Failure to Implement Industry Security Standards Lead To The Breach
According to the complaint, Regal’s failure to follow a set of industry standard security rules to protect patient data lead to the breach.
The Health Insurance Portability and Accountability Act (“HIPAA”) requires that health care data be encrypted. The information exposed in the breach was not encrypted.
HIPAA requires medical service providers to provide each patient with a HIPAA compliant notice titled “NOTICE OF PRIVACY PRACTICES” that explains how it handles its patients’ sensitive and confidential information. The notice on Regal Medical’s website states:
RMG has adopted and adheres to stringent security standards designed to protect non-public personal information at regalmed.com against accidental or unauthorized access or disclosure. Among the safeguards that RMG has developed for this site are administrative, physical and technical barriers that together form a protective firewall around the information stored at this site. We periodically subject our site to simulated intrusion tests and have developed comprehensive disaster recovery plans.
The remaining Defendants have similar language designed to provide assurances to its patients that their data is safe.
To this date, Defendants in this action has not divulged details about the root cause of the breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again.
Offer Of A Single Years Identity Theft Protection Falls Short Of Duration Of Risk
According to the complaint, there is substantial lag time – measured in years – between when harm occurs and when it is discovered, and also between when Private Information and/or financial information is stolen and when it is used.
There is a strong probability that some of the information stolen during the breach has already been dumped on the black market. Equally probable is that some information may yet to be dumped on the black market. This means that class members are at risk of identity theft now and for many years in the future.
Defendants offer of a single year of identity theft protection pales against the duration that the threat to patients’ identities exist. Among the host of security demands sought by this lawsuit is the requirement to pay a lifetime of credit monitoring services for affected individuals..
A class action complaint was recently filed against Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical (collectively, “Regal”) alleging that it negligently failed to protect the personal health and identifying information of 3.3 million people.