The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Multiple Lawsuits Filed Against Regal Medical Group Over 3.3 Million-Record Ransomware Attack

Several class action lawsuits have been filed against Regal Medical Group and affiliated healthcare providers following the February 1, 2023, announcement of a HIPAA breach in which the protected health information (PHI) of up to 3,300,638 individuals had potentially been stolen in a December 2022 ransomware attack.

The attack affected Regal Medical Group, the Heritage Provider Network, and several affiliated healthcare providers, including Lakeside Medical Organization, A Medical Group, Inc., ADOC Acquisition Co., Greater Covina Medical Group Inc., and Affiliated Doctors of Orange County. The attack was detected on December 2, when employees started experiencing difficulty accessing data.

The forensic investigation revealed that the attack started on or before December 1, with sensitive data exfiltrated from the servers on December 1. The stolen files included PHI such as names, phone numbers, addresses, dates of birth, diagnosis and treatment information, laboratory test results, prescription data, radiology reports, health plan member numbers, and Social Security numbers. Affected individuals were offered a 12-month membership to a credit monitoring service.

It is now common for multiple lawsuits to be filed after healthcare data breaches, so it is no surprise that so many lawsuits have been filed after an attack of this magnitude. One of the biggest concerns raised in the lawsuits was how the attackers were able to gain access to so much data, much of which was highly sensitive and could be misused in many different ways. The lawsuits were filed in the California superior state court and federal court, and each makes similar claims against Regal Medical Group and the Heritage Provider Network, including negligence, negligence per se, breach of implied contract, unjust enrichment, and unfair business practices. The lawsuits allege violations of the California Consumer Privacy Act of 2018, the California Confidentiality of Medical Information Act, Unfair Competition Law, the FTC Act, and the Health Insurance Portability and Accountability Act.


The lawsuits also take issue with the time taken to issue notifications about the breach, which started to be issued on February 1, 2023, when the data breach occurred on December 1, 2022. While the notifications were issued within the time frame allowed by the HIPAA Breach Notification Rule, that Rule also states that notifications should be issued without undue delay. One of the lawsuits also takes issue with the information provided in the notifications, which failed to give full details on the nature of the breach, such as how long the attackers had access to the stolen data.

One of the lawsuits, Timothy Head vs. Regal Medical Group Inc, Heritage Provider Network Inc. (Cole & Van Note), claims the defendants “intentionally, willfully, recklessly, or negligently failed to take and implement adequate and reasonable measures to ensure that representative plaintiff(s)’ and class members’ PHI/PII was safeguarded,” and also claims the defendants were negligent for failing to encrypt data.

Sam Abedi and Farnaz Doroodian v. Heritage Provider Network, Inc. and Regal Medical Group, Inc. (Zimmerman Reed LLP/The Johnson Firm) and David Rodriguez v. Regal Medical Group (Wucetich & Korovilas LLP) make similar claims, including that the defendants were well aware of the high prevalence of data breaches and had the resources available to protect data, but failed to invest sufficiently in data security, the remediation of vulnerabilities, staff training, and the testing of security controls.

Lynn Austin vs. Regal Medical Group, Inc. (Parker & Minnie, LLP & Mason LLP) claims the plaintiffs have suffered actual and concrete injury, including out-of-pocket expenses, loss of valuable rights and protections, heightened stress, fear, anxiety, and risk of future invasions of privacy, and mental and emotional distress.

The lawsuits seek class action certification, a jury trial, actual and punitive damages, and injunctive relief, including an order from the courts to prohibit the defendants from engaging in unlawful acts and deceptive business practices and to ensure that a comprehensive information security program is implemented to protect against future data breaches.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
