Back in March, Partnership HealthPlan of California, a Medi-Cal managed service provider serving close to a million beneficiaries in Northern California, announced on its website that it had been hacked. 

A ransomware group called Hive claimed responsibility, boasting that it had stolen private data for 850,000 Partnership HealthPlan members, including names, social security numbers, dates of birth, addresses and more.

On Thursday, Eureka law firm Janssen Malloy filed a class action lawsuit in Humboldt County Superior Court on behalf of a Partnership HealthPlan member, alleging that the provider failed to adequately store and protect sensitive medical information of enrollees and failed to give proper notice of the data breach.

In a press release issued Friday, the firm invites Partnership patients who are concerned about the breach to reach out.

Here’s that release:

On May 5, 2022, a member of PARTNERSHIP HEALTHPLAN OF CALIFORNIA (“PHC”), a healthcare coverage provider based in Northern California, filed a class action lawsuit in Humboldt County Superior Court challenging PHC’s failure to adequately store and protect sensitive medical information of up to 850,000 enrollees and failing to give notice of the breach to all impacted enrollees.

When compared to the data reported by the U.S. Department of Health and Human Services Office of Civil Rights during the last 2 years, this would be the second largest health plan data breach in the United States during that time.

A copy of the Complaint can be found here.

According to the Complaint, on March 29, 2022, the Hive ransomware group posted a message declaring the group had been able to access the personal private information of up to 850,000 patients of PHC on or about March 19, 2022, and had encrypted PHC’s computer system.

This data included at least the names, addresses and Social Security Numbers of their patients. The Complaint also alleges that PHC’s negligence in safeguarding the medical information of Plaintiff and the Class members “was exacerbated by the repeated warnings and alerts directed to protecting and securing sensitive data, especially in light of the substantial increase in cyberattacks and/or data breaches in the healthcare and insurance industries preceding the date of this attack.” This included government reports about Hive targeting health care companies such as PHC as early as July 2021.

The Complaint further alleges PHC, to date, has failed to provide notice of this breach to consumers, or even acknowledge this massive data breach occurred. While its operations were brought to a standstill, PHC’s website for several weeks only had the following message: “We are working diligently with third-party forensic specialists to investigate this disruption, safely restore full functionality to affected systems, and determine whether any information may have been potentially accessible as a result of the situation.”

The Complaint alleges violations of the Information Practices Act of 1977 the Confidentiality of Medical Information Act, Article I, Section 1 of the California Constitution (Invasion of Privacy), California Business and Professions Code § 17200 et seq. (Unfair and Unlawful Business Practices), and Declaratory Relief.

According to research published in the online journal Healthcare, health-related data “are more sensitive than other types of data because any data tampering can lead to faulty treatment, with fatal and irreversible losses to patients. Hence, healthcare data need enhanced security, and should be breach-proof.” (Seh AH, et al., Healthcare Data Breaches: Insights and Implications. Healthcare. 2020; 8(2):133.)

If you are a patient of PARTNERSHIP HEALTHPLAN OF CALIFORNIA and are concerned about this breach of your personal data and what your options are, contact Janssen Malloy LLP by calling toll-free 888-JANSSEN (1-888-526-7736) or (707) 445-2071.