CIRCUIT COURT FOR BALTIMORE COUNTY,
MARYLAND
401 Bosley Avenue, P.O. Box 6754
Towson, MD 21285-6754
To: MARYLAND HEALTH ENTERPRISES, INC., D/B/A LORIEN HEALTH SERVICES
1205 YORK ROAD LUTHERVILLE, MD 21093
Main: 410-887-2601
Fax: 410-887-3062
Case Number: C-03-CV-20-002899 Other Reference Number(s):
PAMELA KLEMM, ET AL. VS. MARYLAND HEALTH ENTERPRISES, INC., D/B/A LORIEN HEALTH
SERVICES Issue Date: 8/17/2020
WRIT OF SUMMONS
You are hereby summoned to file a written response by pleading or motion, within 30 days after service of this summons upon you, in this Court, to the attached complaint filed by:
PAMELA KLEMM; CATHERINE ROMANS No Known Address; No Known Address
This summons is effective for service only if served within 60 days after the date it is issued.
Julie L. Ensor Clerk of the Circuit Court
To the person summoned: Failure to file a response within the time allowed may result in a judgment by default or the granting of the relief sought against you. Personal attendance in court on the day named is NOT required.
Instructions for Service:
1. This summons is effective for service only if served within 60 days after the date issued.
2. Proof of Service shall set out the name of the person served, date and the particular place and manner of service. If service is not made, please state the reasons.
3. Return of served or unserved process shall be made promptly and in accordance with Maryland Rule 2-126.
4. If this notice is served by private process, process server shall file a separate affidavit as required by Maryland Rule 2-126(a).
CC-CV-032 (Rev. 06/2019) Page 1 of 2 08/17/2020 1:53 PM
Pamela Klemm, et al. vs. MARYLAND HEALTH ENTERPRISES, INC., d/b/a LORIEN HEALTH SERVICES Case Number:
SHERIFF'S RETURN Circuit Court for Baltimore County
Sheriff fee: $
Served:
Date:
Time:
By:
With the following:
❑ Summons
❑ Complaint
❑ Motions
❑ Petition and Show Cause Order
❑ Counter Complaint
❑ Domestic Case Information Report
❑ Financial Statement
❑ Other (Please specify)
Was unable to serve because:
❑ Moved, left no forwarding address
❑ Address not in jurisdiction
❑ No such address
❑ Other (Please specify)
Serving Sheriff's Signature & Date
Instructions to Private Process Server:
1. This Summons is effective for service only if served within 60 days after the date issued.
2. Proof of Service shall set out the name of the person served, date and the particular place and manner of service. If service is not made, please state the reasons.
3. Return of served or unserved process shall be made promptly and in accordance with Rule 2-126.
4. If this summons is served by private process, process server shall file a separate affidavit as required by Rule 2-126(a).
E-FILED; Baltimore County Circuit Court Docket: 7/28/2020 11:26 AM; Submission: 7/28/2020 11:26 AM
IN THE CIRCUIT COURT FOR Baltimore County (city or County)
CIVIL - NON-DOMESTIC CASE INFORMATION REPORT
DIRECTIONS
Plaintiff: This Information Report must be completed and attached to the complaint filed with the Clerk of Court unless your case is exempted from the requirement by the Chief Judge of the Court of Appeals pursuant to Rule 2-111(a).
Defendant: You must file an Information Report as required by Rule 2-323(h).
THIS INFORMATION REPORT CANNOT BE ACCEPTED AS A PLEADING
FORM FILED BY: ☐ PLAINTIFF ☐ DEFENDANT CASE NUMBER:
CASE NAME: Pamela Klemm and Catherine Romans, on behalf of themselves and all others similarly situated (Plaintiff), vs. Maryland Health Enterprises, Inc., d/b/a Lorien Health Services (Defendant)
PARTY'S NAME: Pamela Klemm PHONE: (443) 536-5718
PARTY'S ADDRESS: 622 Hornbeam Rd, Edgewood, MD, 21040
PARTY'S E-MAIL: [email protected]
If represented by an attorney: PARTY'S ATTORNEY'S NAME: Gary E. Mason PHONE. (202) 429-2290
PARTY'S ATTORNEY'S ADDRESS:5101 Wisconsin Ave., NW, Suite 305, Washington, D.C. 20016
PARTY'S ATTORNEY'S E-MAIL: [email protected]
JURY DEMAND? ☐ Yes ☐ No RELATED CASE PENDING? ☐ Yes ☐ No If yes, Case #(s), if known:
ANTICIPATED LENGTH OF TRIAL?: hours days
PLEADING TYPE: New Case: ☐ Original ☐ Administrative Appeal ☐ Appeal. Existing Case: ☐ Post-Judgment ☐ Amendment. If filing in an existing case, skip Case Category/Subcategory section; go to Relief section.
IF NEW CASE: CASE CATEGORY/SUBCATEGORY (Check one box.)
TORTS: ☐ Asbestos ☐ Assault and Battery ☐ Business and Commercial ☐ Conspiracy ☐ Conversion ☐ Defamation ☐ False Arrest/Imprisonment ☐ Fraud ☐ Lead Paint - DOB of Youngest Plt: ☐ Loss of Consortium ☐ Malicious Prosecution ☐ Malpractice-Medical ☐ Malpractice-Professional ☐ Misrepresentation ☐ Motor Tort ☐ Negligence ☐ Nuisance ☐ Premises Liability ☐ Product Liability ☐ Specific Performance ☐ Toxic Tort ☐ Trespass ☐ Wrongful Death
CONTRACT: ☐ Asbestos ☐ Breach ☐ Business and Commercial ☐ Confessed Judgment ☐ Construction ☐ Debt ☐ Fraud ☐ Government ☐ Insurance ☐ Product Liability
PROPERTY: ☐ Adverse Possession ☐ Breach of Lease ☐ Detinue ☐ Distress/Distrain ☐ Ejectment ☐ Forcible Entry/Detainer ☐ Foreclosure ☐ Commercial ☐ Residential ☐ Currency or Vehicle ☐ Deed of Trust ☐ Land Installments ☐ Lien ☐ Mortgage ☐ Right of Redemption ☐ Statement Condo ☐ Forfeiture of Property / Personal Item ☐ Fraudulent Conveyance ☐ Landlord-Tenant ☐ Lis Pendens ☐ Mechanic's Lien ☐ Ownership ☐ Partition/Sale in Lieu ☐ Quiet Title ☐ Rent Escrow ☐ Return of Seized Property ☐ Right of Redemption ☐ Tenant Holding Over
PUBLIC LAW: ☐ Attorney Grievance ☐ Bond Forfeiture Remission ☐ Civil Rights ☐ County/Mncpl Code/Ord ☐ Election Law ☐ Eminent Domain/Condemn. ☐ Environment ☐ Error Coram Nobis ☐ Habeas Corpus ☐ Mandamus ☐ Prisoner Rights ☐ Public Info. Act Records ☐ Quarantine/Isolation ☐ Writ of Certiorari
EMPLOYMENT: ☐ ADA ☐ Conspiracy ☐ EEO/HR ☐ FLSA ☐ FMLA ☐ Workers' Compensation ☐ Wrongful Termination
INDEPENDENT PROCEEDINGS: ☐ Assumption of Jurisdiction ☐ Authorized Sale ☐ Attorney Appointment ☐ Body Attachment Issuance ☐ Commission Issuance ☐ Constructive Trust ☐ Contempt ☐ Deposition Notice ☐ Dist Ct Mtn Appeal ☐ Financial ☐ Grand Jury/Petit Jury ☐ Miscellaneous ☐ Perpetuate Testimony/Evidence ☐ Prod. of Documents Req. ☐ Receivership ☐ Sentence Transfer ☐ Set Aside Deed ☐ Special Adm. - Atty ☐ Subpoena Issue/Quash ☐ Trust Established ☐ Trustee Substitution/Removal ☐ Witness Appearance-Compel
PEACE ORDER: ☐ Peace Order
EQUITY: ☐ Declaratory Judgment ☐ Equitable Relief ☐ Injunctive Relief ☐ Mandamus
OTHER: ☐ Accounting ☐ Friendly Suit ☐ Grantor in Possession ☐ Maryland Insurance Administration ☐ Miscellaneous ☐ Specific Transaction ☐ Structured Settlements
CC-DCM-002 (Rev. 04/2017) Page 1 of 3
IF NEW OR EXISTING CASE: RELIEF (Check All that Apply)
☐ Abatement ☐ Administrative Action ☐ Appointment of Receiver ☐ Arbitration ☐ Asset Determination ☐ Attachment b/f Judgment ☐ Cease & Desist Order ☐ Condemn Bldg ☐ Contempt ☐ Court Costs/Fees ☐ Damages-Compensatory ☐ Damages-Punitive ☐ Earnings Withholding ☐ Judgment-Interest ☐ Return of Property ☐ Enrollment ☐ Judgment-Summary ☐ Sale of Property ☐ Expungement ☐ Liability ☐ Specific Performance ☐ Findings of Fact ☐ Oral Examination ☐ Writ-Error Coram Nobis ☐ Foreclosure ☐ Order ☐ Writ-Execution ☐ Injunction ☐ Ownership of Property ☐ Writ-Garnish Property ☐ Judgment-Affidavit ☐ Partition of Property ☐ Writ-Garnish Wages ☐ Writ-Habeas Corpus ☐ Judgment-Attorney Fees ☐ Peace Order ☐ Judgment-Confessed ☐ Possession ☐ Writ-Mandamus ☐ Writ-Possession ☐ Judgment-Consent ☐ Production of Records ☐ Judgment-Declaratory ☐ Quarantine/Isolation Order ☐ Judgment-Default ☐ Reinstatement of Employment
If you indicated Liability above, mark one of the following. This information is not an admission and may not be used for any purpose other than Track Assignment.
