Case 2:20-cv-01409-JMV-MF Document 1 Filed 02/10/20 Page 1 of 45 PageID: 1

UNITED STATES DISTRICT COURT DISTRICT OF NEW JERSEY NEWARK DIVISION

DAVID ARANOWITZ and ROXANE CAMPAGNA on behalf of themselves and all others similarly situated,

Plaintiffs,

v.

HACKENSACK MERIDIAN HEALTH, INC.,

Defendant.

Civil Action No.

CLASS ACTION COMPLAINT

1. Plaintiffs DAVID ARANOWITZ and ROXANE CAMPAGNA, individually, and on behalf of all others similarly situated, bring this action against Defendant, HACKENSACK MERIDIAN HEALTH, INC. ("HMH" or "Defendant") to obtain damages, restitution, and injunctive relief for the Class, as defined below, from Defendant. Plaintiffs make the following allegations upon information and belief, except as to their own actions, the investigation of their counsel, and the facts that are a matter of public record.

JURISDICTION AND VENUE

2. This Court has federal question subject matter jurisdiction over this action pursuant to 28 U.S.C. § 1331 because the Plaintiffs assert claims that necessarily raise substantial disputed federal issues under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Federal Trade Commission Act (15 U.S.C. § 45) and the Gramm-Leach-Bliley Act (15 U.S.C. § 6801). See, e.g., infra at ¶ 40.


3. Defendant has sufficient minimum contacts in New Jersey, as it is a domestic not-for-profit corporation organized under the laws of the State of New Jersey and conducts the majority (if not all) of its business in the State of New Jersey, thus rendering the exercise of personal jurisdiction by this Court proper and necessary.

4. Venue is proper in this District under 28 U.S.C. § 1391 because a substantial part of the events and omissions giving rise to these claims occurred in this District.

NATURE OF THE ACTION

5. This class action arises out of the recent ransomware attack at HMH's medical facilities that disrupted operations by, among other things, blocking access to HMH's computer systems and data, including the highly sensitive patient medical records of thousands of patients (the "Ransomware Attack"). As a result of the Ransomware Attack, Plaintiffs and Class Members suffered ascertainable losses in the form of disruption of medical services, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack. In addition, Plaintiffs' and Class Members' sensitive personal information--which was entrusted to HMH, its officials and agents--was compromised and unlawfully accessed due to the Ransomware Attack. Information compromised in the Ransomware Attack includes names, demographic information, date of birth, Social Security numbers, driver's license or identification card numbers, employment information, health insurance information, medical information, other protected health information as defined by the HIPAA, and additional personally identifiable information ("PII") and protected health information ("PHI") that Defendant HMH collected and maintained (collectively the "Private Information").

6. Plaintiffs bring this class action lawsuit on behalf of those similarly situated to address Defendant's inadequate safeguarding of Class Members' Private Information that they collected and maintained, and for failing to provide timely and adequate notice to Plaintiffs and other Class Members that their information had been subject to the unauthorized access of an unknown third party and precisely what specific type of information was accessed.

7. Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant HMH's computer network in a condition vulnerable to cyberattacks of the type that cause actual disruption to Plaintiffs' and Class Members' medical care and treatment. As a result of the Ransomware Attack, Plaintiffs' and Class Members' Private Information was seized and held hostage by computer hackers for 'ransom', and ultimately disclosed to other unknown thieves. Upon information and belief, the mechanism of the ransomware and potential for improper disclosure of Plaintiffs' and Class Members' Private Information was a known risk to Defendant, and thus Defendant was on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.

8. In addition, HMH and its employees failed to properly monitor the computer network and systems that housed the Private Information. Had HMH properly monitored its property, it would have discovered the intrusion sooner.

9. Because of the Ransomware Attack, Plaintiffs and Class Members had their medical care and treatment as well as their daily lives disrupted. As a consequence of the ransomware locking down the medical records of Plaintiffs and Class Members, Plaintiffs and Class Members had to, among other things, forego medical care and treatment or had to seek alternative care and treatment.


10. What's more, aside from having their lives disrupted, Plaintiffs' and Class Members' identities are now at risk because of Defendant's negligent conduct since the Private Information that Defendant HMH collected and maintained is now in the hands of data thieves.

11. Armed with the Private Information accessed in the Ransomware Attack, data thieves can commit a variety of crimes including, e.g., opening new financial accounts in class members' names, taking out loans in class members' names, using class members' names to obtain medical services, using class members' health information to target other phishing and hacking intrusions based on their individual health needs, using class members' information to obtain government benefits, filing fraudulent tax returns using class members' information, obtaining driver's licenses in class members' names but with another person's photograph, and giving false information to police during an arrest.

12. As a further result of the Ransomware Attack, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiffs and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

13. Plaintiffs and Class Members may also incur out of pocket costs for, e.g., purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft.

