Lawsuits Filed Against Four Californian Medical Groups and Preferred Home Care Resolves Lawsuit

Four Californian Medical Groups Face Lawsuits for Data Breach Impacting 3.3 Million Individuals

Four Californian medical groups were named as defendants in a class action lawsuit alleging a failure to implement acceptable and proper cybersecurity procedures, which resulted in a cyberattack and data breach affecting the personal data and protected health information (PHI) of 3,300,638 current and former patients. The defendants in this class action lawsuit are Regal Medical Group Inc., Affiliated Doctors of Orange County Medical Group, Inc., Lakeside Medical Organization, A Medical Group Inc., and Greater Covina Medical Group, Inc. The lawsuit alleges that the cyberattack and data breach were foreseeable and, therefore, could have been averted.

The cyberattack occurred on December 1, 2022. Hackers acquired access to the IT systems of the medical groups and blocked access to selected servers on December 2, 2022. The medical groups detected the cyberattack on December 8, 2022. By that time, the hackers had already accessed a large volume of sensitive patient information, including full names, contact details, diagnoses, treatment details, prescription drugs, radiology reports, laboratory test results, medical insurance data, and Social Security numbers. Impacted persons received data breach notifications in February 2023 and got free credit monitoring services.

Besides the failure to stop the breach, the lawsuit claims there was no monitoring of IT systems; had there been, the attack should have been discovered and stopped immediately. The lawsuit furthermore claims the medical groups failed to issue prompt notifications, waiting roughly two months after discovering the breach before sending breach notification letters to affected individuals. The medical groups also failed to disclose crucial details about the breach, for example, the period during which the hackers had access to their information. The lawsuit states that the long delay in sending the notifications gave the cybercriminals ample time to profit from and misuse the information before the victims could take action to secure their identities.

It is typical for victims to file lawsuits after healthcare data breaches, and quite often lawsuits are filed before any misuse of the stolen information has occurred. In this instance, two plaintiffs assert there were attempts at data misuse after the data breach occurred. One plaintiff stated there were multiple fraudulent charges attempted on her credit card, and another stated there was an attempt to open a new credit card under her name and that she had received a fraud notification telling her about the breach of her Social Security number. The attempted fraudulent activity happened from December 2022 to February 2023, prior to receiving the breach notification from the defendants. The lawsuit claims the plaintiffs and class members now face a long-term threat of identity theft, medical identity theft, and fraud because of the cyberattack and data security breach.

The lawsuit claims breach of implied contract, negligence, negligence per se, unjust enrichment, intrusion upon seclusion, violations of the California Consumer Privacy Act, California Confidentiality of Medical Information Act, California Unfair Competition Law, and California Consumer Records Act, and violations of state data breach laws. The lawsuit seeks class-action status; compensatory, consequential, and general damages; statutory, exemplary, and punitive damages; legal fees; and a jury trial.

The plaintiffs of the lawsuit are Maria Hinestrosa, and Shannon Masser Downs, M.B. (a minor). The plaintiffs are represented by Nickolas J. Hagman and Daniel O. Herrera of Cafferty Clobes Meriwether & Sprengel LLP and Pavithra Rajesh and Jonathan M. Rotter of Glancy Prongay & Murray LLP.

Preferred Home Care Resolves Data Breach Lawsuit

AssistCare Home Health Services has agreed to settle a class action lawsuit filed on behalf of people impacted by a cyberattack and data breach in January 2021. AssistCare Home Health Services, dba Preferred Home Care of New York, informed over 92,000 individuals in March 2021 about the exposure of their protected health information (PHI) in a cyberattack. Unauthorized persons had access to its system from January 8 to January 10, 2021, and exfiltrated files containing patient information. The Sodinokibi ransomware group conducted the attack and published some of the stolen information on its data leak website. The exposed information included names, Social Security numbers, personal data, and medical data.

The Simmons v. AssistCare Home Health Services LLC class action lawsuit was filed in the New York Superior Court for Kings County on behalf of the 92,283 persons who received the data breach notification. The lawsuit claimed negligence for failing to implement reasonable cybersecurity procedures to safeguard against a known risk of ransomware attacks on the industry, and that because of that negligence, victims were put at an imminent and increased risk of identity theft and fraud.

AssistCare Home Health Services opted to resolve the lawsuit without admitting any wrongdoing and has agreed to pay claims from class members of up to $3,900 per claimant. The total amount of the settlement wasn’t revealed. Claims of up to $400 will be accepted as compensation for ordinary losses, including bank fees, credit-related expenses, communication charges, and up to 4 hours of lost time valued at $20 per hour. Claims of up to $3,500 per claimant will also be accepted for documented, extraordinary losses that have not yet been reimbursed, including losses to identity theft and fraud. Irrespective of whether a claim is filed, class members are eligible for one year of three-bureau credit monitoring services.

Class members have until April 24, 2023, to object to or exclude themselves from the settlement and to submit claims for compensation of losses. The fairness hearing is scheduled for June 27, 2023.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone