
4/6/2020 1:30 PM

20CV14727

IN THE CIRCUIT COURT OF THE STATE OF OREGON

FOR THE COUNTY OF MULTNOMAH

JANICE EVANS, LEE GREGORY, and DARLENE MCALPINE, on behalf of themselves and all others similarly situated,

Plaintiffs,

vs.

HEALTH SHARE OF OREGON,

Defendant.

Case No.

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

ACTION FOR EQUITABLE RELIEF

(Filing Fee Pursuant to ORS 21.135)

CLAIM NOT SUBJECT TO MANDATORY ARBITRATION

Pursuant to ORCP 32, Plaintiffs Janice Evans, Lee Gregory, and Darlene McAlpine, individually and on behalf of all others similarly situated (“the Class”), bring this action against Defendant Health Share of Oregon (“Health Share” or “Defendant”) to obtain restitution and injunctive relief for the Class, as defined below. After giving notice as required by ORCP 32 H, Plaintiffs anticipate amending this complaint to seek damages for Plaintiffs and the Class. Plaintiffs make the following allegations with actual knowledge as to their own actions and upon information and belief and the investigation of their counsel as to all other matters.
NATURE OF THIS ACTION

1.

This class action arises out of the recent data breach (“Data Breach”) involving Defendant’s organization. As a result of the Data Breach, Plaintiffs and approximately 654,000 individuals (“Class Members”) suffered ascertainable losses in the form of the loss of the benefit of their bargain, out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack. In addition, Plaintiffs’ and Class Members’ sensitive personal information—which was entrusted to Defendant—was compromised and unlawfully accessed due to the Data Breach. Information compromised in the Data Breach includes names, addresses, phone numbers, dates of birth, Social Security numbers, Medicaid ID numbers, other protected health information as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and additional personally identifiable information (“PII”) and protected health information (“PHI”) that Defendant collected and maintained (collectively the “Private Information”).

2.

Plaintiffs bring this class action lawsuit to address Defendant’s inadequate safeguarding of Class Members’ Private Information that it collected and maintained, and for failing to provide timely and adequate notice to Plaintiffs and Class Members that their information had been subject to the unauthorized access of an unknown third party and precisely what specific type of information was accessed.

3.

Defendant, through its agent, GridWorks Lab, Inc., (“GridWorks”), maintained the Private Information in a reckless manner such that it was vulnerable to data thieves. Due to the highly valuable nature of the Private Information, the potential for improper disclosure of Plaintiffs’ and Class Members’ Private Information was a known risk to Defendant, and thus, Defendant was on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.
4.

Plaintiffs’ and Class Members’ identities are now at risk because of Defendant’s negligent conduct since the Private Information that Defendant collected and maintained is now in the hands of data thieves.

5.

Armed with the Private Information accessed in the Data Breach, data thieves can commit a variety of crimes including, e.g., opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ names to obtain medical services, using Class Members’ health information to target other phishing and hacking intrusions based on their individual health needs, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph, and giving false information to police during an arrest.

6.

As a result of the Data Breach, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiffs and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

7.

Plaintiffs and Class Members may also incur out of pocket costs for, e.g., purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft.

8.

Plaintiffs seek to remedy these harms on behalf of themselves and all similarly situated individuals whose Private Information was accessed during the Data Breach.
9.

Plaintiffs seek injunctive relief including improvements to Defendant’s data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.

PARTIES

10.

Plaintiff JANICE EVANS is, and at all times mentioned herein was, an individual citizen of the State of Oregon residing in the City of Milwaukie.

11.

Plaintiff LEE GREGORY is, and at all times mentioned herein was, an individual citizen of the State of Oregon residing in the City of Portland.

12.

Plaintiff DARLENE MCALPINE is, and at all times mentioned herein was, an individual citizen of the State of Oregon residing in the City of Gresham.

13.

Defendant HEALTH SHARE OF OREGON (“Health Share” or “Defendant”) is Oregon’s largest Medicaid coordinated care organization with its principal place of business in Portland, Multnomah County, Oregon.

JURISDICTION AND VENUE

14.

Defendant is a corporation organized and existing under the laws of Oregon with its principal place of business in Portland, Oregon, thus rendering the exercise of personal jurisdiction by this Court proper and necessary.
15.

