Facts

Nadine Ferrer obtained medical services with San Diego Family Care. To obtain the services, she was required to provide certain personal information. In 2021, San Diego Family Care sent Ferrer a letter entitled, "Subject: Notice of Data Breach" which was dated May 7, 2021. The letter, signed by San Diego Family Care's Chief Executive Officer, Roberta L. Feinberg, stated that a data security incident occurred that may have affected her data. On April 6 , 2021, San Diego Family Care also described the data security incident on its website, noting that the information that may have been involved in the incident included: individuals' names; Social Security or other government identification numbers; financial account numbers; dates of birth; medical diagnosis or treatment information; and/or health insurance information. On May 25, 2021, Ferrer filed a class action complaint against San Diego Family Care and others. About a month later, Dacia Thomas, who also obtained services from San Diego Family Care and received notice of the breach, filed suit. The two cases were later consolidated.

PLAINTIFFS' CONTENTIONS: Plaintiff Ferrer contended that defendants' failure to adequately protect the confidentiality of personal and confidential medical information and prevent its disclosure or access by unauthorized third parties was a violation of the Confidentiality of Medical Information Act (CIMA), breach of the California Security Notification Laws, and violation of California's Unfair Competition Law (UCL). Plaintiff Thomas asserted claims for negligence, invasion of privacy, breach of expressed and implied contract, breach of fiduciary duty, unjust enrichment and violation of CIMA and UCL.

DEFENDANTS' CONTENTIONS: Defendants denied all contentions and liability. Defendant San Diego Family Care and its business associate, Health Care Partners of Southern California, became aware that their information technology hosting provider experienced a data security incident that resulted in the encryption of certain data. While the hosting provider took steps to secure and restore its systems and launched an investigation, at that time, defendants did not know if any data belonging to defendants may have been involved in the incident. Based on the investigation, it was ascertained that some of defendants' data may have been accessed or acquired by an unauthorized individual. Defendants obtained a copy of the data that was impacted and using experts conducted a thorough review to identify individuals whose information may have been involved in the incident. It then sent out the notification letters which included steps as to what individuals could do to protect their information. Defendant also established a toll-free call center to answer questions about the incident and address related concerns.

Settlement Discussions

The parties participated in JAMS mediation with Bruce Friedman.

Result

The case settled for $1,000,000. An Identity Theft Protection Package subscription will be available for the settlement class members for two years at no cost, and class members may be reimbursed for specified out-of-pocket losses. Defendants will also work with its hosting provider to ensure that appropriate remediation measures are taken to reduce the likelihood of a similar incident occurring in the future.