The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

City of Oakland Facing Multiple Class Action Lawsuits Over February Ransomware Attack

Multiple class action lawsuits have been filed against the city of Oakland in California over a ransomware attack and data breach that involved the theft of the personal and protected health information of 13,000 current and former employees. The ransomware attack was detected on February 8, 2023, and forced the city to shut down its systems to contain the attack, resulting in a state of emergency being declared in the city. Systems remained offline for weeks due to the attack, with the recovery process taking months.

The Play ransomware group took credit for the attack and started leaking some of the stolen data to pressure the city into paying the ransom. Initially, 10 gigabytes of stolen data was released on the group’s dark web data leak site, followed by a massive data dump of 600 gigabytes when the city continued to refuse to pay the ransom. The leaked data included the personal information of individuals employed by the city between July 2010 and January 2022. The ransomware attack is understood to have started with phishing emails.

The class action lawsuits, filed on behalf of victims of the data breach, allege that the city failed to implement appropriate security measures to keep employees’ private information confidential. Several victims of the breach claim they have had their identities stolen and have experienced credit card fraud. The city has offered complimentary credit monitoring services to affected employees and has started to improve security, including implementing a training program for the workforce to improve resilience to phishing attempts.

One lawsuit, filed by the Oakland police officers’ union, alleges the city failed to provide important information about the extent of the incident and the types of data stolen in the attack. It seeks monetary compensation, extended credit monitoring, and identity theft protection and restoration services. Another lawsuit names Hada Gonzalez, a police services technician, as lead plaintiff, who alleges the city was negligent for failing to protect against the attack. The lawsuit alleges data breach notification failures and violations of the HIPAA Security Rule. As a result of the negligence, the plaintiffs and class members claim they have suffered ongoing, imminent, and impending threats of fraud, identity theft, and abuse of their data, resulting in monetary losses and economic harm. The lawsuit seeks an award of damages and injunctive relief, including the requirement for the city to maintain a comprehensive information security program, encrypt sensitive data, undergo third-party security audits, establish an information security training program, and implement other security measures.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
