‣ 850,000 Enrollees Subject To Ransomware Attack
‣ One of the Largest Healthcare Data Breaches in US
5/21 UPDATE: PARTNERSHIP HEALTHPLAN (PHC) SENDS DATA BREACH NOTICES TO AFFECTED FORMER AND CURRENT ENROLLEES
On May 18, 2022, PHC finally began sending Data Breach Notices to affected current and former enrollees by mail. Partnership HealthPlan also posted a copy of the Notice on its website. A copy of the California Data Breach Notice can be found here.
The Notice, mailed a full 60 days after the initial Hive ransomware attack and data theft, still fails to inform enrollees that their data was compromised in a ransomware attack by a well-known criminal enterprise. Nor does the Notice inform enrollees and their families that the Hive group published details of the data theft on the dark web.
However, the Data Breach Notice does confirm that the compromised confidential and personal data may include the following:
- your name
- Social Security number
- date of birth
- Driver’s License number (if provided)
- Tribal ID number (if provided)
- medical record number
- treatment
- diagnosis
- prescription and other medical information
- health insurance information
- member portal username and password
- email address
- street address
Twenty-four (24) months of complimentary credit monitoring is being offered through Cyberscout. The deadline for enrollment is 90 days from the date of the Notice.
A class action lawsuit was filed on behalf of former and current enrollees.
[original article]
On March 29, 2022, the Hive ransomware group posted a message on its HiveLeaks dark website declaring that the group had access to the personal private information of approximately 850,000 patients of healthcare coverage provider Partnership HealthPlan of California (“PHC”), totaling about 400 gigabytes of data. This data included patients’ names, addresses, and Social Security numbers.
Partnership HealthPlan of California Data Breach
According to The Press Democrat, Partnership HealthPlan began informing clinics that its systems were down on March 21, 2022.
Partnership HealthPlan of California’s website has yet to be restored; instead, it has been replaced with the following message:
“Partnership HealthPlan of California recently became aware of anomalous activity on certain computer systems within its network. We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation.”
As reported by The CyberWire, Brian Higgins, a security specialist with Comparitech, stated last week:
“Based on Comparitech data this is the largest attack in 2022 so far and the 8th largest of all time in the healthcare industry.”
“Attacks on the healthcare sector have long been popular with cybercriminals as they provide an extra layer of leverage to any extortion or ransom request. [. . . ] [W]ith a customer community of vulnerable patients or clients worried that their most intimate and private medical information may be made public, the pressure on a victim organization to pay up quickly and resolve the incident is dramatically increased.”
PHC provides health care access to over 550,000 people in the following Northern California counties: Del Norte, Humboldt, Lake, Lassen, Marin, Mendocino, Modoc, Napa, Shasta, Siskiyou, Solano, Trinity, and Yolo.
Special California Data Breach Laws Protect You
California has laws that specifically protect your personal information.
- The California Customer Records Act requires businesses to put into place and maintain reasonable security procedures and practices to protect consumers’ personal information.
- In 2018, California passed the California Consumer Privacy Act (CCPA). This law contains many protections for the personal information of California residents.
If certain types of personal information, like the data at issue here, are left unencrypted and are accessed, stolen, or hacked because a business did not fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and the California Customer Records Act (CCRA).
You may be entitled to between $100 and $750 or your actual damages, whichever is greater. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.
Identity theft is on the upswing. In 2018 approximately 23 million people in the United States reported that they had been victims of identity theft within the previous year.[1] By 2021, there were over 50 million personal records compromised nationwide, with the T-Mobile data breach alone affecting 6 million consumers. Even Equifax and Experian, which are offering credit monitoring services, have experienced massive data breaches, affecting over 150 million people.
Stolen personal data presents an attractive target for hackers: it can be bought and sold anonymously. The going rate per personal record is low (under $20 per record, depending on the type of information, according to the Privacy Affairs Dark Web Index of 2021).
Certain critical types of personal information – like social security numbers, names, and birth dates – are impossible to change. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.
Law enforcement is often unable to break the sophisticated encryption hiding these unlawful activities. The FBI’s Internet Crime Complaint Center received almost 800,000 complaints in 2020.