Venue is proper because Defendant resides in this County and a substantial part of the events and omissions giving rise to these claims occurred in this County.

DEFENDANT’S BUSINESS

16.

Health Share of Oregon is an organization founded in 2012 to coordinate the provision of medical, dental, and behavioral health care for Medicaid beneficiaries in a tri-county region encompassing Portland, which includes the counties of Multnomah, Clackamas, and Washington.

17.

As one of 16 coordinated care organizations designated by the state to oversee and improve the delivery of these services for a geographically defined population, it receives a global budget.

18.

It distributes per-capita payments to health plans—some of which are integrated delivery systems—and county-run mental health agencies that have agreed to accept risk for providing or ensuring access to defined services.

19.

These risk-bearing entities—all founders of Health Share—serve on its governing board, along with representatives of community-based organizations and social service agencies committed to this population.

20.

Health Share brings these stakeholders together intending to serve high-need, high-cost patients; achieve efficiencies by centralizing certain administrative and enrollment functions; and create accountability for performance.
21.

In the ordinary course of receiving health care services from Health Share, patients are required to provide sensitive personal and private information such as:

• Name, address, phone number and email address;
• Date of birth;
• Demographic information;
• Social Security number;
• Information relating to individual medical history;
• Insurance information and coverage;
• Information concerning an individual’s doctor, nurse or other medical providers;
• Photo identification;
• Employer information; and
• Other information that may be deemed necessary to provide care.

22.

According to Defendant’s Notice of Privacy Practices,[1] it shares patients’ Private Information under a very limited set of circumstances to, in essence, carry out treatment and otherwise run its business operations.

23.

The Privacy Notice is provided to every patient upon request and is posted on Defendant’s website.[2]

[1] Health Share of Oregon, Notice of Privacy Policies, available at https://www.healthshareoregon.org/privacy-policy (last accessed Apr. 2, 2020).
[2] Id.
24.

Because of the highly sensitive and personal nature of the information Defendant acquires and stores with respect to its patients, Health Share promises to, among other things “keep[] the privacy of your health information”.[3] As Health Share acknowledges: “we are required by law do so for any information created or kept by us.”

25.

Health Share also makes a host of other representations and promises in respect to its supposed safeguarding practices of consumers’ Private Information, including, but not limited to the following:

• Health Share has many ways to protect your PHI, such as locks, passwords and firewalls.
• Only people who need your PHI for health care operations, coordinating your care and other reasons explained below are allowed to see your PHI.
• Because PHI may be oral, written, or electronic, Health Share has many ways to keep it safe. We use methods such as cabinet locks for paper records, passwords, encryption and firewalls for our computer systems. Paper that is no longer needed is shredded or destroyed in such a way that your PHI cannot be read or reconstructed. Electronic information is cleared, purged or destroyed so that PHI cannot be retrieved.[4]

[3] Id.
[4] Id.
THE DATA BREACH

26.

Sometime prior to March 2019, Health Share contracted with GridWorks to provide its members with transportation to non-emergency medical appointments through its Ride to Care program.

27.

Between April 2019 and January 2020, Health Share conducted zero security audits of GridWorks to ensure that the Private Information of Health Share’s members was being adequately secured and protected.

28.

On November 18, 2019, a burglary occurred at the facilities of GridWorks, and a laptop was stolen containing the Private Information of 654,362 current and former members of Health Share.[5]

29.

The laptop was unencrypted and contained current and former Health Share members’ names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers.

30.

Health Share did not safeguard its members’ Private Information, including by conducting appropriate security audits of its vendor, GridWorks, and so it did not discover the Data Breach until another six weeks later on January 2, 2020.

[5] Health Share of Oregon, Health Share of Oregon transportation vendor, GridWorks, confirms data breach, PRNewswire (Feb. 5, 2020), https://www.prnewswire.com/news-releases/health-share-of-oregon-transportation-vendor-gridworks-confirms-data-breach-300999722.html.
31.

Despite acknowledging the high likelihood that the Private Information of Plaintiffs and Class Members was compromised in this targeted burglary, Defendant did not begin to notify affected patients until February 5, 2020, approximately two and a half months after the Data Breach.

32.