☐ Liability is conceded. ☐ Liability is not conceded, but is not seriously in dispute. ☐ Liability is seriously in dispute.
MONETARY DAMAGES (Do not include Attorney's Fees, Interest, or Court Costs)
☐ Under $10,000 ☐ $10,000 - $30,000 ☐ $30,000 - $100,000 ☐ Over $100,000
☐ Medical Bills $ ☐ Wage Loss $ ☐ Property Damages $
ALTERNATIVE DISPUTE RESOLUTION INFORMATION
Is this case appropriate for referral to an ADR process under Md. Rule 17-101? (Check all that apply)
A. Mediation ☐ Yes ☐ No
B. Arbitration ☐ Yes ☐ No
C. Settlement Conference ☐ Yes ☐ No
D. Neutral Evaluation ☐ Yes ☐ No
SPECIAL REQUIREMENTS
☐ If a Spoken Language Interpreter is needed, check here and attach form CC-DC-041
☐ If you require an accommodation for a disability under the Americans with Disabilities Act, check here and attach form CC-DC-049
ESTIMATED LENGTH OF TRIAL
With the exception of Baltimore County and Baltimore City, please fill in the estimated LENGTH OF TRIAL. (Case will be tracked accordingly)
☐ 1/2 day of trial or less ☐ 1 day of trial time ☐ 2 days of trial time ☐ 3 days of trial time ☐ More than 3 days of trial time
BUSINESS AND TECHNOLOGY CASE MANAGEMENT PROGRAM
For all jurisdictions, if Business and Technology track designation under Md. Rule 16-308 is requested, attach a duplicate copy of complaint and check one of the tracks below.
☐ Expedited - Trial within 7 months of Defendant's response ☐ Standard - Trial within 18 months of Defendant's response
EMERGENCY RELIEF REQUESTED
COMPLEX SCIENCE AND/OR TECHNOLOGICAL CASE MANAGEMENT PROGRAM (ASTAR)
FOR PURPOSES OF POSSIBLE SPECIAL ASSIGNMENT TO ASTAR RESOURCES JUDGES under Md. Rule 16-302, attach a duplicate copy of complaint and check whether assignment to an ASTAR is requested.
☐ Expedited - Trial within 7 months of Defendant's response ☐ Standard - Trial within 18 months of Defendant's response
IF YOU ARE FILING YOUR COMPLAINT IN BALTIMORE CITY, OR BALTIMORE COUNTY, PLEASE FILL OUT THE APPROPRIATE BOX BELOW.
CIRCUIT COURT FOR BALTIMORE CITY (CHECK ONLY ONE)
☐ Expedited: Trial 60 to 120 days from notice. Non-jury matters.
☐ Civil-Short: Trial 210 days from first answer.
☐ Civil-Standard: Trial 360 days from first answer.
☐ Custom: Scheduling order entered by individual judge.
☐ Asbestos: Special scheduling order.
☐ Lead Paint: Fill in: Birth Date of youngest plaintiff
☐ Tax Sale Foreclosures: Special scheduling order.
☐ Mortgage Foreclosures: No scheduling order.
CIRCUIT COURT FOR BALTIMORE COUNTY
☐ Expedited (Trial Date-90 days): Attachment Before Judgment, Declaratory Judgment (Simple), Administrative Appeals, District Court Appeals and Jury Trial Prayers, Guardianship, Injunction, Mandamus.
☐ Standard (Trial Date-240 days): Condemnation, Confessed Judgments (Vacated), Contract, Employment Related Cases, Fraud and Misrepresentation, International Tort, Motor Tort, Other Personal Injury, Workers' Compensation Cases.
☐ Extended Standard (Trial Date-345 days): Asbestos, Lender Liability, Professional Malpractice, Serious Motor Tort or Personal Injury Cases (medical expenses and wage loss of $100,000, expert and out-of-state witnesses (parties), and trial of five or more days), State Insolvency.
☐ Complex (Trial Date-450 days): Class Actions, Designated Toxic Tort, Major Construction Contracts, Major Product Liabilities, Other Complex Cases.
Date: 07/28/2020
Address: 5101 Wisconsin Ave., NW, Suite 305, Washington DC 20016
Signature of Counsel / Party: /s/ Gary E. Mason Esq.
Printed Name: Gary E. Mason
E-FILED; Baltimore County Circuit Court Docket: 7/28/2020 1:30 PM; Submission: 7/30/2020 1:30 PM
IN THE CIRCUIT COURT FOR BALTIMORE COUNTY, MARYLAND
PAMELA KLEMM and CATHERINE ROMANS, on behalf of themselves and all others similarly situated,
Plaintiffs, v.
MARYLAND HEALTH ENTERPRISES, INC., d/b/a LORIEN HEALTH SERVICES,
Defendant.
Case No. C-03-CV-20-002899
CLASS ACTION COMPLAINT
Plaintiffs, PAMELA KLEMM ("Klemm") and Catherine Romans ("Romans") (collectively, "Plaintiffs"), on behalf of themselves and all others similarly situated, bring this action against Defendant MARYLAND HEALTH ENTERPRISES, INC., d/b/a LORIEN HEALTH SERVICES ("Defendant" or "MHE") to obtain damages, restitution, and injunctive relief for the Class, as defined below, from the Defendant. Plaintiffs make the following allegations upon information and belief, except as to their own actions, the investigation of their counsel, and the facts that are a matter of public record.
I. NATURE OF THE ACTION
1. This class action arises out of the recent ransomware attack and data breach that was perpetrated against Defendant MHE (the "Ransomware Attack"), which held in its possession certain personally identifiable information ("PII") and protected health information ("PHI") (collectively, "the Private Information") of the Plaintiffs and the putative Class Members (defined below).
2. The Private Information compromised in the Ransomware Attack included highly sensitive information such as names, Social Security numbers, dates of birth, addresses, and health diagnosis and treatment information.
3. The Ransomware Attack was a direct result of Defendant's failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect consumers' Private Information.
4. Plaintiffs bring this class action lawsuit on behalf of those similarly situated to address Defendant's inadequate safeguarding of Class Members' Private Information that it collected and maintained, and for failing to provide timely and adequate notice to Plaintiffs and other Class Members that their information had been subject to the unauthorized access of an unknown third party and precisely what specific type of information was accessed.
5. In addition, Defendant MHE and its employees failed to properly monitor the computer network and systems that housed the Private Information. Had MHE properly monitored its property, it would have discovered the intrusion sooner.
6. Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant's computer network in a condition vulnerable to cyberattacks. Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiffs' and Class Members' Private Information was a known risk to Defendant and thus Defendant was on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.
7. Defendant disregarded the rights of Plaintiffs and Class Members by, inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure their data systems were protected against unauthorized intrusions; failing to disclose that they did not have adequately robust computer systems and security practices to safeguard Class Members' Private Information; failing to take standard and reasonably available steps to prevent the Ransomware Attack; and failing to provide Plaintiffs and Class Members prompt and accurate notice of the Ransomware Attack.
8. In addition, Defendant and its employees failed to properly monitor the computer network and systems that housed the Private Information. Had Defendant properly monitored its property, it would have discovered the intrusion sooner.
9. Plaintiffs' and Class Members' identities are now at risk because of Defendant's negligent conduct since the Private Information that Defendant collected and maintained is now in the hands of data thieves.
10. Armed with the Private Information accessed in the Ransomware Attack, data thieves can commit a variety of crimes including, e.g., opening new financial accounts in Class Members' names, taking out loans in Class Members' names, using Class Members' information to obtain government benefits, filing fraudulent tax returns using Class Members' information, filing false medical claims using Class Members' information, obtaining driver's licenses in Class Members' names but with another person's photograph, and giving false information to police during an arrest.
11. As a result of the Ransomware Attack, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiffs and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.
12. Plaintiffs and Class Members may also incur out-of-pocket costs for, e.g., purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft.
13. Through this Complaint, Plaintiffs seek to remedy these harms on behalf of themselves and all similarly situated individuals whose Private Information was accessed during the Ransomware Attack.
14. Plaintiffs seek remedies including, but not limited to, compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant's data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.
15. Accordingly, Plaintiffs bring this action against Defendant seeking redress for their unlawful conduct, and asserting claims for: (i) negligence, (ii) breach of express contract, (iii) breach of implied contract, (iv) breach of fiduciary duty, and (v) violation of Maryland's Consumer Protection Act, § 1301, et seq.
II. JURISDICTION AND VENUE
16. This Court has jurisdiction over this action pursuant to § 1-501 of the Courts and Judicial Proceedings Article of the Maryland Code Annotated.
17. This Court has jurisdiction over Defendant pursuant to § 6-201 and § 6-103 of the Courts and Judicial Proceedings Article of the Maryland Code Annotated because Defendant is organized under the laws of the State of Maryland and the causes of action alleged herein arise from Defendant transacting business in Maryland.
18. Venue is proper in this district pursuant to § 6-102 of the Courts and Judicial Proceedings Article of the Maryland Code Annotated because Defendant (i) maintains its principal offices and carries on a regular business in this county; and (ii) a substantial part of the events and omissions giving rise to this action occurred in this county.
III. PARTIES
19. Plaintiff Klemm is and at all times mentioned herein was an individual citizen of the State of Maryland, residing in the city of Edgewood. Plaintiff Klemm was a customer of Defendant MHE and received notice of the Ransomware Attack from MHE.
20. Plaintiff Romans is and at all times mentioned herein was an individual citizen of the State of Maryland, residing in the city of Edgewood. Plaintiff Romans was a customer of Defendant MHE and received notice of the Ransomware Attack from MHE.
