SuperCare Health Faces Lawsuit for Having “Incompetent Security Measures” to Stop Data Breach

Plaintiff filed a lawsuit against SuperCare Health in the US Central District of California and alleged the firm has “Incompetent Security Measures” to Stop Data Breach.

California-based SuperCare Health is facing a lawsuit in the wake of the July 2021 data breach. SuperCare has recently revealed that around 318,379 data records were compromised making it one of the biggest medicare data breaches reported in 2022.

According to SuperCare Health, cybercriminals accessed the organisation’s database with authorization between July 23 and July 27. The bad actors gained access to the personally identifiable information (PII) including names, health insurance information, address, medical record numbers, date of birth, patient account numbers, insurance claim information, patient treatment information and medicare group information.

However, in a lawsuit filed in the US Central District of California, plaintiff Vickey Angulo alleged the health organisation for failure to prevent the data breach along and implement effective cybersecurity protection measures, “despite the fact that data breach attacks against medical systems and healthcare providers are at an all-time high.” 

“Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to Defendant, through frequent news reports and FBI warnings to the healthcare industry, and thus it was on notice that failing to take steps necessary to secure the Private Information from those risks left the property in a dangerous and vulnerable condition,” the filing stated.

However, with the access to the patient information, the lawsuit also included that the cybercriminals can also open new financial accounts through synthetic identities, use class members’ information to obtain government benefits, and get fake diver licenses in the victim’s names.

The plaintiff also argued that SuperCare’s breach notice provided “scant detail about the nature, severity or duration of the attack.”

SuperCare described the incident as “unauthorized activity” and said that an unknown party gained access to certain systems on its network “failed to adequately adapt and train its employees on even the most basic of information security protocols.”

Moreover, the plaintiff also noted that the health firm notifies victims of the data breach in March, months after it occurred. SuperCare’s notice explained that its investigation concluded on February 4, 2022. Additionally, the firm was also alleged to violate HIPAA and Federal Trade Commission (FTC) guidelines and failed to comply with the NIST security requirements.

Suggested Read: SA’s Healthcare Organizations Become the Latest Prey for Cybercriminals