Regal Medical Group Ransomware Attack Nets Cyber Criminals Over 3 Million Medical Records

A class action complaint was recently filed against Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical (collectively, “Regal”) alleging that they negligently failed to protect the personal health and identifying information of 3.3 million people.

According to the complaint, the Southern California-based medical groups failed to adequately protect the sensitive information of patients and employees, and failed to provide them with adequate notice after the incident.

According to a statement from Regal, it first became aware of the breach on December 8th, 2022, and later determined that the breach occurred on or about December 1st, 2022, after it noticed difficulty in accessing some of its servers on or about December 2nd.

Regal began notifying patients of the data breach on February 1, 2023. Information stolen in the breach included:

  1. names,
  2. Social Security numbers,
  3. dates of birth,
  4. addresses,
  5. diagnoses and treatment information,
  6. laboratory test results,
  7. prescription data,
  8. radiology reports,
  9. health plan member numbers, and
  10. phone numbers.

Failure to Implement Industry Security Standards Led To The Breach

According to the complaint, Regal’s failure to follow a set of industry-standard security rules to protect patient data led to the breach.

The Health Insurance Portability and Accountability Act (“HIPAA”) requires that health care data be encrypted. The information exposed in the breach was not encrypted.

HIPAA requires medical service providers to provide each patient with a HIPAA-compliant notice titled “NOTICE OF PRIVACY PRACTICES” that explains how the provider handles its patients’ sensitive and confidential information. The notice on Regal Medical’s website states:

RMG has adopted and adheres to stringent security standards designed to protect non-public personal information against accidental or unauthorized access or disclosure. Among the safeguards that RMG has developed for this site are administrative, physical and technical barriers that together form a protective firewall around the information stored at this site. We periodically subject our site to simulated intrusion tests and have developed comprehensive disaster recovery plans.

The remaining Defendants have similar language designed to provide assurances to their patients that their data is safe.

To this date, the Defendants in this action have not divulged details about the root cause of the breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again.

Offer Of A Single Year's Identity Theft Protection Falls Short Of Duration Of Risk

According to the complaint, there is substantial lag time – measured in years – between when harm occurs and when it is discovered, and also between when Private Information and/or financial information is stolen and when it is used.

There is a strong probability that some of the information stolen during the breach has already been dumped on the black market. Equally probable is that some information may yet be dumped on the black market. This means that class members are at risk of identity theft now and for many years in the future.

Defendants’ offer of a single year of identity theft protection pales against the length of time for which the threat to patients’ identities exists. Among the host of security demands sought by this lawsuit is the requirement to pay for a lifetime of credit monitoring services for affected individuals.