Plaintiffs believe their Private Information was stolen (and subsequently sold) in the Data Breach. Notably, in its Notification of Data Security Incident, Health Share did not deny that Plaintiffs’ and Class Members’ Private Information was compromised during this Data Breach, and “strongly urged” Class Members to take steps to enroll in identity theft protection services.

33.

Defendant had obligations created by HIPAA, contract, industry standards, common law, and representations made to Plaintiffs and Class Members to keep their Private Information confidential and to protect it from unauthorized access and disclosure.

34.

Plaintiffs and Class Members provided their Private Information to Defendant with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access.

35.

Defendant’s data security obligations were particularly important given the substantial increase in cyberattacks and/or data breaches in the healthcare industry preceding the date of the breach.
36.

Indeed, cyberattacks have become so notorious that the Federal Bureau of Investigation and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack. As one report explained, “[e]ntities like smaller municipalities and hospitals are attractive to ransomware criminals . . . because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”[6]

37.

Also, data breaches involving stolen laptops are a common and widely publicized phenomenon. In 2016, the website PC World noted that “[e]very time a stolen laptop leads to a data breach, you wonder why the business involved hadn’t set up any safeguards,” and goes on to report on multiple stolen laptop data breaches involving hospitals and medical care providers, including one (the EMC and Hartford Hospital data breach) that dates back to 2012.[7]

[6] Ben Kochman, FBI, Secret Service Warn Of Targeted Ransomware, Law360 (Nov. 18, 2019), https://www.law360.com/consumerprotection/articles/1220974/fbi-secret-service-warn-of-targeted-ransomware (emphasis added).
[7] Jonathan Keane, Why stolen laptops still cause data breaches, and what's being done to stop them, PCWorld (Jan. 13, 2016), https://www.pcworld.com/article/3021316/why-stolen-laptops-still-cause-data-breaches-and-whats-being-done-to-stop-them.html.

38.

Therefore, the risk of a stolen laptop data breach was widely known to the public and to anyone in Defendant’s industry, including Defendant.

39.

Defendant breached its obligations to Plaintiffs and Class Members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard its computer systems and data. Defendant’s unlawful conduct includes, but is not limited to, the following acts and/or omissions:

(a) Failing to maintain an adequate data security system, including proper controls over laptops and electronic data storage devices, to reduce the risk of data breaches;

(b) Failing to adequately protect patients’ Private Information;

(c) Failing to update its encryption and audit procedures, revise its equipment custody protocols, retrain employees on privacy and data security, and install remote-wipe software on portable devices;

(d) Failing to implement a robust policy for the handling of professional devices, including full disk encryption as well as encrypted cloud and removable media and strong password protocols;

(e) Failing to ensure that its vendors with access to its computer systems and data employed reasonable security procedures;

(f) Failing to ensure the confidentiality and integrity of electronic PHI it created, received, maintained, and/or transmitted, in violation of 45 CFR § 164.306(a)(1);

(g) Failing to implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights in violation of 45 CFR § 164.312(a)(1);

(h) Failing to implement policies and procedures to prevent, detect, contain, and correct security violations in violation of 45 CFR § 164.308(a)(1)(i);

(i) Failing to protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI in violation of 45 CFR § 164.306(a)(2);

(j) Failing to protect against reasonably anticipated uses or disclosures of electronic PHI that are not permitted under the privacy rules regarding individually identifiable health information in violation of 45 CFR § 164.306(a)(3);

(k) Failing to ensure compliance with HIPAA security standard rules by its workforces in violation of 45 CFR § 164.306(a)(4);

(l) Failing to train all members of its workforces effectively on the policies and procedures regarding PHI as necessary and appropriate for the members of its workforces to carry out their functions and to maintain security of PHI, in violation of 45 CFR § 164.530(b); and/or

(m) Failing to render the electronic PHI it maintained unusable, unreadable, or indecipherable to unauthorized individuals, as it had not encrypted the electronic PHI as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR § 164.304’s definition of “encryption”).

40.

