A patient filed a class-action lawsuit against Solara Medical Supplies, after the vendor recently disclosed a months-long data breach that impacted about 114,000 patients. The California-based vendor is a supplier of medical devices and disposable medical products.
At the end of November, Solara began notifying patients that their data was potentially compromised after several employee email accounts were breached for several months between April 2 and June 20. A review of the compromised accounts found a hacker could have potentially accessed a trove of sensitive information, ranging from contact names and dates of birth, to Social Security numbers and other personally identifiable information.
Filed in the US District Court of the Southern District of California, the lawsuit argues that Solara’s failure to protect patients’ personal and medical information allowed hackers “to steal everything they could possibly need to commit nearly every conceivable form of identity theft.”
The breach victims also claim Solara failed to implement reasonable security measures that would ensure the vendor’s systems were protected. The vendor is also accused of failing to take adequate steps to prevent the breach and timely detect the security incident.
What’s more, the lawsuit argues that Solara did not “disclose the material facts that they did not have adequate computer systems and security practices to safeguard the personal and medical Information.” Solara is also accused of failing to notify patients in a timely manner, as the breach was first detected on June 28, but Solara did not begin notifying patients until November.
Under HIPAA, covered entities must report breaches impacting more than 500 patients within 60 days of discovering the breach – not at the close of an investigation. The breach victims argue that “during this time, the cybercriminals had free reign to defraud their unsuspecting victims.”
“Solara apparently chose to complete its internal investigation and develop its excuses and speaking points before giving class members the information they needed to protect themselves against fraud and identity theft,” according to the lawsuit.
“Many are now paying monthly or annual fees for identity theft and credit monitoring services,” it continued. “Now that their personal and medical Information has been released into the criminal cyber domains, breach victims must spend their time being extra vigilant due to [Solara]’s failures, to try to prevent being victimized for the rest of their lives.”
The breach victims claim there have already been fraudulent charges on various financial accounts, and victims have spent many hours filing police reports and monitoring credit reports and financial accounts to combat identity theft.
It’s important to note that Solara’s breach notice to patients did include a year of free credit monitoring and identity theft protection services. But a recent study published in the Annals of Internal Medicine showed 70 percent of data involved in healthcare breaches increases patients’ risk of fraud.
The breach victims are seeking actual damages, statutory damages, and punitive damages, as well as attorney fees, costs, and expenses under the California Consumer Privacy Act, other state and medical privacy laws, negligence, and other regulations.
The lawsuit also asks for injunctive relief, which would include requiring Solara to improve its data security systems, annual auditing, and funding for long-term credit monitoring services.
Solara joins a growing list of companies facing lawsuits after major data breaches, including the University of Missouri Health Care and American Medical Collection Agency. Premera and Washington State University have both settled data breach lawsuits for millions, while a lawsuit against Allscripts over its 2018 ransomware attack was dismissed in June.