from its digital environment, the lawsuits relay. As a result of the hack, more than 650,000 individuals face the threat of fraud and identity theft, as well as out-of-pocket expenses and lost time related to remedying or mitigating the fallout from the breach, the cases say. 

“Information compromised in the Data Breach includes patient names, addresses, dates of birth, Social Security numbers, medical and clinical treatment information, insurance information, claims information and other protected health information as defined by the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’) that Defendant collected and maintained.” 

Sea Mar has more than 90 health clinics in Washington providing medical, dental and behavioral health services. Sea Mar allegedly did not begin to notify government agencies or the public about the data breach until on or around October 29, 2021, more than four months after it was warned of the incident.

“Cybercriminals could pilfer patients’ PII [personally identifiable information] and PHI [personal health information] because Sea Mar did not adequately maintain, protect, and secure the information, leaving it an unguarded target for theft and misuse,” one suit alleges. “On information and belief, Sea Mar knew or had reason to know that patients’ PII and PHI was for sale online but never informed its patients of that fact.”

The lawsuits look to represent all Washington state residents whose personal health and identifying information was accessed by and disclosed to unauthorized persons in the data breach, including residents who received notice of the incident. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.