Over 880K Patients' PII Exposed in Cancer Center's Data Breach: Class Action
City of Hope National Medical Center had a responsibility to protect the personally identifiable information (PII) of some 820,000 patients but failed to do so during an Oct. 13 data breach, alleged a class action Tuesday (docket 2:24-cv-02890) in U.S. District Court for Central California in Riverside.
The names, Social Security numbers, dates of birth, drivers’ licenses, financial details, medical treatment and insurance information of the patients of the clinical research center, one of 56 National Cancer Institute-designated cancer centers in the U.S., were compromised in the breach, the complaint said.
City of Hope first publicly disclosed the breach Dec. 13, after notifying law enforcement, launching an investigation and engaging cybersecurity and forensic experts to assist, the complaint said. On March 25 it notified individuals whose PII was affected by the breach, and it sent out additional notice letters April 2, “nearly six months after the incident,” the complaint said. Some 827,149 people were affected, according to the Maine Attorney General’s office.
The information City of Hope allowed to be exposed in the data breach is the type it knew or should have known would be the target of cyberattacks and the type protected under statutory law, the complaint said. It cited the cancer center’s privacy statement saying it collects personal information including identifiers; employment, demographic, geographic and health information such as personal and family medical history and insurance details; billing details; religious affiliation; and “inferences regarding preferences or other characteristics.”
Despite the research center’s knowledge of the risks of cyberattacks, and the FTC’s guide to businesses outlining data security principles and practices, it “failed to disclose that their systems and security practices were inadequate to reasonably safeguard their patients' sensitive personal information,” the complaint said. The FTC directs businesses to use an intrusion detection system “to expose a breach as soon as it occurs, monitor activity for attempted hacks, and have an immediate response plan if a breach occurs,” it said. “Immediate notification” of a breach is “critical so that those impacted can take measures to protect themselves,” it said.
Brian Ridley, a Pasadena, California, resident, received a notice from City of Hope April 2 saying his PII was compromised in the breach, the complaint said. Since October, the plaintiff has had an uptick in spam calls and has had to “invest significant time monitoring his accounts to detect and reduce the consequences of likely identity fraud,” it said. Ridley and class members are subject to “substantial and imminent risk of future harm,” it said.
Ridley asserts claims of negligence, breach of implied contract, unjust enrichment and violation of California’s Unfair Competition Law and Consumer Privacy Act. He seeks an order declaring that City of Hope’s conduct violates the laws alleged, damages and statutory damages, prejudgment interest and an order of restitution.