As the result of Defendant’s negligence and failure to safeguard Plaintiffs’ and Class Members’ Private Information, Plaintiffs’ and Class Members’ daily lives were severely disrupted. What’s more, they now face an increased risk of fraud and identity theft. Plaintiffs and the Class Members also lost the benefit of the bargain they made with Defendant.
DATA BREACHES CAUSE DISRUPTION AND PUT CONSUMERS AT AN INCREASED RISK OF FRAUD AND IDENTITY THEFT

41.

Data breaches at medical organizations like Health Share are especially problematic because of the disruption they cause to the medical treatment and overall daily lives of patients affected by the attack.

42.

Researchers have found that at medical organizations that experienced a data security incident, the death rate among patients increased in the months and years after the attack.[8]

43.

Researchers have further found that at medical organizations that experienced a data security incident, the incident was associated with deterioration in timeliness and patient outcomes, generally.[9]

44.

Data breaches present additional problems for patients who have already experienced inconvenience and disruption of medical care associated with a breach.

[8] See Nsikan Akpan, Ransomware and data breaches linked to uptick in fatal heart attacks, PBS News Hour (Oct. 24, 2019), https://www.pbs.org/newshour/science/ransomware-and-other-data-breaches-linked-to-uptick-in-fatal-heart-attacks.
[9] See Sung J. Choi, PhD, M. Eric Johnson, PhD, Christoph U. Lehmann, MD, Data breach remediation efforts and their implications for hospital quality, Health Servs. Research 54:5, at 971 (Oct. 2019), available at https://onlinelibrary.wiley.com/doi/epdf/10.1111/1475-6773.13203.
45.

The United States Government Accountability Office released a report in 2007 regarding data breaches (“GAO Report”) in which it noted that victims of identity theft will face “substantial costs and time to repair the damage to their good name and credit record.”[10]

46.

The FTC recommends that identity theft victims take several steps to protect their personal and financial information after a data breach, including contacting one of the credit bureaus to place a fraud alert (consider an extended fraud alert that lasts for 7 years if someone steals their identity), reviewing their credit reports, contacting companies to remove fraudulent charges from their accounts, placing a credit freeze on their credit, and correcting their credit reports.[11]

[10] See U.S. Gov’t Accountability Off., GAO-07-737, PERSONAL INFORMATION Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown 2 (June 2007), available at https://www.gao.gov/new.items/d07737.pdf (“GAO Report”).
[11] See Fed. Trade Comm’n, Identify Theft Recovery Steps, https://www.identitytheft.gov/Steps (last visited Apr. 2, 2020).

47.

Identity thieves use stolen personal information such as Social Security numbers for a variety of crimes, including credit card fraud, phone or utilities fraud, and bank/finance fraud.

48.

Identity thieves can also use Social Security numbers to obtain a driver’s license or official identification card in the victim’s name but with the thief’s picture; use the victim’s name and Social Security number to obtain government benefits; or file a fraudulent tax return using the victim’s information. In addition, identity thieves may obtain a job using the victim’s Social Security number, rent a house or receive medical services in the victim’s name, and may even give the victim’s personal information to police during an arrest resulting in an arrest warrant being issued in the victim’s name. A study by Identity Theft Resource Center shows the multitude of harms caused by fraudulent use of personal and financial information:[12]

[12] Jason Steele, Credit Card and ID Theft Statistics, CreditCards.com (Oct. 24, 2017), https://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php.

49.

Moreover, theft of Private Information is also gravely serious. PII/PHI is a valuable property right.[13] Its value is axiomatic, considering the value of “big data” in corporate America and the fact that the consequences of cyber thefts include heavy prison sentences. Even this obvious risk to reward analysis illustrates beyond doubt that Private Information has considerable market value.

[13] See, e.g., John T. Soma, Justin Courson, John Cadkin, Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value" of Financial Assets, 15 Rich. J.L. & Tech. 11, at *3-4 (2009) (“PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets.”) (citations omitted).

50.

Theft of PHI, in particular, is gravely serious: “A thief may use your name or health insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care. If the thief’s health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected.”[14] Drug manufacturers, medical device manufacturers, pharmacies, hospitals and other healthcare service providers often purchase PII/PHI on the black market for the purpose of target marketing their products and services to the physical maladies of the data breach victims themselves. Insurance companies purchase and use wrongfully disclosed PHI to adjust their insureds’ medical insurance premiums.

