Lawsuit Filed in Health Center Data Exfiltration Breach
Incident Affected at Least 650,000; Data Allegedly Posted on Dark Web
A Seattle, Washington-based community health center operator is facing a class action lawsuit in the aftermath of a data exfiltration incident reported last year as affecting more than 650,000 individuals. The breach also involved data allegedly found posted for sale on the Marketo data leak site.
The lawsuit complaint, filed on Wednesday in a Washington state superior court by Alan Hall, a former patient, on behalf of others similarly affected, alleges that Sea Mar Community Health Centers violated various state regulations and was negligent in failing to properly safeguard individuals' sensitive information, among other claims.
Sea Mar operates dozens of medical, behavioral health and dental clinics and social service programs in the region. In an October 2021 breach notification statement, it said the incident potentially affected information including name, address, Social Security number, date of birth, client identification number, diagnostic and treatment information, medical/vision/dental insurance information, claims information, and images associated with dental treatment.
Sea Mar reported the hacking incident on Oct. 31, 2021, to the U.S. Department of Health and Human Services as affecting 688,000 individuals. Hall's lawsuit complaint alleges the incident affected more than 650,000 class members.
The complaint alleges that between December 2020 and March 2021, an unauthorized individual hacked into Sea Mar's IT network and obtained access to confidential files containing current and former patients' private information.
"For at least three months, the cybercriminals who hacked into [Sea Mar's] IT network had unfettered access to files containing information pertaining to patients," the lawsuit alleges.
"Incredibly, the threat actor - known as the 'Marketo gang' - stole 3 TB of sensitive data from [Sea Mar] and thereafter posted it for sale on the 'Marketo marketplace,' a marketplace where the cybercriminals sell their stolen data to the highest bidder on the dark web."
Blog site Databreaches.net last October reported that as proof of the Sea Mar exfiltration incident, cybercriminals uploaded to the Marketo data leak site several photos of identified pediatric dental patients, and that Marketo claimed to have had 201 bids for Sea Mar data in July 2021.
Sea Mar in its breach notification statement says that on June 24, 2021, it "was informed that certain Sea Mar data had been copied from its digital environment by an unauthorized actor."
Alleged Security Failures
Hall's lawsuit alleges that as a result of the incident, affected individuals "suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft … out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of value of their personal information."
It says Sea Mar "disregarded the rights of Plaintiff and Class Members … by intentionally, willfully, recklessly, or negligently failing to take adequate and prevent the data breach … and failing to provide Plaintiff and Class Members prompt notice of the Data Breach."
"Had [Sea Mar] properly monitored its property, it would have discovered the intrusion sooner, as opposed to letting cyberthieves roam freely in [its] IT network for four months."
Sea Mar did not immediately respond to Information Security Media Group's request for comment on the lawsuit.
In its October 2021 breach notification statement, the company said it was not aware of any evidence of the misuse of any information potentially involved in this incident.
Technology attorney Steven Teppler of the law firm Sterlington PLLC, who is not involved in the Sea Mar case, says that when personally identifiable information or protected health information stolen in breaches ends up for sale on the dark web, that exposure of PII and PHI should strengthen the plaintiff's and class members' Article III argument. "The 'imminence' of damage - identity compromise - is much closer to realization and seriously dilutes any argument that such damage is speculative," he says.
Additional Credit/ID Monitoring
The lawsuit seeks relief, including damages and an order compelling Sea Mar to "utilize appropriate methods and policies with respect to consumer data collection, storage, and safety." The lawsuit also seeks "disgorgement of the revenues wrongfully retained as a result of [Sea Mar's] wrongful conduct."
The lawsuit also seeks at least three years of complimentary identity and credit monitoring for the plaintiff and class members. The complaint alleges that the complimentary ID/credit monitoring offered by Sea Mar in the aftermath of the breach "is wholly inadequate as the services are only offered for 12 months and it places the burden squarely on the plaintiff and class members."
Attorney Teppler agrees. "In light of threat actors 'ageing' PII and PHI, or the substantial likelihood of identity compromise attempts to use valuable PII over a long period of time - Social Security numbers, in particular - one year is anything but generous."
The Sea Mar lawsuit is among the latest suits filed against healthcare entities in the aftermath of major health data breaches. For instance, last month, a proposed class action lawsuit was filed in an Ohio federal court against Ohio-based Memorial Health System in the wake of a ransomware attack that occurred last August and reportedly involved the Hive cybercriminal gang, resulting in a health data breach affecting nearly 216,500 individuals.
That lawsuit, like the one against Sea Mar, alleges a list of claims including negligence (see: Lawsuit: Negligence Led to Memorial Health System Attack).