21. Defendant MHE is a Maryland corporation with its principal place of business at 1205 York Road, Lutherville, Maryland 21093.
IV. STATEMENT OF FACTS
A. Nature of Defendant's Businesses
22. Defendant is a for-profit nursing home, assisted living and rehabilitation company that operates nine (9) facilities in Baltimore, Howard, Harford and Carroll counties.
23. Defendant's services include, but are not limited to, assisted living, rehabilitation and therapy, dialysis, respite care, hospice services, tracheotomy care, and at-home care.
24. In the ordinary course of receiving health care services from Defendant, Plaintiffs and Class members provided Defendant with sensitive, personal, and private information such as:
a. name, address, phone number and email address;
b. dates of birth;
c. Social Security numbers;
d. information relating to individual medical history;
e. medical record information;
f. insurance information and coverage; and
g. treatment details.
25. Plaintiffs and Class Members were required to provide their sensitive, personal, and private information to Defendant as a condition of receiving services from Defendant.
26. Defendant maintains this Private Information on its servers and within its data infrastructure.
27. All of Defendant's employees, staff, entities, sites, and locations may share patient information with each other for various purposes, as disclosed in the Notice of Privacy Practices ("Privacy Policy") that Defendant is required to maintain.
28. The Privacy Policy is posted on Defendant's website and is provided to every patient upon request.
29. Because of the highly sensitive and personal nature of the information Defendant acquires and stores with respect to its patients, Defendant promises to: (1) maintain the privacy of patients' PHI; (2) maintain the confidentiality of health information that identifies its patients; (3) follow the terms of the notice of privacy practices that Defendant has in effect at the time; (4) obtain patients' written authorization for uses and disclosures that are not identified by the privacy notice; and (5) notify patients in the event it discovers a breach.
[1] https://www.lorienhealth.com/application/files/8515/9121/1315/LHS_NPP_6.1.20.pdf.
30. Defendant MHE agreed to and undertook legal duties to maintain the PHI entrusted to it by Plaintiffs and Class Members safely, confidentially, and in compliance with all applicable laws, including the Health Insurance Portability and Accountability Act ("HIPAA").
31. The patient information held by Defendant in its computer systems and networks included the Private Information of Plaintiffs and Class Members.
B. The Ransomware Attack
32. A ransomware attack is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker.[2]
33. On June 6, 2020, computer hackers gained access to Defendant MHE's computer servers and data infrastructure which resulted in widespread file encryption of files containing Personal Information that had been collected by Defendant.[3]
34. The computer hackers exfiltrated data and files from Defendant MHE's computer servers.
35. The data and files exfiltrated from Defendant MHE's computer servers included the PII and PHI of Plaintiffs and Class Members, including names, Social Security numbers, dates of birth, addresses, and health diagnosis and treatment information.
[2] https://www.proofpoint.com/us/threat-reference/ransomware (last visited July 27, 2020).
[3] See https://www.lorienhealth.com/contact/security-incident (last visited July 27, 2020).
36. The computer hackers also installed ransomware software on Defendant MHE's computers and servers.
37. The cyber criminals responsible for the hack of Defendant MHE's systems have publicly identified themselves as the notorious NetWalker ransomware gang.[4]
38. The NetWalker ransomware gang began targeting the healthcare sector in May 2020,[5] and targeted Defendant MHE for this ransomware attack. Defendant's vulnerability to remote desktop hacks, the type and variety of data stored by Defendant MHE, and the disruption to hospital operations that ransomware causes made Defendant a prime target for the NetWalker gang.
39. In recent years, the NetWalker ransomware gang has gained notoriety for "shaming" victims by exfiltrating and publishing organizations' sensitive data.[6] In particular, the NetWalker ransomware gang has been known to extort businesses by publicly posting breached data on the Internet—and threatening full dumps of stolen data if the gang's 'customers' do not pay for their files to be unencrypted.[7] Victims have included Australian transportation and logistics firm Toll Group, the Champaign Urbana Public Health District (CHUPD) in Illinois, the city of Weiz in Austria, and, most recently, Michigan State University.
[4] https://healthitsecurity.com/news/magellan-health-data-breach-victim-tally-reaches-365k-patients (reporting that the Maze hacking group posted a zip file with data allegedly stolen from HFM during a ransomware attack in April) (last visited July 11, 2020).
[5] https://healthitsecurity.com/news/lorien-health-services-ransomware-attack-impacts-48k-patients (last visited July 27, 2020).
[6] https://www.cyberdefensemagazine.com/netwalker-ransomware-gang-threatens-to-release-michigan-state-university-files/ (last visited July 27, 2020).
[7] https://www.tripwire.com/state-of-security/featured/netwalker-ransomware-what-need-know/ (last visited July 27, 2020).
40. As one media outlet has described the NetWalker ransomware gang: "This is worse than a regular ransomware attack." In particular, "there remains the problem of the exfiltrated data. If that's released by the NetWalker gang then there are clear dangers — not only to your business, but also to your partners and customers."[8]
41. Unsurprisingly, in mid-June of 2020, NetWalker operators made the Ransomware Attack known, publishing screenshots of directory listings with 2020 date stamps and admission records as proof of compromise.[9]
42. According to reports, some of the data has been dumped online and a password-protected archive of 147MB is currently available via a file-sharing service.
43. The hackers also published the unlock key for the archive and labeled this cache "Part 1," indicating that they may leak more data in the future.
44. On or about July 16, 2020—well after breached Private Information was dumped online—Defendant MHE finally notified affected persons of the Ransomware Attack. The Notice of Data Incident ("Notice") stated in relevant part the following:[10]
[9] https://www.bleepingcomputer.com/news/security/lorien-health-services-discloses-ransomware-attack-affecting-nearly-50-000/ (last visited July 27, 2020).
[10] https://ago.vermont.gov/blog/2020/07/16/lorien-health-services-notice-of-data-breach-to-consumers/ (last visited July 27, 2020).
Re: Notice of Data Security Incident
Dear [First Name Last Name],
I am writing to inform you of a data security incident that involved your personal information. At Lorien Health Services ("Lorien"), which you may know as [FACILITY], we take the privacy and security of your information very seriously. This is why I am notifying you of the incident, offering you credit monitoring and identity monitoring services, and informing you about steps you can take to help protect your personal information.
What Happened? On June 6, 2020, Lorien learned that data on our network had been encrypted. Upon discovering this incident, Lorien immediately engaged a team of cybersecurity experts to assist with our response and to determine whether any personal information may have been accessed during the incident. On June 10, 2020, the investigation determined that your information may have been accessed during the incident.
What Information Was Involved? The information involved resident admission forms which typically include names, Social Security numbers, dates of birth, addresses, and health diagnosis and treatment information.
What Are We Doing? As soon as we discovered the incident, we took the steps described above. We also notified the Federal Bureau of Investigation and will provide whatever cooperation is necessary to hold the perpetrators accountable. In addition, we are providing you with information to help protect your personal information, and offering identity monitoring and recovery services for 12 months through ID Experts as described below.
What You Can Do: You can follow the recommendations included with this letter to protect your personal information. We strongly encourage you to enroll in the credit monitoring and identity protection services through ID Experts. To enroll, please visit https://app.myidcare.com/account-creation/protect or call 1-833-431-1278 and provide the following enrollment code: XXXXXXXX. Please note you must enroll by October 16, 2020. If you have questions or need assistance, please call ID Experts at 1-833-431-1278.
For More Information: If you have any questions about this letter, please contact Lorien at 1-833-431-1278. Please accept our sincere apologies and know that we deeply regret any worry or inconvenience that this may cause you.
45. Upon information and belief, this notice was sent to 47,754 patients, including Plaintiffs, and has been posted on Defendant's website.
46. Incredibly, Defendant had not publicly disclosed the security breach when NetWalker named MHE online in mid-June, and publicly posted the Private Information of Plaintiffs and Class Members. As one cybersecurity expert observed about the failure to immediately disclose ransomware attacks:
The lack of disclosure obviously means that customers/clients/vendors/partners do not know that their data is now in the hands of cybercriminals and can be downloaded by anybody with an Internet connection.... And that means they do not know that they should set up credit monitoring, notify their financial institution, be on the lookout for scams or spear phishing attempts.[11]
47. "[T]he fact that the information is posted on a publicly accessible website puts victims at risk of others stealing the personal data," reported one news outlet about the ramifications of ransomware attacks.[12]
48. Overall, the Private Information of 47,754 patients was impacted in the Ransomware Attack, including the Private Information of Plaintiffs.
49. Despite learning of the Ransomware Attack on June 6, 2020, despite the fact that Defendant knew or should have known by June 10, 2020 that the NetWalker gang had exfiltrated patient data and would inevitably publish it online, breach notification letters were not sent to affected patients until July 16, 2020, almost forty (40) days after first learning of the breach.
50. The July notification date was approximately one month after the NetWalker ransomware gang published a sampling of the Private Information online for all cyberthieves to access and well after the time period in which compromised breach victims could take prophylactic measures to safeguard their identities and Private Information.
C. Defendant's Patient Privacy Policies.
[11] https://www.timesunion.com/business/article/Computer-breach-exposes-some-Community-Care-15067744.php (last visited July 12, 2020).
[12] Id.
51. As a healthcare service provider, Defendant is bound by HIPAA, which requires subject providers to comply with a series of administrative, physical security, and technical security requirements in order to protect patient information. Among other things, it mandates that medical providers develop, publish, and adhere to a privacy policy.