[14] See Fed. Trade Comm’n, Medical Identity Theft, http://www.consumer.ftc.gov/articles/0171-medical-identity-theft (last visited Mar. 27, 2020).

51.

It must also be noted there may be a substantial time lag – measured in years -- between when harm occurs and when it is discovered, and also between when Private Information and/or financial information is stolen and when it is used. According to the U.S. Government Accountability Office, which conducted a study regarding data breaches:

“[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.”

See GAO Report, at p. 29.
52.

Private Information and financial information are such valuable commodities to identity thieves that once the information has been compromised, criminals often trade the information on the “cyber black-market” for years.

53.

There is a strong probability that entire batches of stolen information have been dumped on the black market and are yet to be dumped on the black market, meaning Plaintiffs and Class Members are at an increased risk of fraud and identity theft for many years into the future. Thus, Plaintiffs and Class Members must vigilantly monitor their financial and medical accounts for many years to come.

54.

Medical information is especially valuable to identity thieves. According to account monitoring company LogDog, coveted Social Security numbers were selling on the dark web for just $1 in 2016 – the same as a Facebook account. That pales in comparison with the asking price for medical data, which was selling for $50 and up.[15]

55.

Because of its value, the medical industry has experienced disproportionally higher numbers of data theft events than other industries. Defendant therefore knew or should have known this and strengthened its data systems accordingly. Defendant was put on notice of the substantial and foreseeable risk of harm from a data breach, yet it failed to properly prepare for that risk.

[15] Lisa Vaas, Ransomware attacks paralyze, and sometimes crush, hospitals, NakedSecurity by Sophos (Oct. 3, 2019), https://nakedsecurity.sophos.com/2019/10/03/ransomware-attacks-paralyze-and-sometimes-crush-hospitals.
CLASS ACTION ALLEGATIONS

56.

Plaintiffs propose the following Class definition, subject to amendment as appropriate:

All persons whose Private Information was compromised in the Data Breach and received notice of same.

Excluded from the Class are Defendant’s officers, directors, and employees; any entity in which Defendant has a controlling interest; and the affiliates, legal representatives, attorneys, successors, heirs, and assigns of Defendant. Excluded also from the Class are members of the judiciary to whom this case is assigned, their families and members of their staff.

57.

Numerosity. The Members of the Class are so numerous that joinder of all of them is impracticable. Plaintiffs are informed and believe that the Class consists of approximately 654,362 patients of Defendant whose Private Information was compromised in the Data Breach.
58.

Commonality. There are questions of law and fact common to the Class, which predominate over any questions affecting only individual Class Members. These common questions of law and fact include, without limitation:

(a) Whether Defendant unlawfully used, maintained, lost, or disclosed Plaintiffs’ and Class Members’ Private Information;

(b) Whether Defendant failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the Data Breach;

(c) Whether Defendant’s data security systems prior to and during the Data Breach complied with applicable data security laws and regulations including, e.g., HIPAA;

(d) Whether Defendant’s data security systems prior to and during the Data Breach were consistent with industry standards;

(e) Whether, following the Data Breach, Defendant has improved its data security systems such that they are adequate to protect patients’ Private Information and comport with industry standards and applicable data security laws and regulations;

(f) Whether Defendant owed a duty to Class Members to safeguard their Private Information;

(g) Whether Defendant breached its duty to Class Members to safeguard their Private Information;

(h) Whether data thieves obtained Class Members’ Private Information in the Data Breach;

(i) Whether Defendant knew or should have known that its data security systems and monitoring processes were deficient;

(j) Whether Plaintiffs and Class Members suffered legally cognizable damages as a result of Defendant’s misconduct;

(k) Whether Defendant’s conduct was negligent;

(l) Whether Defendant’s conduct was per se negligent;

(m) Whether Defendant’s acts, inactions, and practices complained of herein amount to acts of intrusion upon seclusion under the law;

(n) Whether Defendant failed to provide notice of the Data Breach in a timely manner; and

(o) Whether Plaintiffs and Class Members are entitled to damages, civil penalties, punitive damages, and/or injunctive relief.

59.

Typicality. Plaintiffs’ claims are typical of those of other Class Members because Plaintiffs’ information, like that of every other Class member, was compromised in the Data Breach.

60.

