A proposed class action has been submitted against four leading healthcare networks located in Southern California, alleging that their neglect precipitated an information breach that put the personal data of over three million patients at risk. The case argues that Regal Medical Group, Lakeside Medical Organization, Affiliated Doctors of Orange County Medical Group, and Greater Covina Medical Group neglected to protect their patients’ information from cyber attackers who accessed their system on December 1, 2022. The suit further states that the healthcare networks’ personnel noticed anomalies regarding several of the servers as early as December 2, yet the groups were not aware of the breach until December 8.
Around 3,300,638 current and former patients had their confidential information breached due to the inadequate security measures taken by the healthcare networks. This included Social Security numbers, dates of birth, full names, home addresses, phone numbers, treatments, diagnoses, medications, lab tests, x-rays, and plan membership numbers. The lawsuit contends that, if the server had been closely monitored, the offender’s unauthorized access could have been discovered before any harm was done.
Moreover, the filing claims that the healthcare groups’ delayed notification of affected individuals was inappropriate. It claimed that the breach was initially identified in early December of 2023, yet notice of it was not sent to those involved until approximately two months afterwards, on February 1 of that year. This long delay, the suit alleges, virtually assured that the cybercriminals could “monetize, misuse, and/or disseminate” the stolen data prior to victims being able to take any steps to protect their data.
The class action lawsuit is intended to benefit all people in the United States whose private information was exposed during the data breach that occured in December of 2022. The three plaintiffs in the case are all individuals located in California, who were informed of the data infringement in February of 2023 and realized their sensitive medical data had been affected. One plaintiff has, since December of last year, gotten numerous caution alerts, including an unauthorized try to open a credit card, as well as receiving knowledge that their Social Security Number had been exposed. One more plaintiff was alerted in December that a third individual had attempted to gain access to the plaintiff’s credit card. Then, in February of this year, the woman’s bank blocked her debit card and deactivated her account because of suspicious activity.
In response to the breach, the defendants granted the data breach victims one year of complimentary credit monitoring. However, the lawsuit affirms this is not enough compensation considering that the victims may experience lifetime threats of identity fraud, medical scam and other unlawful activity.
The compromised personal information can be used by cybercriminals for various types of fraud, such as medical identity theft or financial fraud. Victims of medical identity theft may have their medical records altered, leading to inaccurate diagnoses or treatments, and may also receive bills for medical services they did not receive. Financial fraud can also lead to unauthorized purchases or loans taken out in the victim’s name.
To prevent these consequences and hold the healthcare networks accountable for their negligence, the lawsuit seeks compensation for affected patients. The case highlights the need for organizations to prioritize cybersecurity measures to protect the sensitive personal information of their clients and customers. Measures like multi-factor authentication, regular security audits, and training employees in cyber-threat identification and response can help organizations prevent data breaches and avoid the serious consequences that result from them.