52. Defendant recognizes its obligations under HIPAA along with the commensurate obligation to safeguard and protect patient PHI and PII:
We will notify you of certain breaches of your personal health information, if they occur, as required by the HIPAA Privacy Rule requirements.[13]
53. Defendant assures consumers that "We will not use or disclose your health information without your authorization, except as described in this Notice."[14]
54. Defendant had an obligation created by HIPAA, contract, industry standards, common law, and representations made to Class Members, to keep Class Members' Private Information confidential and to protect it from unauthorized access and disclosure.
55. Plaintiffs and Class Members provided their Private Information to Defendant with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access.
56. Defendant's data security obligations were particularly important given the substantial increase in ransomware attacks and/or data breaches in the healthcare industry preceding the date of the breach.
[13] https://www.lorienhealth.com/application/files/8515/9121/1315/LHS_NPP_6.1.20.pdf (last visited July 27, 2020).
[14] Id.
57. Data breaches, including those perpetrated against the healthcare sector of the
economy, have become widespread. In 2016, the number of U.S. data breaches surpassed 1,000,
a record high and a forty percent increase in the number of data breaches from the previous year.
In 2017, a new record high of 1,579 breaches were reported, representing a 44.7 percent increase
over 2016. In 2018, there was an extreme jump of 126 percent in the number of consumer records
exposed from data breaches. In 2019, there was a 17 percent increase in the number of breaches
(1,473) over 2018, with 164,683,455 sensitive records exposed.
58. The number of data breaches in the healthcare sector skyrocketed in 2019, with 525
reported breaches exposing nearly 40 million sensitive records (39,378,157), compared to only
369 breaches that exposed just over 10 million sensitive records (10,632,600) in 2018.
59. Indeed, ransomware attacks, such as the one experienced by Defendant, have
become so notorious that the Federal Bureau of Investigation ("FBI") and U.S. Secret Service have
issued a warning to potential targets so they are aware of, and prepared for, a potential attack.
Indeed, one media outlet specifically reported that "[t]he operators of NetWalker ransomware have
been aggressively targeting healthcare organizations."15
60. Therefore, the increase in such attacks, and attendant risk of future attacks, was
widely known to the public and to anyone in Defendant's industry, including Defendant.
15 https://www.spamtitan.com/web-filtering/netwalker-ransomware-aggressive-campaign-healthcare-organizations-
universities/ (last visited July 27, 2020).
DEFENDANT FAILS TO COMPLY WITH FTC GUIDELINES
61. The Federal Trade Commission ("FTC") has promulgated numerous guides for
businesses which highlight the importance of implementing reasonable data security practices.
According to the FTC, the need for data security should be factored into all business decision-
making.
62. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide
for Business, which established cyber-security guidelines for businesses. The guidelines note that
businesses should protect the personal customer information that they keep; properly dispose of
personal information that is no longer needed; encrypt information stored on computer networks;
understand their network's vulnerabilities; and implement policies to correct any security
problems. The guidelines also recommend that businesses use an intrusion detection system to
expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone
is attempting to hack the system; watch for large amounts of data being transmitted from the
system; and have a response plan ready in the event of a breach.
63. The FTC further recommends that companies not maintain PII longer than is
needed for authorization of a transaction; limit access to sensitive data; require complex passwords
to be used on networks; use industry-tested methods for security; monitor for suspicious activity
on the network; and verify that third-party service providers have implemented reasonable security
measures.
64. The FTC has brought enforcement actions against businesses for failing to
adequately and reasonably protect customer data, treating the failure to employ reasonable and
appropriate measures to protect against unauthorized access to confidential consumer data as an
unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act ("FTCA"), 15
U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take
to meet their data security obligations.
65. These FTC enforcement actions include actions against healthcare providers like
Defendant. See, e.g., In the Matter of Labmd, Inc., A Corp, 2016-2 Trade Cas. (CCH) ¶ 79708,
2016 WL 4128215, at *32 (MSNET July 28, 2016) ("[T]he Commission concludes that LabMD's
data security practices were unreasonable and constitute an unfair act or practice in violation of
Section 5 of the FTC Act.")
66. Defendant failed to properly implement basic data security practices. Defendant's
failure to employ reasonable and appropriate measures to protect against unauthorized access to
patient PII and PHI constitutes an unfair act or practice prohibited by Section 5 of the FTC Act,
15 U.S.C. § 45.
67. Defendant was at all times fully aware of its obligation to protect the PII and PHI
of its patients. Defendant was also aware of the significant repercussions that would result from
its failure to do so.
DEFENDANT FAILS TO COMPLY WITH INDUSTRY STANDARDS
68. Experts studying cyber security routinely identify healthcare providers as being
particularly vulnerable to cyberattacks because of the value of the PII and PHI which they collect
and maintain.
69. As an article about a recent Microsoft ransomware study stated, "All hospitals and
healthcare organizations need to defend themselves against ransomware, especially during this
challenging time."16 Microsoft provided a list of 11 best-practice tips for how hospitals should
protect themselves against ransomware.
70. Several best practices have been identified that, at a minimum, should be implemented
by healthcare providers like Defendant, including but not limited to: educating all employees;
strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software;
encryption, making data unreadable without a key; multi-factor authentication; backing up data; and
limiting which employees can access sensitive data.
71. A number of industry and national best practices have been published and should
be used as a go-to resource when developing an institution's cybersecurity standards. The Center
for Internet Security (CIS) released its Critical Security Controls, and all healthcare institutions
are strongly advised to follow these actions. The CIS Benchmarks are the overwhelming option
of choice for auditors worldwide when advising organizations on the adoption of a secure build
standard for any governance and security initiative, including PCI DSS, HIPAA, NIST 800-53,
SOX, FISMA, ISO/IEC 27002, Gramm-Leach-Bliley and ITIL.
72. Other best cybersecurity practices that are standard in the healthcare industry
include installing appropriate malware detection software; monitoring and limiting the network
ports; protecting web browsers and email management systems; setting up network systems such
as firewalls, switches and routers; monitoring and protection of physical security systems;
protection against any possible communication system; training staff regarding critical points.
16 https://www.techrepublic.com/article/microsoft-to-hospitals-11-tips-on-how-to-combat-ransomware/ (last visited July 27, 2020).
73. Defendant failed to meet the minimum standards of any of the following
frameworks: the NIST Cybersecurity Framework, NIST Special Publications 800-53, 53A, or 800-
171; General Accounting Office (GAO) standards; the Federal Risk and Authorization
Management Program (FEDRAMP); and the Center for Internet Security's Critical Security
Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness.
DEFENDANT'S CONDUCT VIOLATES HIPAA AND EVIDENCES ITS INSUFFICIENT DATA SECURITY
74. HIPAA requires covered entities to protect against reasonably anticipated threats
to the security of sensitive patient health information.
75. Covered entities must implement safeguards to ensure the confidentiality, integrity,
and availability of PHI. Safeguards must include physical, technical, and administrative
components.
76. Title II of HIPAA contains what are known as the Administrative Simplification
provisions. 42 U.S.C. §§ 1301, et seq. These provisions require, among other things, that the
Department of Health and Human Services ("HHS") create rules to streamline the standards for
handling PII like the data Defendant left unguarded. The HHS subsequently promulgated multiple
regulations under authority of the Administrative Simplification provisions of HIPAA. These rules
include 45 C.F.R. § 164.306(a)(1-4); 45 C.F.R. § 164.312(a)(1); 45 C.F.R. § 164.308(a)(1)(i); 45
C.F.R. § 164.308(a)(1)(ii)(D), and 45 C.F.R. § 164.530(b).
77. Defendant's data breach resulted from a combination of insufficiencies that
demonstrate they failed to comply with safeguards mandated by HIPAA regulations.
DEFENDANT'S BREACH
78. Defendant breached its obligations to Plaintiffs and Class Members and/or was
otherwise negligent and reckless because it failed to properly maintain and safeguard its computer
systems and data infrastructure. Defendant's unlawful conduct includes, but is not limited to, their
failure to:
a. maintain an adequate data security system to reduce the risk of data breaches and
cyber-attacks;
b. adequately protect patients' Private Information;
c. properly monitor its own data security systems for existing intrusions;
d. ensure that vendors with access to Defendant's protected health data employed
reasonable security procedures;
e. ensure the confidentiality and integrity of electronic PHI they created, received,
maintained, and/or transmitted, in violation of 45 C.F.R. § 164.306(a)(1);
f. implement technical policies and procedures for electronic information systems
that maintain electronic PHI to allow access only to those persons or software programs
that have been granted access rights in violation of 45 C.F.R. § 164.312(a)(1);
g. implement policies and procedures to prevent, detect, contain, and correct security
violations in violation of 45 C.F.R. § 164.308(a)(1)(i);
h. implement procedures to review records of information system activity regularly,
such as audit logs, access reports, and security incident tracking reports in violation of 45
C.F.R. § 164.308(a)(1)(ii)(D);
i. protect against reasonably anticipated threats or hazards to the security or integrity
of electronic PHI in violation of 45 C.F.R. § 164.306(a)(2);
j. protect against reasonably anticipated uses or disclosures of electronic PHI that are
not permitted under the privacy rules regarding individually identifiable health information
in violation of 45 C.F.R. § 164.306(a)(3);
k. ensure compliance with HIPAA security standard rules by Defendant's workforce
in violation of 45 C.F.R. § 164.306(a)(4);
l. train all members of Defendant's workforce effectively on the policies and
procedures regarding PHI as necessary and appropriate for the members of their
workforces to carry out their functions and to maintain security of PHI, in violation of 45
C.F.R. § 164.530(b); and/or
m. render the electronic PHI they maintained unusable, unreadable, or indecipherable
to unauthorized individuals, as they had not encrypted the electronic PHI as specified in
the HIPAA Security Rule by "the use of an algorithmic process to transform data into a
form in which there is a low probability of assigning meaning without use of a confidential
process or key" (45 CFR 164.304 definition of encryption).
