‣ Company hit by ransomware attack
‣ Over 154,000 people affected
On June 10, 2022, PracticeMax, an Arizona-based company that provides billing, business management and registration services to hospitals, physician offices, and other health care entities, reported a data breach to the California Attorney General’s Office affecting over 154,000 people nationwide.
The personal information that may have been accessed and taken includes:
- Full Names
- Social Security numbers
- Dates of Birth
- Treatment and/or diagnosis information
- Health insurance information
- Financial information
- Patient account number
- Employee and employer identification numbers
- Passport number
- Driver’s license/state identification number
- Prescription information
- Provider or employee username and password or PIN (in limited cases)
The full text of the PracticeMax Notice of Data Breach can be found here.
PracticeMax’s public statement disclosed that from April 17, 2021 to May 5, 2021, the company’s network was subject to unauthorized access, some email accounts were also accessed, and certain files may have been removed.
On May 1, 2021, PracticeMax began investigating issues on its network and discovered the ransomware on certain of its systems. After investigation, it began notifying affecting individuals. People being notified in this latest group of notifications are being notified over one year after the ransomware attack and data breach took place.
Special California Laws Protect You From Data Breach Harms
If you are a California resident and received a Notice of Data Breach from PracticeMax you may be entitled to between $100 and $1,000 plus actual damages resulting from the negligent release of your confidential information.
California has unique state laws, including the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA) that compensate individuals whose confidential and sensitive data have been accessed in ransomware events.
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again) and anything else a court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.
Corporations Should Be Held Accountable For Data Breaches
When businesses decide to collect and keep personal data about California individuals, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals. This personal data is incredibly valuable to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”The stakes are high: Data breach victims are more likely to also be victims of additional fraud.
Cybercrimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is under $20 per record depending on the type of information, according to Privacy Affairs Dark Web Index of 2021.
Certain critical types of personal information – like Social Security numbers, names, and birth dates – are impossible, or almost impossible, to change. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. “The effects of a health data breach on consumers outlast the initial breach.”
Once you know your data has been disclosed, it is reasonable to take action to avoid concerns that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.
 Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).
 Source: R. Bonta, California Attorney General, BULLETIN: Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and Requirements Regarding Health Data Breach Reporting (2021).