PIH sued after notifying patients of phishing attack that could have exposed their protected health information
On January 24, I posted a breach notification from PIH Health with a commentary on how long it took from the time of the phishing attack to notification of almost 200,000 potentially affected patients. There was nothing in their notification, however, that suggested that patients had actually had their protected health information stolen or misused. Nor was their information destroyed or corrupted. Their information was in email accounts and could have been accessed by an unauthorized individual. From what I read, no patient had their care interrupted or even delayed.
On February 20, a potential class action lawsuit was filed against PIH.
The complaint, filed in the Central District of California with one named plaintiff, Daniela Hernandez, does not describe any actual injury or harm that Ms Hernandez suffered as a result of the breach, other than the usual claims of imminent harm, costs, etc. The complaint also includes counts under California and New Jersey laws.
The complaint was filed by the same law firm as two other class action lawsuits I recently noted and it contains some of the same claims and language that I thought were seriously exaggerated in the other complaints.
It was a poor decision on PIH’s part, I think, not to offer affected patients complimentary credit monitoring or restoration services, and I did question the timeliness of the notification, but consider the following allegations from the complaint:
As a direct and proximate result of Defendant’s breaches of its fiduciary duties, Plaintiff and Class Members have suffered and will suffer injury, including but not limited to: (i) actual identity theft; (ii) the compromise, publication, and/or theft of their Private Information; (iii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft and/or unauthorized use of their Private Information; (iv) lost opportunity costs associated with effort expended and the loss of productivity addressing and attempting to mitigate the actual and future consequences of the Data Breach, including but not limited to efforts spent researching how to prevent, detect, contest, and recover from identity theft; (v) the continued risk to their Private Information, which remains in Defendant’s possession and is subject to further unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect the Private Information in its continued possession; (vi) future costs in terms of time, effort, and money that will be expended as result of the Data Breach for the remainder of the lives of Plaintiff and Class Members; and (vii) the diminished value of Defendant’s services they received.
I am obviously unimpressed with these lawsuits and think they are only going to drive up the cost of healthcare and cyberinsurance. Maybe the legal community needs to speak up more about firms that are filing suits like these.
Or maybe I’m missing something and these suits are an absolutely wonderful way to try to get healthcare entities to take greater precautions against hacks and ransomware attacks because they’re not motivated enough already? Maybe, but somehow I doubt that.