79. As the result of computer systems in need of security upgrading, inadequate
procedures for handling emails containing ransomware or other malignant computer code, and
inadequately trained employees who opened files containing the ransomware virus, Defendant
negligently and unlawfully failed to safeguard Plaintiffs' and Class Members' Private Information.
80. Accordingly, Plaintiffs and Class Members now face an increased risk of fraud
and identity theft.
D. Ransomware Attacks and Data Breaches Cause Disruption and Put Consumers at an Increased Risk of Fraud and Identity Theft
81. Ransomware attacks also constitute data breaches in the traditional sense. For
example, in a recent ransomware attack on the Florida city of Pensacola, and while the City was
still recovering from the ransomware attack, the hackers released 2GB of data files from the total
32GB of data that they claimed was stolen prior to encrypting the City's network with ransomware.
In the statement given to a news outlet, the hackers said, "This is the fault of mass media who
writes that we don't exfiltrate data ...."17
82. Also, in a ransomware advisory, the Department of Health and Human Services
informed entities covered by HIPAA that "when electronic protected health information (ePHI) is
encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted
by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control
of the information)."18
83. Ransomware attacks are also considered a breach under the HIPAA Rules because
there is an access of PHI not permitted under the HIPAA Privacy Rule:
A breach under the HIPAA Rules is defined as, "...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI." See 45 C.F.R. 164.4019
84. Other security experts agree that when a ransomware attack occurs, a data breach
does as well, because such an attack represents a loss of control of the data within a network.
17 https://www.cisomag.com/pensacola-ransomware-hackers-release-2gb-data-as-a-proof/ (last visited July 12,
2020). 18 See https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf (last visited July 12, 2020).
19 See https://onlinelibrary.wiley.com/doi/full/10.1111/1475-6773.13203 (last visited July 12, 2020).
85. Ransomware attacks are also Security Incidents under HIPAA because they impair
both the integrity (data is not interpretable) and availability (data is not accessible) of patient health
information:
The presence of ransomware (or any malware) on a covered entity's or business associate's computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).20
86. The United States Government Accountability Office released a report in 2007
regarding data breaches ("GAO Report") in which they noted that victims of identity theft will
face "substantial costs and time to repair the damage to their good name and credit record."21
87. The FTC recommends that identity theft victims take several steps to protect their
personal and financial information after a data breach, including contacting one of the credit
bureaus to place a fraud alert (consider an extended fraud alert that lasts for 7 years if someone
steals their identity), reviewing their credit reports, contacting companies to remove fraudulent
charges from their accounts, placing a credit freeze on their credit, and correcting their credit
reports.22
88. Identity thieves use stolen personal information such as Social Security numbers
for a variety of crimes, including credit card fraud, phone or utilities fraud, and bank/finance fraud.
20 See https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf (last visited July 12, 2020). 21 See "Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown," p. 2, U.S. Government Accountability Office, June 2007, https://www.gao.gov/new.items/d07737.pdf (last visited July 12) ("GAO Report"). 22 See https://www.identitytheft.gov/Steps (last visited July 12, 2020).
89. Identity thieves can also use Social Security numbers to obtain a driver's license or
official identification card in the victim's name but with the thief's picture; use the victim's name
and Social Security number to obtain government benefits; or file a fraudulent tax return using the
victim's information. In addition, identity thieves may obtain a job using the victim's Social
Security number, rent a house or receive medical services in the victim's name, and may even give
the victim's personal information to police during an arrest resulting in an arrest warrant being
issued in the victim's name. A study by Identity Theft Resource Center shows the multitude of
harms caused by fraudulent use of personal and financial information:23
Americans' expenses/disruptions as a result of criminal activity in their name (2016):
I had to request government assistance: 29.5%
I had to borrow money: 60.7%
Had to use my savings to pay for expenses: 32.2%
Couldn't qualify for a home loan: 32.8%
I lost my home/place of residence: 31.1%
I couldn't care for my family: 34.4%
Had to rely on family/friends for assistance: 49.2%
Lost out on an employment opportunity: 44.3%
Lost time away from school: 19.7%
Missed time away from work: 55.7%
Was generally inconvenienced: 73.8%
Other: 23%
None of these: [value illegible in scan]
Source: Identity Theft Resource Center, via creditcards.com
23 "Credit Card and ID Theft Statistics" by Jason Steele, 10/24/2017, at: https://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statisties-1276.php (last visited
July 12, 2020).
90. What's more, theft of Private Information is also gravely serious. PII/PHI is a
valuable property right.24 Its value is axiomatic, considering the value of Big Data in corporate
America and that the consequences of cyber thefts include heavy prison sentences. Even this obvious
risk to reward analysis illustrates beyond doubt that Private Information has considerable market
value.
91. Theft of PHI, in particular, is gravely serious: "A thief may use your name or health
insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider,
or get other care. If the thief's health information is mixed with yours, your treatment, insurance
and payment records, and credit report may be affected."25 Drug manufacturers, medical device
manufacturers, pharmacies, hospitals and other healthcare service providers often purchase
PII/PHI on the black market for the purpose of target marketing their products and services to the
physical maladies of the data breach victims themselves. Insurance companies purchase and use
wrongfully disclosed PHI to adjust their insureds' medical insurance premiums.
92. It must also be noted there may be a substantial time lag, measured in years,
between when harm occurs and when it is discovered, and also between when Private
Information and/or financial information is stolen and when it is used. According to the U.S.
Government Accountability Office, which conducted a study regarding data breaches:
[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen
24 See, e.g., John T. Soma, et al, Corporate Privacy Trend: The "Value" of Personally Identifiable Information ("PII") Equals the "Value" of Financial Assets, 15 Rich. J.L. & Tech. 11, at *34 (2009) ("PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets.") (citations omitted). 25 See Federal Trade Commission, Medical Identity Theft, http://www.consumerftc.gov/articles/0171-medical-identity-theft (last visited July 12, 2020).
data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.
See GAO Report, at p. 29.
93. Private Information and financial information are such valuable commodities to
identity thieves that once the information has been compromised, criminals often trade the
information on the "cyber black-market" for years.
94. As evidenced by NetWalker's public posting of a sample of the stolen data,
there is a strong probability that the entirety of the stolen information has been dumped on the
black market or will be dumped on the black market, meaning Plaintiffs and Class Members are
at an increased risk of fraud and identity theft for many years into the future. Thus, Plaintiffs and
Class Members must vigilantly monitor their financial and medical accounts for many years to
come.
95. Medical information is especially valuable to identity thieves. According to account
monitoring company LogDog, coveted Social Security numbers were selling on the dark web for
just $1 in 2016 — the same as a Facebook account. That pales in comparison with the asking price
for medical data, which was selling for $50 and up.26
96. Recently, the medical and financial services industries have experienced
disproportionately higher numbers of data theft events than other industries. Defendant therefore
knew or should have known this and strengthened its data systems accordingly. Defendant was put
26 https://nakedsecurity.sophos.com/2019/10/03/ransomware-attacks-paralyze-and-sometimes-crush-hospitals/#content (last visited July 12, 2020).
on notice of the substantial and foreseeable risk of harm from a data breach, yet it failed to properly
prepare for that risk.
V. PLAINTIFFS' AND CLASS MEMBERS' DAMAGES
97. To date, Defendant has done absolutely nothing to compensate Class Members
for the damages they sustained in the Ransomware Attack. Defendant has merely offered
identity monitoring services for a paltry 12 months through ID Experts to patients whose data
was stolen. The offer is wholly inadequate as it fails to provide for the fact that victims of
Ransomware Attacks and other unauthorized disclosures commonly face multiple years of
ongoing identity theft, and it entirely fails to provide any compensation for the unauthorized
release and disclosure of Plaintiffs' and Class Members' Private Information. Furthermore,
Defendant MHE's credit monitoring offer squarely places the burden on Plaintiffs and Class
Members, rather than on the Defendant, to investigate and protect themselves from Defendant's
tortious acts resulting in the Ransomware Attack. Rather than automatically enrolling Plaintiffs
and Class Members in credit monitoring services upon discovery of the breach, Defendant merely
sent instructions to Plaintiffs and Class Members about actions they can affirmatively take to
protect themselves.
98. Plaintiffs and Class Members have been damaged by the compromise and
exfiltration of their Private Information in the Ransomware Attack.
99. Plaintiffs' Private Information was compromised and exfiltrated by cyber-criminals
as a direct and proximate result of the Ransomware Attack.
100. As a direct and proximate result of Defendant's conduct, Plaintiffs and Class
Members have been placed at an imminent, immediate, and continuing increased risk of harm from
fraud and identity theft.
101. As a direct and proximate result of Defendant's conduct, Plaintiffs and Class
Members have been forced to expend time dealing with the effects of the Ransomware Attack.
102. Plaintiffs and Class Members face substantial risk of out-of-pocket fraud losses
such as loans opened in their names, medical services billed in their names, tax return fraud, utility
bills opened in their names, credit card fraud, and similar identity theft.
103. Plaintiffs and Class Members face substantial risk of being targeted for future
phishing, data intrusion, and other illegal schemes based on their Private Information as potential
fraudsters could use that information to more effectively target such schemes to Plaintiffs and
Class Members.
104. Plaintiffs and Class Members may also incur out-of-pocket costs for protective
measures such as credit monitoring fees, credit report fees, credit freeze fees, and similar costs
directly or indirectly related to the Ransomware Attack.
105. Plaintiffs and Class Members also suffered a loss of value of their Private
Information when it was acquired by cyber thieves in the Ransomware Attack. Numerous courts
have recognized the propriety of loss of value damages in related cases.
