An American respiratory care provider is facing multiple lawsuits over a data breach that allegedly exposed the personal information of more than 300,000 current and former patients.
SuperCare Health, headquartered in Downey, California, began notifying patients of a data security incident in late March. According to a notice on the healthcare provider’s website, SuperCare Health discovered unauthorized activity on its systems on July 27 2021.
An investigation into the activity revealed that an unknown party had access to certain systems on the healthcare provider’s network from July 23 2021 to July 27 2021. On February 4 2022, SuperCare Health “determined that the potentially impacted files contained some information relating to certain patients.”
Data that may have been exposed in the security incident varied depending on the individual, but may have included name, address, date of birth, hospital or medical group, patient account number, medical record number, health insurance information, testing/diagnostic/treatment information, other health-related information and claim information.
“For a small subset of individuals, their Social Security number and/or driver’s license number may have been contained in the impacted files,” stated SuperCare Health.
The incident was reported to the United States Department of Health and Human Services’ Office for Civil Rights Breach Portal, as impacting 318,379 people.
Complaints were subsequently filed against SuperCare Health in the United States District Court for the Central District of California.
One complaint filed by Vickey Angulo claims that the healthcare provider violated the California Confidentiality of Medical Information Act and California’s Unfair Competition Law and failed to take adequate and reasonable measures to protect its data systems against cyber-attacks.
Another complaint filed by Hamid Shalviri accuses SuperCare Health of negligence and alleges that the company has not done enough to support individuals whose data may have been exposed in the breach.
“To date, Defendant has offered affected individuals only one to two years of identity theft protection services through a single provider, IDX,” read Shalviri’s complaint.
It continued: “The offered service is inadequate to protect Plaintiff and Class Members from the threats they face for years to come, particularly in light of the PII and PHI at issue here.”