Sea Mar Community Health Centers is facing numerous class action complaints for alleged inadequate cyber security procedures that resulted in a data breach of more than 650,000 class members’ sensitive information. The complaints, which were filed in November 2021 in King County Superior Court, were removed to Washington’s Western District Court this week.
The Washington healthcare provider was hacked by the infamous Marketo gang sometime between December 2020 and March 2021, and had 3 terabytes of patient’s sensitive information stolen, including names, addresses, birth dates, Social Security numbers and protected health information, according to one complaint.
“Defendant SMCHC maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant’s computer network in a condition vulnerable to cyberattacks.
“Upon information and belief, the mechanism of the hacking and potential for improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to Defendant, and thus Defendant was on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition,” the complaint states.
Sea Mar Community Health Centers became aware of the data breach in June 2021 when the Marketo gang informed the company that it had successfully copied its files. However, it took the company four months to notify patients that their private information had been stolen.
The Marketo gang, which is notorious for hacking businesses and extorting them for ransoms, posted the stolen information from SMCH for sale to cybercriminals on its online marketplace. Class members are in danger of fraud and identity theft as a result of the data breach, and have incurred out-of-pocket expenses and lost valuable time in an attempt to mitigate the effects of the attack, according to litigation.
The referenced complaint claims violations of the Washington State Uniform Healthcare Information Act and the Washington State Consumer Protection Act, negligence, breach of express and implied contracts, and breach of confidence.
Class members are seeking compensatory damages, nominal damages, reimbursement of out-of-pocket costs, and injunctive relief, including improvements to SMCHC’s data security systems, future annual audits, and adequate credit monitoring services funded by the company.