A Rochester man is suing South Country Health Alliance, alleging a 2020 data breach was brought on by its failure to secure its nearly 67,000 members' protected health information, including names, addresses, Social Security numbers, and diagnostic and/or treatment information.
South Country purchases health plans for residents in its nine member counties — including Dodge, Goodhue, Steele and Waseca counties — who are enrolled in Medical Assistance, General Assistance Medical Care and MinnesotaCare. While Justin Hiatt is the only named plaintiff, the complaint, filed April 29 in Steele County court, is a class-action suit and includes any individual whose data was compromised in the breach.
On Sept. 14, 2020, South Country discovered that unauthorized access to an employee email account occurred the prior June, according to a Dec. 30, 2020 release from the alliance. Once the breach was discovered, South Country reported it immediately, secured the accounts, began an investigation and engaged cybersecurity experts to assist with the investigation.
By early November, South Country determined personal information belonging to some members may have been compromised, reportedly identifying and contacting those individuals and offering them complimentary credit monitoring and identity protection services.
Those efforts weren't sufficient, according to the court filing.
"The (protected health information) stolen in the data breach is significantly more valuable than the loss of, say, credit card information in a large retailer data breach. Victims affected by those retailer breaches could avoid much of the potential future harm by simply cancelling credit or debit cards and obtaining replacements. The information stolen in the data breach — most notably name, date of birth and Social Security number is difficult — if not impossible, to change," it said.
Hiatt says he's already suffered consequences from the breach — his protected health information was allegedly used to open two unauthorized overseas accounts — and notes that he and the other victims will continue to do so for years to come.
"It is incorrect to assume that reimbursing a victim of the data breach for financial loss due to fraud makes that individual whole again. On the contrary, after conducting a study, the U.S. Department of Justice's Bureau of Justice Statistics found that 'among victims who had personal information used for fraudulent purposes, 29% spent a month or more resolving problems," and that, "resolving the problems caused by identity theft [could] take more than a year for some victims,'" according to the suit.
The lawsuit also alleges South Country not only failed to train its employees to recognize potentially dangerous emails, it failed to safeguard client information as described in its privacy policy and did not identify specific actions to increase security and protect members’ data in the future, according to a release from the plaintiff's attorney, Hellmuth & Johnson.
Hiatt is requesting a jury trial. South Country has 30 days to file its response.