Class Action Suit Filed in L.A. Breach
Seeking Damages in Wake of Computer Theft Incident
A class action lawsuit has been filed against Los Angeles County and a vendor that handles patient billing and payment collections for the county's departments of health services and public health in the wake of a breach last month affecting 168,500 individuals.
The breach was the result of a Feb. 5 theft of eight unencrypted desktop computers from the Torrance, Calif. office of Sutherland Healthcare Services, the billing and collections business.
Sutherland and the county began notifying breach victims of the incident on March 6, about a month after the theft (see: L.A. Breach Linked to Stolen Computers).
Information contained on the computers included patients' names, Social Security numbers and billing information. In addition, the stolen computers may also have contained dates of birth, addresses, diagnoses and other medical information for some patients.
The suit, which alleges violations of various California laws, was filed by attorneys for one unnamed plaintiff on behalf of the class of other individuals also impacted by the breach. That plaintiff is only identified in the suit as an adult female whose identity is being protected "due to the privacy breaches alleged," say documents filed in the Superior Court of California in Los Angeles County on March 14. The case is seeking an unspecified figure for damages, attorney's fees and appropriate injunctive relief.
Genie Harrison, lead trial attorney of Genie Harrison Law Firm, one of the two law firms representing the plaintiffs, tells Information Security Media Group that the next step in the suit is for the court to rule on whether the case can proceed as a class action.
In the meantime, the case will undergo a discovery phase to determine details of the incident, she says. Those details include the physical security that was in place at Sutherland's offices, why encryption and other safeguards were not implemented, and L.A. County's oversight of its vendor. "We'll get a copy of the contract [the county] had with Sutherland, and obtain information about the obligations they had for their client," she says.
Among the multiple complaints in the suit is that Sutherland and L.A. County failed to notify breach victims in a timely way. "Victims should've been notified as soon as [the organizations] knew" of the breach, she says. Medical facilities in California have an obligation to notify breach victims within five business days of detecting a breach, she says, referring to California Health & Safety Code 1280.15.
The suit also cited violations of a number of other California statutes, including those related to the Confidentiality of Medical Information Act, fair business practices, and various consumer and privacy regulations.
Additionally, the one year of free credit monitoring being offered to affected individuals by Sutherland and L.A. County as part of their breach response is "woefully inadequate," Harrison contends. "What happens if identity information is sold on the black market? Identity theft could go on for victims five or 10 years from now because of this breach," she says.
The L.A. County department of public health declined to comment on the case. Sutherland did not reply to a request for comment.