Adequacy of Representation. Plaintiffs will fairly and adequately represent and protect the interests of the Members of the Class. Plaintiffs’ Counsel are competent and experienced in litigating class actions.

61.

Predominance. Defendant has engaged in a common course of conduct toward Plaintiffs and Class Members, in that all the Plaintiffs’ and Class Members’ data was stored on the same computer systems and unlawfully accessed in the same way. The common issues arising from Defendant’s conduct affecting Class Members set out above predominate over any individualized issues. Adjudication of these common issues in a single action has important and desirable advantages of judicial economy.

62.

Superiority. A class action is superior to other available methods for the fair and efficient adjudication of the controversy. Class treatment of common questions of law and fact is superior to multiple individual actions or piecemeal litigation. Absent a class action, most Class Members would likely find that the cost of litigating their individual claims is prohibitively high and would therefore have no effective remedy.

63.

The prosecution of separate actions by individual Class Members would create a risk of inconsistent or varying adjudications with respect to individual Class Members, which would establish incompatible standards of conduct for Defendant. By contrast, the conduct of this action as a class action presents far fewer management difficulties, conserves judicial resources and the parties’ resources, and protects the rights of each Class Member.

64.

Defendant has acted on grounds that apply generally to the Class as a whole, so that class certification, injunctive relief, and corresponding declaratory relief are appropriate on a Class-wide basis.

13 PLAINTIFFS’ AND CLASS MEMBERS’ PAST HARM AND THREAT OF FUTURE HARM

14 65.

15 This case is being commenced with only a request for equitable relief. Along with service

16 of the Complaint, Plaintiffs will provide written notice in accordance with ORCP 32 H by

17 delivering notice and demand on Defendant in writing by certified mail, return receipt requested.

18 If, after 30 days, Defendant fails to cure, Plaintiffs intend to amend this Complaint to seek money

19 damages.

20 66.

21 Plaintiffs and Class Members have been damaged by the compromise of their Private

22 Information in the Data Breach.

1 67.

2 As a direct and proximate result of Defendant’s conduct, Plaintiffs and Class Members

3 have been placed at an imminent, immediate, and continuing increased risk of harm from fraud

4 and identity theft.

5 68.

6 As a direct and proximate result of Defendant’s conduct, Plaintiffs and Class Members

7 have been forced to expend time dealing with the effects of the Data Breach.

8 69.

9 Plaintiffs and Class Members face substantial risk of out-of-pocket fraud losses such as

10 loans opened in their names, medical services billed in their names, tax return fraud, utility bills

11 opened in their names, credit card fraud, and similar identity theft.

12 70.

13 Plaintiffs and Class Members face substantial risk of being targeted for future phishing,

14 data intrusion, and other illegal schemes based on their Private Information as potential fraudsters

15 could use that information to more effectively target such schemes to Plaintiffs and Class

16 Members.

17 71.

18 Plaintiffs and Class Members may also incur out-of-pocket costs for protective measures

19 such as credit monitoring fees, credit report fees, credit freeze fees, and similar costs directly or

20 indirectly related to the Data Breach.

21 72.

22 Plaintiffs and Class Members also suffered a loss of value of their Private Information

23 when it was acquired by cyber thieves in the Data Breach. Numerous courts have recognized the

24 propriety of loss of value damages in related cases.

1 73.

2 Plaintiffs and Class Members were also damaged via benefit-of-the-bargain damages.

3 Plaintiffs and Class Members overpaid for a service that was intended to be accompanied by

4 adequate data security but was not. Part of the price Plaintiffs and Class Members paid to

5 Defendant was intended to be used by Defendant to fund adequate security of Defendant’s

6 computer property and protect Plaintiffs’ and Class Members’ Private Information. Thus, Plaintiffs

7 and the Class Members did not get what they paid for.

8 74.

9 Plaintiffs and Class Members have spent and will continue to spend significant amounts of

10 time to monitor their financial and medical accounts and records for misuse.

11 75.