106. Plaintiffs and Class Members have spent and will continue to spend significant
amounts of time to monitor their financial accounts and records for misuse.
107. Plaintiffs and Class Members have suffered or will suffer actual injury as a direct
result of the Ransomware Attack. Many victims suffered ascertainable losses in the form of
out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects
of the Ransomware Attack relating to:
a. finding fraudulent charges;
b. canceling and reissuing credit and debit cards;
c. purchasing credit monitoring and identity theft prevention;
d. addressing their inability to withdraw funds linked to compromised accounts;
e. taking trips to banks and waiting in line to obtain funds held in limited accounts;
f. placing "freezes" and "alerts" with credit reporting agencies;
g. spending time on the phone with or at a financial institution to dispute fraudulent
charges;
h. contacting financial institutions and closing or modifying financial accounts;
i. resetting automatic billing and payment instructions from compromised credit and
debit cards to new ones;
j. paying late fees and declined payment fees imposed as a result of failed automatic
payments that were tied to compromised cards that had to be cancelled; and
k. reviewing and monitoring bank accounts and credit reports for unauthorized
activity for years to come.
108. Moreover, Plaintiffs and Class Members have an interest in ensuring that their
Private Information, which is believed to remain in the possession of the Defendant, is protected
from further breaches by the implementation of security measures and safeguards, including but
not limited to, making sure that the storage of data or documents containing personal and financial
information is not accessible online and that access to such data is password-protected.
109. Further, as a result of Defendant's conduct, Plaintiffs and Class Members are forced
to live with the anxiety that their Private Information —which contains the most intimate details
about a person's life—may be disclosed to the entire world, thereby subjecting them to
embarrassment and depriving them of any right to privacy whatsoever.
110. As a direct and proximate result of Defendant's actions and inactions, Plaintiffs and
Class Members have suffered anxiety, emotional distress, and loss of privacy, and are at an
increased risk of future harm.
111. Defendant's delay in identifying and reporting the Ransomware Attack caused
additional harm. It is axiomatic that "[t]he quicker a financial institution, credit card issuer,
wireless carrier or other service provider is notified that fraud has occurred on an account, the
sooner these organizations can act to limit the damage. Early notification can also help limit the
liability of a victim in some cases, as well as allow more time for law enforcement to catch the
fraudsters in the act."27
112. Indeed, once a Ransomware Attack has occurred, "[o]ne thing that does matter is
hearing about a Ransomware Attack quickly. That alerts consumers to keep a tight watch on credit
card bills and suspicious emails. It can prompt them to change passwords and freeze credit reports.
27 Identity Fraud Hits Record High with 15.4 Million U.S. Victims in 2016, Up 16 Percent According to New Javelin
Strategy & Research Study, Business Wire, https://www.businesswire.com/news/home/20170201005166/en/Identity-Fraud-Hits-Record-High-15.4-Million.
And notifying officials can help them catch cybercriminals and warn other businesses of emerging
dangers. If consumers don't know about a breach because it wasn't reported, they can't take
action to protect themselves" (internal citations omitted).28
113. Although their Private Information was improperly compromised on June 6, 2020,
and published by the hackers in mid-June, affected consumers were not notified of the
Ransomware Attack until July 16, 2020, depriving them of the ability to promptly mitigate
potential adverse consequences resulting from the Ransomware Attack.
114. As a result of Defendant's delay in detecting and notifying consumers of the
Ransomware Attack, the risk of fraud for Plaintiffs and Class Members has been driven even
higher.
VI. CLASS ACTION ALLEGATIONS
115. Plaintiffs bring this action on behalf of themselves and on behalf of all other persons
similarly situated (the "Class") pursuant to Rule 2-231 of the Maryland Rules.
116. Plaintiffs propose the following Class definition, subject to amendment as
appropriate:
All persons whose Private Information was compromised in the Ransomware Attack, and who were sent Notice of the Ransomware Attack.
117. Excluded from the Class are Defendant's officers and directors, and any entity in
which Defendant has a controlling interest; and the affiliates, legal representatives, attorneys,
28 Consumer Reports, The Ransomware Attack Next Door: Security breaches don't just hit giants like Equifax and Marriott. Breaches at small companies put consumers at risk, too, January 31, 2019, https://www.consumerreports.org/data-theft/the-data-breach-next-door.
successors, heirs, and assigns of Defendant. Excluded also from the Class are Members of the
judiciary to whom this case is assigned, their families and Members of their staff.
118. Plaintiffs hereby reserve the right to amend or modify the class definitions with
greater specificity or division after having had an opportunity to conduct discovery. The proposed
Class meets the criteria for certification under Rule 2-231 of the Maryland Rules.
119. Numerosity. The Members of the Class are so numerous that joinder of all of them
is impracticable. While the exact number of Class Members is unknown to Plaintiffs at this time,
based on information and belief, the Class consists of approximately 47,754 consumers whose data
was compromised in the Ransomware Attack.
120. Commonality. There are questions of law and fact common to the Class, which
predominate over any questions affecting only individual Class Members. These common questions
of law and fact include, without limitation:
a. Whether Defendant unlawfully used, maintained, lost, or disclosed Plaintiffs' and
Class Members' Private Information;
b. Whether Defendant failed to implement and maintain reasonable security
procedures and practices appropriate to the nature and scope of the information
compromised in the Ransomware Attack;
c. Whether Defendant's data security systems prior to and during the Ransomware
Attack complied with applicable data security laws and regulations;
d. Whether Defendant's data security systems prior to and during the Ransomware
Attack were consistent with industry standards;
e. Whether Defendant owed a duty to Class Members to safeguard their Private
Information;
f. Whether Defendant breached its duty to Class Members to safeguard their Private
Information;
g. Whether computer hackers obtained Class Members' Private Information in the
Ransomware Attack;
h. Whether Defendant knew or should have known that their data security systems
and monitoring processes were deficient;
i. Whether Plaintiffs and Class Members suffered legally cognizable damages as a
result of Defendant's misconduct;
j. Whether Defendant's conduct was negligent;
k. Whether Defendant's conduct was per se negligent;
l. Whether the Ransomware Attack constitutes a violation of Maryland's Consumer
Protection Act, § 1301, et seq.;
m. Whether Defendant was unjustly enriched;
n. Whether Defendant failed to provide notice of the Ransomware Attack in a timely
manner; and
o. Whether Plaintiffs and Class Members are entitled to damages, civil penalties,
punitive damages, and/or injunctive relief.
121. Typicality. Plaintiffs' claims are typical of those of other Class Members because
Plaintiffs' Private Information, like that of every other Class member, was compromised in the
Ransomware Attack.
122. Adequacy of Representation. Plaintiffs will fairly and adequately represent and
protect the interests of the Members of the Class. Plaintiffs' Counsel is competent and experienced
in litigating class actions, including data privacy litigation of this kind.
123. Predominance. Defendant has engaged in a common course of conduct toward
Plaintiffs and Class Members, in that all the Plaintiffs' and Class Members' data was stored on the
same computer systems and unlawfully accessed in the same way. The common issues arising
from Defendant's conduct affecting Class Members set out above predominate over any
individualized issues. Adjudication of these common issues in a single action has important and
desirable advantages of judicial economy.
124. Superiority. A class action is superior to other available methods for the fair and
efficient adjudication of the controversy. Class treatment of common questions of law and fact is
superior to multiple individual actions or piecemeal litigation. Absent a class action, most Class
Members would likely find that the cost of litigating their individual claims is prohibitively high
and would therefore have no effective remedy. The prosecution of separate actions by individual
Class Members would create a risk of inconsistent or varying adjudications with respect to
individual Class Members, which would establish incompatible standards of conduct for
Defendant. In contrast, the conduct of this action as a class action presents far fewer management
difficulties, conserves judicial resources and the parties' resources, and protects the rights of each
Class member.
125. Defendant has acted on grounds that apply generally to the Class as a whole, so that
class certification, injunctive relief, and corresponding declaratory relief are appropriate on a
Class-wide basis.
126. Finally, all members of the proposed Class are readily ascertainable. Defendant has
access to Class Members' names and addresses affected by the Ransomware Attack. Class
Members have already been preliminarily identified and sent notice of the Ransomware Attack by
Defendant.
CAUSES OF ACTION
FIRST COUNT Negligence
(On Behalf of Plaintiffs and All Class Members)
127. Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 126 above
as if fully set forth herein.
128. Defendant required Plaintiffs and Class Members to submit non-public personal
information in order to obtain medical services.
129. By collecting and storing this data in Defendant's computer property, and sharing
and using it for commercial gain, Defendant had a duty of care to use reasonable means to secure
and safeguard their computer property—and Class Members' Private Information held within it—
to prevent disclosure of the information, and to safeguard the information from theft. Defendant's
duty included a responsibility to implement processes by which they could detect a breach of their
security systems in a reasonably expeditious period of time and to give prompt notice to those
affected in the case of a ransomware attack.
130. Defendant owed a duty of care to Plaintiffs and Class Members to provide data
security consistent with industry standards and other requirements discussed herein, and to ensure
that their systems and networks, and the personnel responsible for them, adequately protected the
Private Information.
131. Defendant's duty of care to use reasonable security measures arose as a result of
the special relationship that existed between Defendant and its patients, which is recognized by
laws and regulations including but not limited to HIPAA, as well as common law. Defendant was
in a position to ensure that its systems were sufficient to protect against the foreseeable risk of
harm to Class Members from a ransomware attack or data breach.
