On February 6, 2023, Sharp HealthCare, one of the largest healthcare providers in San Diego, announced that it began sending out letters on February 3, 2023, advising nearly 63,000 Sharp HealthCare patients of a possible data breach by a third-party hacker.
The personal data exposed in the Sharp HealthCare hack included:
- patients’ names
- internal Sharp identification numbers
- invoice numbers
- payment amounts
- names of Sharp entities receiving payment
Such private information could reveal sensitive and personal material leading to privacy and security breaches.
Sharp HealthCare claims that the hacker stole no patient banking information or Social Security numbers but was not clear about the extent of personal information that is at issue.
According to Sharp HealthCare, on or about January 12, 2023, a hacker took over the system’s healthcare server and then stole files from the Sharp HealthCare system. Sharp admitted this hacker was able to breach data by accessing a file within Sharp HealthCare’s servers.
If you paid a bill or invoice using Sharp HealthCare’s online bill payment service between August 12, 2012, and January 12, 2023, your personal information may have been hacked, and you may have been the victim of a data breach.
California Data Breach and Privacy Laws Protect You
California’s privacy laws specifically protect your personal and healthcare information.
- The California Customer Records Act requires businesses to implement and maintain reasonable security procedures and practices to protect consumers’ personal information.
- The California Consumer Privacy Act (CCPA) has many protections for the personal information of California residents.
- The Confidential Medical Information Act (CMIA) protects confidential health-related information, depending on the materials accessed.
At this time, it is unclear whether the disclosure of information in the Sharp HealthCare data breach violated the CMIA. The CMIA requires a health care provider, health care service plan, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a way that preserves the confidentiality of the information within those records.
The CMIA defines “medical information” to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or has any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or other information that reveals the individual’s identity.
Sharp HealthCare has not clarified whether any of the information on the invoice records or internal billing reflected information regarding a patient’s medical history, mental or physical condition, or treatment. However, since invoice billing information can and often does refer to the treatment or service being billed for, it is possible such information was hacked and subject to this data breach. Further investigation will reveal the extent of this information.
You may be entitled to between $100 and $1,000 or your actual damages, whichever is greater, depending on which of these laws was violated.
Participants in class action data breach lawsuits can recover damages, injunctive relief (to ensure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else necessary to compensate data breach victims and prevent these harms from occurring again.
Sharp HealthCare Data Breach Victims Have Important Legal Rights
The CCPA also provides consumers with other important rights. These include:
- The right to see a copy of the personal data a business has collected about you for free.
- The right to discover why a business has collected your personal information, what it has shared (by category), who it was collected from (by source type), and who it has shared your data with (by category).
Even when your data has been part of a breach, despite the above California laws, you may not be awarded compensation without legal assistance. Experienced data breach and class action attorneys can help you exercise your rights, evaluate your options and decide whether you are entitled to compensation.