12 Plaintiffs and Class Members have suffered or will suffer actual injury as a direct result of

13 the Data Breach. Many victims suffered ascertainable losses in the form of out-of-pocket expenses

14 and the value of their time reasonably incurred to remedy or mitigate the effects of the Data Breach

15 relating to:

16 (a) Finding fraudulent charges;

17 (b) Canceling and reissuing credit and debit cards;

18 (c) Purchasing credit monitoring and identity theft prevention;

19 (d) Addressing their inability to withdraw funds linked to compromised accounts;

20 (e) Taking trips to banks and waiting in line to obtain funds held in limited accounts;

21 (f) Placing “freezes” and “alerts” with credit reporting agencies;

22 (g) Spending time on the phone with or at a financial institution to dispute fraudulent

23 charges;

24 (h) Contacting financial institutions and closing or modifying financial accounts;

1 (i) Resetting automatic billing and payment instructions from compromised credit

2 and debit cards to new ones;

3 (j) Paying late fees and declined payment fees imposed as a result of failed automatic

4 payments that were tied to compromised cards that had to be cancelled; and

5 (k) Closely reviewing and monitoring bank accounts and credit reports for

6 unauthorized activity for years to come.

7 76.

8 Moreover, Plaintiffs and Class Members have an interest in ensuring that their Private

9 Information, which is believed to remain in the possession of Defendant, is protected from further

10 breaches by the implementation of security measures and safeguards, including but not limited to,

11 making sure that the storage of data or documents containing personal and financial information

12 is not accessible online, that access to such data is password-protected, and that such data is

13 properly encrypted.

14 77.

15 Further, as a result of Defendant’s conduct, Plaintiffs and Class Members are forced to live

16 with the anxiety that their Private Information—which contains the most intimate details about a

17 person’s life, including what ailments they suffer, whether physical or mental—may be disclosed

18 to the entire world, thereby subjecting them to embarrassment and depriving them of any right to

19 privacy whatsoever.

20 78.

21 As a direct and proximate result of Defendant’s actions and inactions, Plaintiffs and Class

22 Members have suffered a loss of privacy and are at an imminent and increased risk of future harm.

1 79.

2 Defendant’s actions demonstrate a reckless and outrageous indifference to a highly

3 unreasonable risk of harm in acting with the conscious indifference to the safety of Plaintiffs and

4 the rest of the public. Plaintiffs intend to amend their Complaint to add punitive damages against

5 Defendant pursuant to ORS 31.725.

6 CAUSES OF ACTION

7 FIRST COUNT

8 Negligence

9 (On Behalf of Plaintiffs and All Class Members)

10 80.

11 Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 79 above as if fully

12 set forth herein.

13 81.

14 Defendant required Plaintiffs and Class Members to submit non-public personal

15 information in order to obtain healthcare services.

16 82.

17 By collecting and storing this data in its computer property, and sharing it and using it for

18 commercial gain, Defendant had a duty of care to use reasonable means to secure and safeguard

19 its computer property—and Class Members’ Private Information held within it—to prevent

20 disclosure of the information, and to safeguard the information from theft. Defendant’s duty

21 included a responsibility to implement processes by which it could detect a breach of its security

22 systems in a reasonably expeditious period of time and to give prompt notice to those affected in

23 the case of a data breach.

1 83.

2 Defendant owed a duty of care to Plaintiffs and Class Members to provide data security

3 consistent with industry standards and other requirements discussed herein, and to ensure that its

4 systems and networks, and the personnel responsible for them, adequately protected the Private

5 Information.

6 84.

7 Defendant’s duty of care to use reasonable security measures arose as a result of the special

8 relationship that existed between Defendant and its members, which is recognized by laws and

9 regulations including but not limited to HIPAA, as well as common law. Defendant was in a

10 position to ensure that its systems were sufficient to protect against the foreseeable risk of harm to

11 Class Members from a data breach.

12 85.

13 Defendant’s duty to use reasonable security measures under HIPAA required Defendant to

14 “reasonably protect” confidential data from “any intentional or unintentional use or disclosure”

15 and to “have in place appropriate administrative, technical, and physical safeguards to protect the

16 privacy of protected health information.” 45 CFR § 164.530(c)(1). Some or all of the medical

17 information at issue in this case constitutes “protected health information” within the meaning of

18 HIPAA.

19 86.

20 In addition, Defendant had a duty to employ reasonable security measures under Section 5

21 of the Federal Trade Commission Act, 15 USC § 45, which prohibits “unfair * * * practices in or

22 affecting commerce,” including, as interpreted and enforced by the FTC, the unfair practice of

23 failing to use reasonable measures to protect confidential data.