132. Defendant's duty to use reasonable security measures under HIPAA required
Defendant to "reasonably protect" confidential data from "any intentional or unintentional use or
disclosure" and to "have in place appropriate administrative, technical, and physical safeguards to
protect the privacy of protected health information." 45 C.F.R. § 164.530(c)(1). Some or all of the
medical information at issue in this case constitutes "protected health information" within the
meaning of HIPAA.
133. Pursuant to HIPAA, 42 U.S.C. § 1302d, et seq., Defendant had a duty to implement
reasonable safeguards to protect Plaintiffs' and Class Members' Private Information.
134. Pursuant to HIPAA, Defendant had a duty to render the electronic PHI they
maintained unusable, unreadable, or indecipherable to unauthorized individuals, as specified in the
HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which
there is a low probability of assigning meaning without use of a confidential process or key." See
definition of encryption at 45 C.F.R. § 164.304.
135. In addition, Defendant had a duty to employ reasonable security measures under
Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits "unfair . . .
practices in or affecting commerce," including, as interpreted and enforced by the FTC, the unfair
practice of failing to use reasonable measures to protect confidential data.
136. Pursuant to the Federal Trade Commission Act, 15 U.S.C. § 45, Defendant had a
duty to provide fair and adequate computer systems and data security practices to safeguard
Plaintiffs' and Class Members' Private Information.
137. Pursuant to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, Defendant had a duty
to protect the security and confidentiality of Plaintiffs' and Class Members' Private Information.
138. Defendant breached its duties to Plaintiffs and Class Members under the Federal
Trade Commission Act, HIPAA, and the Gramm-Leach-Bliley Act by failing to provide fair,
reasonable, or adequate computer systems and data security practices to safeguard Plaintiffs' and
Class Members' Private Information.
139. Defendant's failure to comply with applicable laws and regulations is evidence of
its negligence.
140. Defendant's duty to use reasonable care in protecting confidential data arose not
only as a result of the statutes and regulations described above, but also because Defendant is
bound by industry standards to protect confidential Private Information.
141. Defendant breached its duties, and thus was negligent, by failing to use reasonable
measures to protect Class Members' Private Information. The specific negligent acts and
omissions committed by Defendant include, but are not limited to, the following:
a. Failing to adopt, implement, and maintain adequate security measures to safeguard
Class Members' Private Information;
b. Failing to adequately monitor the security of their networks and systems;
c. Failing to periodically ensure that their email system had plans in place to maintain
reasonable data security safeguards;
d. Allowing unauthorized access to Class Members' Private Information;
e. Failing to detect in a timely manner that Class Members' Private Information had
been compromised; and
f. Failing to timely notify Class Members about the Ransomware Attack so that they
could take appropriate steps to mitigate the potential for identity theft and other damages.
142. It was foreseeable that Defendant's failure to use reasonable measures to protect
Class Members' Private Information would result in injury to Class Members. Further, the breach
of security was reasonably foreseeable given the known high frequency of cyberattacks and data
breaches in both the financial services and medical industry.
143. It was therefore foreseeable that the failure to adequately safeguard Class Members'
Private Information would result in one or more types of injuries to Class Members.
144. Plaintiffs and Class Members are entitled to compensatory and consequential
damages suffered as a result of the Ransomware Attack.
145. Defendant's negligent conduct is ongoing, in that it still holds the Private
Information of Plaintiffs and Class Members in an unsafe and unsecure manner, and has not
reported securing its servers that were breached in the Ransomware Attack (as evidenced by the
data posted publicly online by the ransomware gang). Plaintiffs and Class Members are also
entitled to injunctive relief requiring Defendant to (i) strengthen its data security systems and
monitoring procedures; (ii) submit to future annual audits of those systems and monitoring
procedures; and (iii) continue to provide adequate credit monitoring to all Class Members.
SECOND COUNT Breach of Express Contract
(On Behalf of Plaintiffs and All Class Members)
146. Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 126
above as if fully set forth herein.
147. Plaintiffs and Class Members allege that they entered into valid and enforceable
express contracts with Defendant.
148. The valid and enforceable express contracts that Plaintiffs and Class Members
entered into with Defendant include Defendant's promise to protect nonpublic personal
information given to Defendant or that Defendant gathers on its own from disclosure.
149. Under these express contracts, Defendant and/or affiliated healthcare providers,
promised and were obligated to: (a) provide healthcare to Plaintiffs and Class Members; and (b)
protect Plaintiffs and the Class Members' PII/PHI: (i) provided to obtain such healthcare; and/or
(ii) created as a result of providing such healthcare. In exchange, Plaintiffs and Class Members
agreed to pay money for these services, and to turn over their Private Information.
150. Both the provision of healthcare and the protection of Plaintiffs' and Class
Members' PII/PHI were material aspects of these contracts.
151. At all relevant times, Defendant expressly represented in its Privacy Policy that it
would, among other things: (A) protect patients' medical information; (B) keep medical
information private; (C) give notice of Defendant's legal duties and privacy practices with respect
to medical information about patients, (D) follow the terms of the privacy notice that is currently
in effect; (E) make any other uses and disclosures of medical information not covered by the
Privacy Notice or the laws that apply to use only with written permission; and (F) notify patients
in the event of a breach of unsecured medical information.
152. Defendant's express representations, including, but not limited to, express
representations found in Defendant's Privacy Policy, formed an express contract requiring
Defendant to implement data security adequate to safeguard and protect the privacy of Plaintiffs'
and Class Members' PII/PHI.
153. Consumers of healthcare value their privacy, the privacy of their dependents, and
the ability to keep their PII/PHI associated with obtaining healthcare private. To customers such
as Plaintiffs and Class Members, healthcare that does not adhere to industry standard data security
protocols to protect PII/PHI is fundamentally less useful and less valuable than healthcare that
adheres to industry-standard data security. Plaintiffs and Class Members would not have entered
into these contracts with Defendant without an understanding that their PII/PHI would be
safeguarded and protected.
154. A meeting of the minds occurred, as Plaintiffs and Class Members provided their
PII/PHI to Defendant and paid for the provided healthcare in exchange for, amongst other things,
protection of their PII/PHI.
155. Plaintiffs and Class Members performed their obligations under the contract when
they paid for their health care services and provided their PII/PHI.
156. Defendant materially breached its contractual obligation to protect the nonpublic
personal information Defendant gathered when the information was accessed and exfiltrated by
unauthorized personnel as part of the Ransomware Attack.
157. Defendant materially breached the terms of these express contracts, including, but
not limited to, the terms stated in the Privacy Policy. Defendant did not maintain the privacy of
Plaintiffs' and Class Members' PII/PHI as evidenced by MHE's disclosure of the Ransomware
Attack. Specifically, Defendant did not comply with industry standards, or otherwise protect
Plaintiffs' and the Class Members' PII/PHI, as set forth above.
158. The Ransomware Attack was a reasonably foreseeable consequence of Defendant's
actions in breach of these contracts.
159. As a result of Defendant's failure to fulfill the data security protections promised
in these contracts, Plaintiffs and Class Members did not receive the full benefit of the bargain, and
instead received healthcare and other services that were of a diminished value to that described in
the contracts. Plaintiffs and Class Members therefore were damaged in an amount at least equal
to the difference in the value of the healthcare with data security protection they paid for and the
healthcare they received.
160. Had Defendant disclosed that its data security was inadequate or that it did not
adhere to industry-standard security measures, neither the Plaintiffs, the Class Members, nor any
reasonable person would have purchased healthcare from Defendant.
161. As a direct and proximate result of the Ransomware Attack, Plaintiffs and Class
Members have been harmed and have suffered, and will continue to suffer, actual damages and
injuries, including without limitation the release, disclosure, and publication of their PII/PHI, the
loss of control of their PII/PHI, the imminent risk of suffering additional damages in the future,
disruption of their medical care and treatment, out-of-pocket expenses, and the loss of the benefit
of the bargain they had struck with Defendant.
162. Plaintiffs and Class Members are entitled to compensatory and consequential
damages suffered as a result of the Ransomware Attack.
THIRD COUNT Breach of Implied Contract
(On Behalf of Plaintiffs and All Class Members)
163. Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 126
above as if fully set forth herein.
164. When Plaintiffs and Class Members provided their Private Information to
Defendant in exchange for Defendant's services, they entered into implied contracts with
Defendant pursuant to which Defendant agreed to reasonably protect such information.
165. Defendant solicited, offered, and invited Class Members to provide their Private
Information as part of Defendant's regular business practices. Plaintiffs and Class Members
accepted Defendant's offers and provided their Private Information to Defendant.
166. In entering into such implied contracts, Plaintiffs and Class Members reasonably
believed and expected that Defendant's data security practices complied with relevant laws and
regulations, including HIPAA, and were consistent with industry standards.
167. Class Members who paid money to Defendant reasonably believed and expected
that Defendant would use part of those funds to obtain adequate data security. Defendant failed to
do so.
168. Plaintiffs and Class Members would not have entrusted their Private Information to
Defendant in the absence of the implied contract between them and Defendant to keep their
information reasonably secure.
169. Plaintiffs and Class Members would not have entrusted their Private Information to
Defendant in the absence of their implied promise to monitor their computer systems and networks
to ensure that they adopted reasonable data security measures.
170. Plaintiffs and Class Members fully and adequately performed their obligations
under the implied contracts with Defendant.
171. Defendant breached its implied contracts with Class Members by failing to
safeguard and protect their Private Information.
172. As a direct and proximate result of Defendant's breach of the implied contracts,
Class Members sustained damages as alleged herein.
173. Plaintiffs and Class Members are entitled to compensatory and consequential
damages suffered as a result of the Ransomware Attack.
