Class Action Lawsuit Filed Against Tandem Diabetes Care Over January 2020 Phishing Attack

Tandem Diabetes Care Inc., the San Diego medical device company, faces a class action lawsuit in California in connection with a January 2020 data breach that led to the exposure and likely theft of the protected health information (PHI) of around 140,000 people.

Unauthorized persons were able to access an employee’s email account between January 17 and January 20, 2020 as a result of a phishing attack. The data in the email account differed from patient to patient. The personal and confidential data included names, birth dates, insurance data, billing data, healthcare files, and Social Security numbers.

Tandem Diabetes Care reported the breach to the HHS’ Office for Civil Rights on March 17, 2020, specifying that 140,781 people were impacted. Concurrently, the company mailed notification letters to the impacted persons.

The case was filed in the U.S. District Court for the Southern District of California and alleges that Tandem Diabetes Care violated the Confidentiality of Medical Information Act (CMIA). The plaintiff and class members are seeking compensation for the negligent disclosure of their private and medical information, as well as injunctive relief.

CMIA requires healthcare service providers to employ security measures to protect the privacy of individually identifiable medical data and forbids the disclosure of that information without prior patient permission. Unlike HIPAA, CMIA has a private cause of action that enables patients to take legal action over the negligent disclosure of their private health information.

The plaintiff is referred to as C.H., and the putative class is separated into two subclasses: all California citizens who had their identities, private information, and medical details included in the email account, and all other persons whose details were disclosed.

The lawsuit alleges negligence for failing to secure individually identifiable health data. By making Defendant’s email account available to third parties, Defendant negligently made, retained, preserved, saved, and then compromised the individually identifiable medical data of the Plaintiff and the Class members.

The lawsuit alleges that Tandem Diabetes Care failed to maintain adequate technological safety measures, which specifically and proximately resulted in a foreseeable risk of patient information loss and damage, including identity theft and other economic losses.

The lawsuit states that patients have sustained damages because of the unauthorized exposure of their personal information and PHI, and seeks nominal damages of $1,000 for every class member, compensation for actual damages incurred, damages available under common law, and legal fees.

Joshua B. Swigart of the Swigart Law Group filed the lawsuit and is seeking class action status and a jury trial.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone