Prospect Medical Holdings Failed to Protect Private Data from Hackers, Class Action Says

New to ClassAction.org? Read our Newswire Disclaimer

Prospect Medical Holdings, Inc. faces a proposed class action that claims the healthcare corporation failed to protect private employee and patient data during an August 2023 cyberattack.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

According to a September 29 notice letter, the company, after reportedly learning on August 1 that a “data security incident” had “disrupted the operations of some of [its] IT systems,” launched an investigation that revealed that an unauthorized third party had, between July 31 and August 3 of this year, accessed and exfiltrated files containing sensitive data.

The 94-page lawsuit relays that the stolen files, which Prospect Medical had shared with a third-party vendor, contained personal data belonging to the company’s employees and current and former patients, including names, dates of birth, Social Security numbers and health insurance details. Per the suit, the data breach also compromised patients’ medical information, including diagnoses, lab results, prescription information, treatment details and medical record numbers.

As the case tells it, a ransomware group called Rhysida reportedly claimed responsibility for the attack and posted screenshots of sensitive documents and medical data on the dark web while threatening to sell the stolen information for 50 Bitcoin—the equivalent of nearly $1.3 million—if Prospect Medical did not meet its ransom demands.

The complaint argues that Prospect Medical, the operator of a network of hospitals and medical centers throughout California, Connecticut, Pennsylvania, Texas and Rhode Island, failed to implement adequate cybersecurity protocols to safeguard the sensitive data in its care, which was allegedly stored unencrypted and unredacted in the defendant’s systems.

The filing contends that the company could have prevented the cyberattack entirely by “properly encrypting private information being shared with its vendors or otherwise ensuring that such private information was protected while in transit or accessible.”

Despite the frequency of data breaches in the medical industry in recent years, Prospect Medical “recklessly” failed to take reasonable steps to safeguard the confidential information in its care, the lawsuit claims.

The plaintiff, a California resident and former patient, says he received in September of this year a notice that stated that his personal data had been compromised in the breach. Like other victims, the man now faces a heightened risk of identity theft, medical fraud and other misuse of his information as a result of Prospect Medical’s negligence, the case charges.

The lawsuit looks to represent anyone in the United States whose private information was compromised in the data breach announced by Prospect Medical in September 2023.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.