Negligent California Healthcare Groups to Blame for Data Breach Affecting 3.3M Patients, Class Action Says

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit claims the negligence of four major healthcare networks in Southern California resulted in a “foreseeable” data breach that compromised the personal information of over three million patients.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

Regal Medical Group, Inc.; Lakeside Medical Organization, A Medical Group, Inc.; Affiliated Doctors of Orange County Medical Group, Inc.; and Greater Covina Medical Group, Inc. are accused of failing to protect patients’ data from hackers who gained access to the defendants’ network on December 1, 2022, the 67-page lawsuit alleges. According to the suit, though the healthcare groups’ employees reportedly began having trouble accessing some of the servers on December 2, the defendants did not discover the data breach until December 8.

The case relays that the sensitive personal information of around 3,300,638 current and former patients was compromised by the breach and included patients’ Social Security numbers, dates of birth, full names, home addresses, telephone numbers, medical treatment details, diagnoses, prescription data, laboratory test results, radiology reports and health plan membership numbers.

As the complaint tells it, the cyberattack was a direct result of the healthcare networks’ failure to implement sufficient cybersecurity measures to protect the private data stored in their servers. The filing charges that if their security systems had been adequately monitored, the defendants would have detected the unauthorized access sooner.

The lawsuit also takes issue with the healthcare groups’ delayed notification of affected victims. Though the breach was discovered in early December, notices were not sent out to those impacted until approximately two months later, on February 1, 2023, the suit says.

As the filing claims, current and former patients gave their private data to the defendants with the expectation that the medical groups would comply with their legal duties to safeguard it from unauthorized disclosure. However, the two-month delay in notification “virtually ensured” that the cybercriminals could “monetize, misuse and/or disseminate” the stolen data before victims could take action to secure their private information, the case contends.

What’s more, the notices themselves provided scant details to victims and failed to mention how long the hackers had had access to patients’ data and what precise information was compromised, the complaint relays.

The three plaintiffs, California residents, received notice of the data breach in February 2023 and learned that their sensitive medical information had been compromised, the lawsuit explains. Between December 2022 and February of this year, one plaintiff reports having received numerous alerts of fraudulent activity, including an unauthorized attempt to register for a credit card in her name and a notice that her Social Security number had been breached.

Another plaintiff was notified in December of last year that an unknown third party had tried to access her credit card, the suit shares. In February of this year, the woman’s bank canceled her debit card and deactivated her account due to fraudulent activity, the case adds.

Though the defendants have offered data breach victims one year of complimentary credit monitoring, the complaint argues that the gesture is wholly inadequate in the face of victims’ “lifelong risk” of identity theft, medical fraud, and other illegal activity.

The lawsuit looks to represent anyone in the United States whose personal information was compromised in the December 2022 data breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.