This leaves identity theft victims to repair their misused credit scores, health insurance, and social security numbers. Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used by criminals to cause you significant financial losses.
Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.
Corporations Can Be Held Accountable For Data Breaches
Many businesses amass vast troves of personal data about consumers and keep that data indefinitely for future profits. When companies use this strategy, keeping your personal information secure from cybercriminals is their responsibility.
When you trust businesses with data that can be used to identify you, they owe you an obligation to use good privacy and security practices to keep your data safe. When businesses decide to collect and hold personal data about California customers or visitors to their websites, under California law, they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals.
Whether you surf the internet, shop online, or use social media, you leave an electronic trail of personal information often scooped up and retained by businesses to boost future sales and increase engagement with their websites. This personal data is valuable to companies and criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[2] The stakes are high: Data breach victims are more likely to be victims of additional fraud.[3]
You Have Important Legal Rights Under California’s CCPA
The CCPA also provides consumers with other important rights. These include:
- The right to see a copy of the personal data a business has collected about you, free of charge.
- The right to find out why a business has collected your personal information, what it has shared (by category), who it was collected from (by source type), and who it has shared your data with (by category).
- The right to have your personal information deleted from any business that collected it directly from you.
- The right to find out if your data is being sold.
- The right to opt out of the sale of your data without being discriminated against.
4/16 UPDATE: PHC WEBSITE AND SYSTEMS RESTORED
PHC has reported that, as of April 15, 2022, it has successfully restored its website functionality. PHC posted an apology for the disruption on its website and has stated that it has “taken all recommended measures offered by our cybersecurity partners to ensure these systems are safe and available to resume normal business operations.” However, PHC also states that its investigation into this incident is ongoing and is not yet completed.
5/6 UPDATE: CLASS ACTION LAWSUIT FILED
Press Release – May 6, 2022
For Immediate Release
CLASS ACTION LAWSUIT ALLEGES PARTNERSHIP HEALTHPLAN OF CALIFORNIA DISCLOSED DATA OF UP TO 850,000 ENROLLEES IN RANSOMWARE ATTACK
On May 5, 2022, a member of PARTNERSHIP HEALTHPLAN OF CALIFORNIA (“PHC”), a healthcare coverage provider based in Northern California, filed a class action lawsuit in Humboldt County Superior Court challenging PHC’s failure to adequately store and protect the sensitive medical information of up to 850,000 enrollees and its failure to give notice of the breach to all impacted enrollees. When compared to the data reported by the U.S. Department of Health and Human Services Office for Civil Rights during the last 2 years, this would be the second largest health plan data breach in the United States during that time.
According to the Complaint, on March 29, 2022, the Hive ransomware group posted a message declaring the group had been able to access the personal private information of up to 850,000 patients of PHC on or about March 19, 2022, and had encrypted PHC’s computer system. This data included at least the names, addresses and Social Security Numbers of their patients. The Complaint also alleges that PHC’s negligence in safeguarding the medical information of Plaintiff and the Class members “was exacerbated by the repeated warnings and alerts directed to protecting and securing sensitive data, especially in light of the substantial increase in cyberattacks and/or data breaches in the healthcare and insurance industries preceding the date of this attack”. This included government reports about Hive targeting health care companies such as PHC as early as July 2021.
The Complaint further alleges PHC, to date, has failed to provide notice of this breach to consumers, or even acknowledge this massive data breach occurred. While its operations were brought to a standstill, PHC’s website for several weeks only had the following message: “We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation.”
The Complaint alleges violations of the Information Practices Act of 1977, the Confidentiality of Medical Information Act, Article I, Section 1 of the California Constitution (Invasion of Privacy), and California Business and Professions Code § 17200 et seq. (Unfair and Unlawful Business Practices), and seeks Declaratory Relief.
According to research published in the online journal Healthcare, health-related data “are more sensitive than other types of data because any data tampering can lead to faulty treatment, with fatal and irreversible losses to patients. Hence, healthcare data need enhanced security, and should be breach-proof.” (Seh AH, et al., Healthcare Data Breaches: Insights and Implications. Healthcare. 2020; 8(2):133.)
[1] Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021.
[2] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).
[3] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).