On May 5, 2022, a member of PARTNERSHIP HEALTHPLAN OF CALIFORNIA (“PHC”), a healthcare coverage provider based in Northern California, filed a class action lawsuit in Humboldt County Superior Court challenging PHC’s failure to adequately store and protect sensitive medical information of up to 850,000 enrollees and failing to give notice of the breach to all impacted enrollees. When compared to the data reported by the U.S. Department of Health and Human Services Office of Civil Rights during the last 2 years, this would be the second largest health plan data breach in the United States during that time.  

A copy of the Complaint can be found here.

According to the Complaint, on March 29, 2022, the Hive ransomware group posted a message declaring the group had been able to access the personal private information of up to 850,000 patients of PHC on or about March 19, 2022, and had encrypted PHC’s computer systemThis data included at least the names, addresses and Social Security Numbers of their patients. The Complaint also alleges that PHC’s negligence in safeguarding the medical information of Plaintiff and the Class members “was exacerbated by the repeated warnings and alerts directed to protecting and securing sensitive data, especially in light of the substantial increase in cyberattacks and/or data breaches in the healthcare and insurance industries preceding the date of this attack”. This included government reports about Hive targeting health care companies such as PHC as early as July 2021.

The Complaint further alleges PHC, to date, has failed to provide notice of this breach to consumers, or even acknowledge this massive data breach occurred.  While its operations were brought to a standstill, PHC’s website for several weeks only had the following message: “We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation.” 

The Complaint alleges violations of the Information Practices Act of 1977 the Confidentiality of Medical Information Act, Article I, Section 1 of the California Constitution (Invasion of Privacy), California Business and Professions Code § 17200 et seq. (Unfair and Unlawful Business Practices), and Declaratory Relief.

According to research published in the online journal Healthcare, health-related data “are more sensitive than other types of data because any data tampering can lead to faulty treatment, with fatal and irreversible losses to patients. Hence, healthcare data need enhanced security, and should be breach-proof.” (Seh AH, et al., Healthcare Data Breaches: Insights and Implications. Healthcare. 2020; 8(2):133.)

If you are a patient of PARTNERSHIP HEALTHPLAN OF CALIFORNIA and are concerned about this breach of your personal data and what your options are, contact Janssen Malloy LLP by calling toll-free 888-JANSSEN (1-888-526-7736) or (707) 445-2071.