Plaintiff David J. Rubin, on behalf of himself and all other similarly situated, has filed suit against Scripps Health over allegations that the company failed to adequately protect the protect the “personable identifiable health and financial information,” or PII, of both Rubin and the class members. The suit, which was filed Wednesday in the Southern District of California, was prompted by a ransomware attack on Scripps that led to the compromising of the PII.
The PII that was compromised in the attack, which took place on April 21,, included names, addresses, insurance information, medical records, social security numbers, and more, the complaint said. The ransomware attack occurred despite reassurance from Scripps that they take “great care to ensure health information is kept private and secure,” as is mandated by both state and federal law. The plaintiff contended that Scripps failed in three separate respects – they failed to inform Rubin and class members of their inadequate security practices, they failed to implement better protection, and they failed to detect the attack and notify the affected individuals in a timely manner.
Scripps allegedly became aware of the attack as early as May 1, but failed to disclose their knowledge of the attack to the impacted individuals until May 10, the complaint said. On that day, they allegedly only provided partial information to the plaintiff and class members. A statement issued on June 1 still did not disclose the full impact of the breach. Scripps’ systems were down for a month following the attack, rendering patients “unable to access their medical information, schedule appointments or contact their physicians through Defendant’s systems.”
Rubin explained that the compromising of his PII has exposed both him and class members to potential identity theft, fraud, and ransom demands. He states that these new risks have required his constant surveillance so that he can properly “prevent and detect misuse of his PII.” He believes that the breach had the intended purpose of obtaining PII for its ultimate misuse, such as “exploitation on the dark web or use as ransom for money.”
The complaint cites breach of contract and confidence, negligence, invasion of privacy, and violations of both the California Unfair Competition Law and the California Confidentiality of Medical Information Act. The plaintiff contended that Scripps breached its duty and agreement to protect the sensitive and intimate information. In order to hold Scripps accountable for its perceived misconduct, Rubin is seeking class certification, a trial by jury, favorable judgement on the aforementioned issues, damages and restitution, litigation costs, declaratory and injunctive relief, and any other relief deemed proper by the Court.
The plaintiff is represented by the Katriel Law Firm.
