In the first of what is expected to be a flurry of lawsuits stemming from a cyberattack against a Los Angeles County medical network, a Whittier man is suing PIH Health for failing to safeguard his confidential information from hackers who purportedly stole 17 million patient records from computer servers last month.
Ferdinand Rivera’s lawsuit seeks unspecified damages for negligence, invasion of privacy and other complaints arising from the Dec. 1 ransomware attack that downed information technology systems and most phone lines at PIH Health Downey Hospital, PIH Health Whittier Hospital and PIH Health Good Samaritan Hospital in Los Angeles.
The data breach also compromised systems at PIH urgent care centers, doctors’ offices, and home health and hospice agencies.
Rivera’s lawsuit was the first among more than a dozen suits filed already in Los Angeles Superior Court against PIH in response to the breach, the Daily Journal reported.
The Southern California News Group obtained a copy of a threatening, typewritten letter purportedly faxed by the unidentified hackers to PIH outlining the scope of the attack.
The cyberthieves said they found PIH’s network “highly vulnerable,” with data stored insecurely on servers, and claimed to have stolen about 2 terabytes of files, including 17 million confidential patient records that include home addresses, phone numbers, places of employment and medical expenses.
Hackers also claimed they had recovered data for 8.1 million “medical episodes,” detailing patient diagnoses, test results, photos, scans and private emails.
It is unknown if PIH has paid a ransom to the hackers. No known group has publicly claimed responsibility for the attack.
PIH did not address the allegations in Rivera’s lawsuit, but have noted that phone services were restored at its hospitals.
“We are safely bringing communications, clinical applications, and technologies back online,” Amanda Enriquez, a spokesperson for PIH, said in an email.
PIH Health was subjected to a previous breach in June 2019, when a targeted email phishing campaign against company employees compromised personal and protected health information for nearly 200,000 patients. However, PIH didn’t report the breach to the U.S. Health and Human Services Office for Civil Rights until seven months later.
At that time, Rivera’s suit alleges, patients believed PIH had taken additional security measures to protect its computer servers from future attacks, with PIH officials stating the “privacy and protection of private information is a top priority.”
PIH has a duty to exercise reasonable care in obtaining and protecting confidential patient information from being stolen and misused by unauthorized individuals, the suit states.
Personally identifiable information is highly valuable to hackers, who frequently sell it to identity thieves on the dark web, a part of the internet that’s hidden and can only be accessed with specific software or authorization. The stolen data can be used for a variety of crimes, including credit card and bank fraud.
The number of data breaches in the United States surged from 447 in 2012 to more than 3,200 in 2023, costing consumers $12.5 billion last year, the lawsuit states.
Rivera has purchased a credit monitoring service to guard against identity theft in the wake of the recent PIH ransomware attack.
“Plaintiff has suffered compensable damages because he may need to incur the cost of a monitoring service,” the suit states. Exposure of plaintiff’s PII (personally identifiable information) as a result of the PIH ransomware attack has placed him at imminent, immediate and continuing risk of further identity theft-related harm.”