
Sea Mar Community Health Centers Faces Lawsuit Over Data Breach

Sea Mar Community Health Centers in Seattle is now facing a lawsuit after a 2021 data breach that impacted 688,000 individuals.

Seattle-based Sea Mar Community Health Centers (SMCHC) is facing a class-action lawsuit over its handling of a 2021 data breach that impacted 688,000 individuals. The lawsuit alleged that SMCHC was negligent and violated Washington consumer protection laws.

SMCHC discovered the breach in June 2021 and later determined that threat actors had accessed and potentially copied data from the community health center’s digital environment between December 2020 and March 2021.

Patient names, addresses, Social Security numbers, birth dates, medical, vision, and dental treatment information, insurance information, and other protected health information (PHI) may have been involved in the incident.

HIPAA requires covered entities to notify data breach victims within 60 days of discovering the breach. However, the lawsuit said that SMCHC did not notify victims until October 2021, ten months after the cyberattack and four months after SMCHC discovered the breach.

“The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect patients’ and employees’ Private Information,” the filing stated.

The lawsuit also shed more light on the nature of the data breach, explaining that threat actors known as the “Marketo gang” stole three terabytes (TB) of sensitive data from SMCHC and posted it for sale on a marketplace on the dark web.

“As a result of the Data Breach, Plaintiff and more than 650,000 Class Members suffered injury and ascertainable losses in the form of the present and imminent threat of fraud and identity theft, loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack, and the loss of value of their personal information,” the lawsuit continued.

“In addition, Plaintiff’s and Class Members’ sensitive personal information—which was entrusted to Defendant—was compromised and unlawfully accessed due to the Data Breach.”

The lawsuit alleged that SMCHC maintained patient data in a “reckless manner” by storing it on a computer network “in a condition vulnerable to cyberattacks.”

Plaintiffs argued that if SMCHC had better safeguards in place, including data encryption, the threat actors would not have had undetected access to the community health center’s systems for four months.

“There is a strong probability that entire batches of stolen information have been dumped on the black market and are yet to be dumped on the black market, meaning Plaintiff and Class Members are at an increased risk of fraud and identity theft for many years into the future,” the lawsuit explained.

In June 2021, the Supreme Court ruled that data breach victims must demonstrate actual injury and prove that the defendant’s conduct caused the damage. Plaintiffs must now prove that they suffered a concrete injury to claim Article III standing.

The Ramirez v. TransUnion ruling has already impacted multiple healthcare data breach lawsuits. A judge recently moved to dismiss a data breach lawsuit against medical management company Practicefirst, citing insufficient evidence of actual harm.

The SMCHC lawsuit alleged that plaintiffs suffered actual harm by means of fraudulent loans, insurance claims, and tax returns. In addition, the lawsuit said that plaintiffs spent extensive time on the phone with financial institutions to dispute charges, and many purchased credit monitoring and identity theft prevention services.
