Partnership HealthPlan of California Hit with Class Action Following Hive Ransomware Attack

New to ClassAction.org? Read our Newswire Disclaimer

Partnership HealthPlan of California (PHC) faces a proposed class action over a March 2022 ransomware attack during which the personal and medical information of enrollees and employees was reportedly exposed.

The 42-page lawsuit claims that PHC’s failure to implement adequate cybersecurity protocols and procedures caused 850,000 unique records and over 400 gigabytes of personal consumer information to be acquired by the Hive ransomware group. According to the case, the data compromised in the breach included enrollees’ names; email and street addresses; Social Security, driver’s license, tribal identification, and medical record numbers; treatment, diagnosis, prescription and other medical information; health insurance data; and portal usernames and passwords.

The lawsuit says that PHC not only failed to take the necessary steps to protect enrollees’ personal and health information from unauthorized access but has failed to provide “full and complete notice to affected consumers in the most expedient time possible and without unreasonable delay,” as required under California law.

“Despite its duties and obligations under California law to promptly provide notice to consumers of such material facts so that they could take appropriate action, PHC did not inform members that it was experiencing a ransomware attack, that its systems had been encrypted by the Hive ransomware group, and that patient Medical Information had been stolen and disclosed,” the complaint states.

The lawsuit relays that around March 29, 2022, the Hive ransomware group published a website page in which it claimed to have exfiltrated hundreds of gigabytes of data from PHC’s file servers on March 19. Although PHC shut down its patient-facing website on March 30, it failed to disclose to members that it had been subject to a ransomware attack, the suit states. When the health plan restored functionality to its website on April 15, it acknowledged only that there had been a “detection of anomalous activity within areas of the organization’s network,” the case adds.

According to the complaint, PHC waited until around May 18 to begin notifying state and federal officials and send letters to current and former enrollees regarding the ransomware attack. The case contends, however, that the notice sent to victims has “significant deficiencies” in that it contained only a “brief and vague description” of the incident and failed to acknowledge that the breach was a ransomware attack orchestrated by “a gang of cyber-thieves.”

The suit goes on to argue that PHC’s offer of two years of a “vague credit monitoring service” is inadequate to protect those whose information was stolen given fraudulent use of that data may continue for years.

The lawsuit looks to represent all non-California citizens and residents who are current or former enrollees or employees of Partnership HealthPlan of California or its healthcare service plans and whose information was accessed or released or disclosed as a result of the Hive ransomware attack around March 2022 and who were sent notice of the attack in May.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.