14. By their Complaint, Plaintiffs seek to remedy these harms on behalf of themselves and all similarly situated individuals whose Private Information was accessed or ransomed during the Ransomware Attack.

15. Plaintiffs seek remedies including, but not limited to, compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant's data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.

16. Accordingly, Plaintiffs bring this action against Defendant HMH seeking redress for its unlawful conduct, and asserting claims for: (i) negligence, (ii) intrusion upon seclusion, (iii) negligence per se, (iv) breach of express contract, (v) breach of implied contract, (vi) breach of fiduciary duty and, (vii) violation of the New Jersey consumer protection law.

PARTIES

17. Plaintiff DAVID ARANOWITZ is, and at all times mentioned herein was, an individual citizen of the State of New Jersey residing in Roseland, New Jersey.

18. Plaintiff ROXANE CAMPAGNA is, and at all times mentioned herein was, an individual citizen of the State of New Jersey residing in Clifton, New Jersey.

19. Defendant HMH is a New Jersey domestic not-for-profit corporation with its principal place of business at 343 Thornall Street, Edison, NJ 08837.

DEFENDANT'S BUSINESS

20. Defendant HMH is in the business of rendering hospital services, medical care, treatment, health services, education, and research to the entire state of New Jersey through a network of providers and facilities.

21. Defendant HMH is a combined organization of 17 hospitals and more than 200 ambulatory care centers, fitness and wellness centers, home health services, rehab centers, and skilled nursing centers spanning from Bergen to Atlantic counties.

22. In the ordinary course of receiving treatment and health care services from Defendant HMH, patients are required to provide Defendant with sensitive, personal and private information such as:

Name, address, phone number and email address;

Date of birth;

Demographic information;

Social Security number;

Information relating to individual medical history;

Insurance information and coverage;

Information concerning an individual's doctor, nurse or other medical providers;

Photo identification;

Employer information, and;

Other information that may be deemed necessary to provide care.

23. Defendant HMH also gathers certain medical information about patients and creates records of the care it provides to them.

24. Additionally, Defendant HMH may receive private and personal information from other individuals and/or organizations that are part of a patient's "circle of care", such as referring physicians, patients' other doctors, patient's health plan(s), close friends, and/or family members.

25. All of Defendant's employees, staff, entities, clinics, sites, and locations may share patient information with each other for various purposes, as disclosed in the Joint Notice of Privacy Practices (the "Privacy Notice").1

26. The Privacy Notice is provided to every patient upon request and is posted on Defendant's website. Patients are asked to "sign an acknowledgement that you have received this Notice."2

1 8.5x11-18-NEWcolor-1.pdf

2 Id.


27. Because of the highly sensitive and personal nature of the information Defendant acquires and stores with respect to its patients, HMH promises to: (1) "Maintain the privacy and security of your health information;" (2) "Provide you with this Notice as to our legal duties and privacy practices with respect to information we collect and maintain about you;" (3) "Abide by the terms of this Notice;" (4) "Notify you if a breach occurs that may have compromised the privacy and security of your information," and; (5) "not use or disclose your health information without your authorization, except as described in this Notice and for treatment, payment, or health care operations."3

THE RANSOMWARE ATTACK

28. A ransomware attack is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker.4

29. On December 2, 2019, HMH experienced an "IT disruption" and determined that it was the victim of a targeted ransomware attack.

30. The attack brought down HMH's computer network for two days, leaving hospitals in the HMH network to reschedule non-emergency surgeries and doctors and nurses "scrambling to deliver care without access to electronic records."5

31. According to a spokeswoman for the Health Professionals and Allied Employees union, nurses at HMH facilities couldn't rely on computers to do basic tasks, like deliver lab results quickly or provide accurate information about patients' medication, resulting in delayed care to patients.6

3 Id.

4 .

5

32. HMH commenced an investigation, working with external cybersecurity and forensic experts, to determine the full nature and scope of the cyber incident.

33. On or about December 13, 2019, HMH publicly announced that the investigation resulted in a preliminary assessment of this cyber incident and disclosed that it was a ransomware attack.

34. HMH determined that there had been improper access to certain portions of HMH's network and computer systems and that a computer "ransomware" virus had encrypted (i.e., made unreadable) certain files on HMH's computer systems.

35. The Ransomware Attack held hostage a critical portion of HMH's computer systems, including patient files, medical records, patient names, resulting in service disruptions throughout the organization.

36. All 17 hospitals in HMH's network were affected by the Ransomware Attack.

37. As a consequence of the cyber-attack on HMH's computer systems, certain affected data was encrypted and locked away by the ransomware. This data included the Protected Health Information, or PHI, of Defendant HMH's patients, including Plaintiffs and Class Members, who entrusted Defendant with this highly sensitive and private information.

38. Plaintiffs believe their Private Information was stolen (and subsequently sold) in the Ransomware Attack. In the past year, ransomware variants have expanded to include data exfiltration, participation in distributed denial of service (DDoS) attacks, and anti-detection
