On March 25, 2022, SuperCare Health (“SuperCare”) reported a security incident that potentially affected patient personal information. From July 23 to July 27, 2021, an unknown party had access to certain systems on the SuperCare network. The company investigated, and determined on February 4, 2022 that some consumer information was potentially impacted.
Almost 2 months later, on March 25, 2022, the company’s Data Breach Notice was reported on the California Attorney General’s Office Data Security Breach website page. Over 318,000 individuals were affected.
SuperCare Health Data Breach
Medical Information Potentially Accessed
The personal information that may have been acquired includes:
- Full Name
And one or more of the following:
- Date of Birth
- Medical Group
- Patient Account Number
- Medical Record Number
- Health Insurance Information
- Testing/Diagnostic/Treatment information
- Other health related information
- Claim information
And, for a subset of individuals:
- Social Security number
- Driver’s license number
SuperCare is offering one year of complimentary identity protection services through IDX. Note that, according to the Notice, the deadline to enroll is June 25, 2022.
The full text of the SuperCare Notice of Data Breach can be found here.
Special California Laws Protect You
If you are a California resident and received a recent Notice of Data Breach from SuperCare, you may be entitled to between $100 and $1,000 or your actual damages, whichever is greater. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from recurring.
California has laws that specifically protect your personal information.
- The California Customer Records Act requires businesses to put into place and maintain reasonable security procedures and practices to protect consumers’ personal information.
- The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents.
- The California Confidentiality of Medical Information Act (CMIA) requires that every health care provider and health care service plan who maintains medical information do so in a manner that preserves its confidentiality.
If certain types of personal information, like Social Security numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA. Medical information is additionally covered by the CMIA.
As Electronic Personal Data Doesn’t Degrade, One Year Of Identity Theft Services Offered by SuperCare May Not Be Enough
Identity theft is on the upswing. In 2018, approximately 23 million people in the United States reported that they had been victims of identity theft within the previous year. By 2021, there were over 50 million personal records compromised nationwide, with the T-Mobile data breach alone affecting 6 million consumers. Even Equifax and Experian, which are in the business of offering credit monitoring services, have experienced massive data breaches, affecting over 150 million people.
Cyber crimes present an attractive target for hackers: data can be bought and sold anonymously, and the going rate per personal record is low (under $20 per record, depending on the type of information, according to the Privacy Affairs Dark Web Index of 2021). Medical records and health insurance information are even more valuable, as they potentially provide access to expensive health care along with other forms of identity theft. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.
Law enforcement is often unable to break the sophisticated encryption hiding these unlawful activities. The FBI’s Internet Crime Complaint Center received almost 800,000 complaints in 2020. This leaves identity theft victims to repair their misused credit scores, health insurance, and Social Security numbers.
Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking and phishing, and adds to anxiety over future losses and identity theft.
It bears remembering that “dark web” monitoring can sometimes tell you if your information is being offered for sale to cyber thieves but cannot actually prevent the sale of that information.
You Have Important Legal Rights Under California’s CCPA
When businesses decide to collect and keep personal data about California customers or visitors to their websites, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals.
The CCPA is the most comprehensive state privacy law in the country. It also provides consumers other important rights. These include:
- The right to see a copy of the personal data a business has collected about you, free of charge.
- The right to find out why a business has collected your personal information, what it has shared (by category), who it was collected from (by source type), and who it has shared your data with (by category).
- The right to have your personal information deleted from any business that collected it directly from you.
- The right to find out if your data is being sold.
- The right to opt out of the sale of your data without being discriminated against.
 Source: E. Harrell, Victims of Identity Theft, 2018. US Department of Justice, Office of Justice Programs, Bureau of Justice Statistics, 2021.