Prospect Medical Holdings Faces Lawsuit Over Rhysida Ransomware Attack

Prospect Medical Holdings is facing a lawsuit over a 2023 Rhysida ransomware attack. The lawsuit survived a motion to dismiss, although a few of the claims were dismissed. At the beginning of August 2023, Prospect Medical Holdings discovered unauthorized access to its network. The investigation revealed that an unauthorized third party had accessed the network for about four days before the attack was discovered. The compromised systems contained sensitive information such as names, birth dates, driver’s license numbers, Social Security numbers, financial data, diagnoses, laboratory test data, treatment details, medical record numbers, medical insurance details, and claims data.

The Rhysida ransomware group claimed responsibility for the attack, saying it had stolen a database containing over 1 TB of personally identifiable information (PII) and protected health information (PHI) of customers, which included over five hundred thousand Social Security numbers. Rhysida is known for selling or publishing stolen information on its leak site when ransoms aren’t paid. In this case, the group claimed to have sold about 50% of the information, while the other half was exposed on its site.

Prospect Medical Holdings provided free credit monitoring and identity theft protection services to those impacted by the breach and implemented new management and technical safety measures. The breach report submitted to the HHS’ Office for Civil Rights indicated that 1,309,096 people were affected. As a result, some lawsuits were filed, including an amended lawsuit representing a nationwide class of impacted persons. The plaintiffs claim different levels of harm, with six reporting proof of attempted fraudulent transactions using their personal data.

The lawsuit includes allegations of breach of implied contract, negligence, negligence per se, and violations of the Federal Trade Commission Act, the California Unfair Competition Act, the California Confidentiality of Medical Information Act (CMIA), and the California Constitution. The plaintiffs seek injunctive relief and damages. Prospect Medical Holdings filed a motion to dismiss the amended lawsuit, arguing that no plaintiff had standing and that none had plausibly alleged entitlement to relief under the common-law or statutory claims stated in the complaint.

District Court Judge Wendy Beetlestone denied the motion to dismiss the lawsuit for lack of standing, finding that all the named plaintiffs had plausibly claimed tangible and impending injuries. Nevertheless, the judge granted the motion to dismiss a few claims for which the plaintiffs had not plausibly alleged entitlement to relief, although others were permitted to continue. The motion to dismiss the negligence claim was denied because the plaintiffs had alleged cognizable tort damages and adequate causation. The motion to dismiss the negligence per se claim and the FTC Act violation claim was granted. Yet the judge allowed the plaintiffs to use these theories to support their negligence claim, enabling them to rely on the alleged FTC Act violation.

The breach of implied contract claim was dismissed without prejudice since the plaintiffs did not plausibly allege that an implied contract existed with Prospect Medical Holdings. The California Constitution and the common law privacy violation claims were dismissed with prejudice since the complaint didn’t allege deliberate conduct by Prospect Medical Holdings. The California Unfair Competition Law claim was dismissed without prejudice, and the plaintiffs were given the chance to plead the inadequacy of a legal remedy. The motion to dismiss the CMIA violation claim was denied since the Rhysida gang’s statement that patient files were being sold on the dark web made it possible to infer that those files included medical histories, which are covered by HIPAA laws.