Sea Mar Accused of Negligence Over Data Breach

A Seattle-based healthcare provider is facing a class action lawsuit over a cyber-attack in which the protected health information of 688,000 people was exposed.

The exfiltration of data from Sea Mar Community Health Centers became apparent when files stolen in the attack showed up on the dark data leak website of cyber-criminal gang Marketo.

Marketo claimed to have stolen 3TB of data from Sea Mar. Databreaches.net spotted the leaked files in June 2021 and reported them to Sea Mar. The healthcare provider waited until October 2021 to notify impacted individuals via letter.

Sea Mar said hackers had gained access to its network between December 2020 and March 2021. The cyber-criminals exploited that access to exfiltrate sensitive data, including names, dates of birth, health information, addresses and Social Security numbers.

In October 2021, the incident was reported to the HHS’ Office for Civil Rights as a data breach impacting 688,000 current and former patients.

On February 16, Alan Hall, from Bellingham, Washington, filed a lawsuit against Sea Mar on behalf of himself and others impacted by the data breach. In it, the plaintiff accused the healthcare provider of negligence and alleged that Sea Mar failed to implement adequate and reasonable cybersecurity procedures and protocols to protect patient and employee information.

Sea Mar is further accused of caring for sensitive patient data “in a reckless manner.”

Hall alleges that Sea Mar knew that its computer systems and security practices were inadequate but failed to disclose this information. He further accuses Sea Mar of improper monitoring of its network for intrusions.

The suit alleges that “as a result of the Data Breach, Plaintiff and more than 650,000 Class Members suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of value of their personal information.”

Hall is seeking compensatory damages, nominal damages, reimbursement of out-of-pocket costs and injunctive relief, including improvements to Sea Mar’s data security systems and future annual audits.