174. Plaintiffs and Class Members are also entitled to injunctive relief requiring
Defendant to, e.g., (i) strengthen its data security systems and monitoring procedures; (ii) submit
to future annual audits of those systems and monitoring procedures; and (iii) immediately provide
adequate credit monitoring to all Class Members.
FOURTH COUNT Breach of Fiduciary Duty
(On Behalf of Plaintiffs and All Class Members)
175. Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 126
above as if fully set forth herein.
176. At all times during Plaintiffs' and Class Members' interactions with Defendant,
Defendant was fully aware of the confidential and sensitive nature of Plaintiffs' and Class
Members' Private Information that Plaintiffs and Class Members provided to Defendant.
177. As alleged herein and above, Defendant's relationship with Plaintiffs and Class
Members was governed by terms and expectations that Plaintiffs' and Class Members' Private
Information would be collected, stored, and protected in confidence, and would not be disclosed
to unauthorized third parties.
178. Plaintiffs and Class Members provided their respective Private Information to
Defendant with the explicit and implicit understandings that Defendant would protect and not
permit the Private Information to be disseminated to any unauthorized parties.
179. Plaintiffs and Class Members also provided their Private Information to Defendant
with the explicit and implicit understandings that Defendant would take precautions to protect that
Private Information from unauthorized disclosure, such as following basic principles of protecting
its networks and data systems.
180. Defendant voluntarily received in confidence Plaintiffs' and Class Members'
Private Information with the understanding that Private Information would not be disclosed or
disseminated to the public or any unauthorized third parties.
181. In light of the special relationship between Defendant and Plaintiffs and Class
Members, whereby Defendant became guardians of Plaintiffs' and Class Members' Private
Information, Defendant became a fiduciary by their undertaking and guardianship of the Private
Information, to act primarily for Plaintiffs and Class Members, (1) for the safeguarding of
Plaintiffs' and Class Members' Private Information; (2) to timely notify Plaintiffs and Class
Members of a Ransomware Attack and disclosure; and (3) to maintain complete and accurate
records of what information (and where) Defendant did and does store.
182. Defendant has a fiduciary duty to act for the benefit of Plaintiffs and Class Members
upon matters within the scope of Defendant's relationship with its patients, in particular, to keep
secure their Private Information.
183. Defendant breached its fiduciary duties to Plaintiffs and Class Members by failing
to diligently discover, investigate, and give notice of the Ransomware Attack in a reasonable and
practicable period of time.
184. Defendant breached its fiduciary duties to Plaintiffs and Class Members by failing
to encrypt and otherwise protect the integrity of the systems containing Plaintiffs' and Class
Members' Private Information.
185. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
failing to timely notify and/or warn Plaintiffs and Class Members of the Ransomware Attack.
186. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
failing to ensure the confidentiality and integrity of electronic PHI Defendant created, received,
maintained, and transmitted, in violation of 45 C.F.R. § 164.306(a)(1).
187. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
failing to implement technical policies and procedures for electronic information systems that
maintain electronic PHI to allow access only to those persons or software programs that have been
granted access rights in violation of 45 C.F.R. § 164.312(a)(1).
188. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
failing to implement policies and procedures to prevent, detect, contain, and correct security
violations, in violation of 45 C.F.R. § 164.308(a)(1).
189. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
failing to identify and respond to suspected or known security incidents and to mitigate, to the
extent practicable, harmful effects of security incidents that are known to the covered entity in
violation of 45 C.F.R. § 164.308(a)(6)(ii).
190. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
failing to protect against any reasonably-anticipated threats or hazards to the security or integrity
of electronic PHI in violation of 45 C.F.R. § 164.306(a)(2).
191. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
failing to protect against any reasonably anticipated uses or disclosures of electronic PHI that are
not permitted under the privacy rules regarding individually identifiable health information in
violation of 45 C.F.R. § 164.306(a)(3).
192. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
failing to ensure compliance with the HIPAA security standard rules by their workforces in
violation of 45 C.F.R. § 164.306(a)(94).
193. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
impermissibly and improperly using and disclosing PHI that is and remains accessible to
unauthorized persons in violation of 45 C.F.R. § 164.502, et seq.
194. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
failing to effectively train all Members of their workforces (including independent contractors) on
the policies and procedures with respect to PHI as necessary and appropriate for the Members of
their workforces to carry out their functions and to maintain security of PHI in violation of 45
C.F.R. § 164.530(b) and 45 C.F.R. § 164.308(a)(5).
195. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by
failing to design, implement, and enforce policies and procedures establishing physical and
administrative safeguards to reasonably safeguard PHI, in compliance with 45 C.F.R. §
164.530(c).
196. Defendant breached its fiduciary duties to Plaintiffs and Class Members by
otherwise failing to safeguard Plaintiffs' and Class Members' Private Information.
197. As a direct and proximate result of Defendant's breaches of its fiduciary duties,
Plaintiffs and Class Members have suffered and will suffer injury, including but not limited to: (i)
actual identity theft; (ii) the compromise, publication, and/or theft of their Private Information;
(iii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity
theft and/or unauthorized use of their Private Information; (iv) lost opportunity costs associated
with effort expended and the loss of productivity addressing and attempting to mitigate the actual
and future consequences of the Ransomware Attack, including but not limited to efforts spent
researching how to prevent, detect, contest, and recover from identity theft; (v) the continued risk
to their Private Information, which remains in Defendant's possession and is subject to further
unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures
to protect the Private Information in their continued possession; (vi) future costs in terms of time,
effort, and money that will be expended as result of the Ransomware Attack for the remainder of
the lives of Plaintiffs and Class Members; and (vii) the diminished value of Defendant's services
they received. As a direct and proximate result of Defendant's breaches of their fiduciary duties,
Plaintiffs and Class Members have suffered and will continue to suffer other forms of injury and/or
harm, and other economic and non-economic losses.
FIFTH COUNT Violation of Maryland's Consumer Protection Act
(On Behalf of Plaintiffs and All Class Members)
198. Plaintiffs repeat and re-allege each and every allegation contained in Paragraphs 1
through 126 as if fully set forth herein.
199. This cause of action is brought pursuant to the Maryland Consumer Protection Act,
§ 13-101, et seq. and the Maryland Personal Information Protection Act, § 14-3501, et seq.
200. The purpose of the Maryland Consumer Protection Act is "to set certain minimum
statewide standards for the protection of consumers across the State [of] [Maryland]."
201. The Maryland Personal Information Protection Act was implemented to, among
other things, "[t]o protect personal information from unauthorized access, use, modification, or
disclosure...of an individual residing in the State [of] [Maryland]."
202. A violation of the Maryland Personal Information Protection Act "is an unfair or
deceptive trade practice."
203. Defendant has violated the Maryland Personal Information Protection Act and, by
extension, the Maryland Consumer Protection Act by engaging in the conduct alleged herein.
204. Independently, Defendant has violated the Maryland Consumer Protection Act by
engaging in the unfair and deceptive practices alleged herein. Pursuant to HIPAA (42 U.S.C. §
1302d et seq.), the FTCA, and Maryland law, Defendant was required by law, but failed, to
maintain adequate and reasonable data and cybersecurity measures to maintain the security and
privacy of Plaintiffs' and Class Members' Private Information. This constitutes a violation of
Maryland's Consumer Protection Act.
205. The damages suffered by Plaintiffs and Class Members were directly and
proximately caused by the deceptive, misleading and unfair practices of Defendant, as described
above.
206. Plaintiffs and Class Members seek declaratory judgment that Defendant's data
security practices were not reasonable or adequate and caused the Ransomware Attack under the
Maryland CPA, as well as injunctive relief enjoining the above described wrongful acts and
practices of Defendant MHE and requiring Defendant MHE to employ and maintain industry
accepted standards for data management and security, including, but not limited to, proper
segregation, access controls, password protection, encryption, intrusion detection, secure
destruction of unnecessary data, and penetration testing.
207. Additionally, Plaintiffs and Class Members make claims for actual damages,
attorneys' fees and costs.
PRAYER FOR RELIEF
WHEREFORE, Plaintiffs pray for judgment as follows:
a. For an Order certifying this action as a class action and appointing Plaintiffs and
their counsel to represent the Class;
b. For equitable relief enjoining Defendant from engaging in the wrongful conduct
complained of herein pertaining to the misuse and/or disclosure of Plaintiffs' and Class
Members' Private Information, and from refusing to issue prompt, complete and accurate
disclosures to Plaintiffs and Class Members;
c. For equitable relief compelling Defendant to utilize appropriate methods and
policies with respect to consumer data collection, storage, and safety, and to disclose with
specificity the type of Private Information compromised during the Ransomware Attack;
d. For equitable relief requiring restitution and disgorgement of the revenues
wrongfully retained as a result of Defendant's wrongful conduct;
e. Ordering Defendant to pay for not less than seven years of credit monitoring
services for Plaintiffs and the Class;
f. For an award of actual damages, compensatory damages, statutory damages, and
statutory penalties, in an amount to be determined, as allowable by law;
g. For an award of punitive damages, as allowable by law;
h. For an award of attorneys' fees and costs, and any other expense, including expert
witness fees;
i. Pre- and post-judgment interest on any amounts awarded; and
j. Such other and further relief as this court may deem just and proper.
JURY TRIAL DEMANDED
Plaintiffs demand a trial by jury on all claims so triable.
Dated: July 30, 2020 Respectfully submitted,
/s/ Gary E. Mason
Gary E. Mason (Md. Bar No. 15033) (ID 0106080003)
David K. Lietz*
MASON LIETZ & KLINGER LLP
5301 Wisconsin Avenue, NW, Suite 305
Washington, DC 20016
Tel: (202) 429-2290
Email: [email protected]
Email: [email protected]
Attorneys for Plaintiffs
*Pro hac vice forthcoming