1 87.

2 Defendant’s duty to use reasonable care in protecting confidential data arose not only as a

3 result of the statutes and regulations described above, but also because Defendant is bound by

4 industry standards to protect confidential Private Information.

5 88.

6 Defendant breached its duties, and thus was negligent, by failing to use reasonable

7 measures to protect Class Members’ Private Information. The specific negligent acts and

8 omissions committed by Defendant include, but are not limited to, the following:

9 (a) Failing to adopt, implement, and maintain adequate security measures to

10 safeguard Class Members’ Private Information;

11 (b) Failing to adequately monitor the security of computer property;

12 (c) Allowing unauthorized access to Class Members’ Private Information;

13 (d) Failing to detect in a timely manner that Class Members’ Private Information had

14 been compromised; and

15 (e) Failing to timely notify Class Members about the Data Breach so that they could

16 take appropriate steps to mitigate the potential for identity theft and other

17 damages.

18 89.

19 It was foreseeable that Defendant’s failure to use reasonable measures to protect Class

20 Members’ Private Information would result in injury to Class Members. Further, the breach of

21 security was reasonably foreseeable given the known high frequency of cyberattacks and data

22 breaches in the medical industry.

1 90.

2 It was foreseeable that the failure to adequately safeguard Class Members’ Private

3 Information would result in injuries to Class Members.

4 91.

5 Plaintiffs and Class Members are entitled to injunctive relief requiring Defendant to, e.g.,

6 (i) strengthen its data security systems and monitoring procedures; (ii) submit to future annual

7 audits of those systems and monitoring procedures; and (iii) continue to provide adequate credit

8 monitoring to all Class Members.

9 92.

10 Following providing notice pursuant to ORCP 32 H, Plaintiffs intend to amend their

11 Complaint to allege that Plaintiffs and Class Members are also entitled to compensatory and

12 consequential damages suffered as a result of the Data Breach.

13 SECOND COUNT

14 Intrusion upon Seclusion / Invasion of Privacy

15 (On Behalf of Plaintiffs and All Class Members)

16 93.

17 Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 79 above as if fully

18 set forth herein.

19 94.

20 Oregon recognizes the tort of Intrusion upon Seclusion, and adopts the formulation of that

21 tort found in the Restatement (Second) of Torts, which states:

22 “One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the

23 other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.”

1 Restatement (Second) of Torts § 652B (1977).

2 95.

3 Plaintiffs and Class Members had a reasonable expectation of privacy in the Private

4 Information Defendant mishandled.

5 96.

6 Defendant’s conduct as alleged above intruded upon Plaintiffs’ and Class Members’

7 seclusion under common law.

8 97.

9 By intentionally failing to keep Plaintiffs’ and Class Members’ Private Information safe,

10 and by intentionally misusing and/or disclosing said information to unauthorized parties for

11 unauthorized use, Defendant intentionally invaded Plaintiffs’ and Class Members’ privacy by:

12 (a) Intentionally and substantially intruding into Plaintiffs’ and Class Members’

13 private affairs in a manner that identifies Plaintiffs and Class Members and that

14 would be highly offensive and objectionable to an ordinary person;

15 (b) Intentionally publicizing private facts about Plaintiffs and Class Members, which

16 is highly offensive and objectionable to an ordinary person; and

17 (c) Intentionally causing anguish or suffering to Plaintiffs and Class Members.

18 98.

19 Defendant knew that an ordinary person in Plaintiffs’ or a Class Member’s position would

20 consider Defendant’s intentional actions highly offensive and objectionable.

21 99.

22 Defendant invaded Plaintiffs’ and Class Members’ right to privacy and intruded into

23 Plaintiffs’ and Class Members’ private affairs by intentionally misusing and/or disclosing their

24 Private Information without their informed, voluntary, affirmative, and clear consent.

1 100.

2 Defendant intentionally concealed from Plaintiffs and Class Members an incident that

3 misused and/or disclosed their Private Information without their informed, voluntary, affirmative,

4 and clear consent.

5 101.

6 As a proximate result of such intentional misuse and disclosures, Plaintiffs’ and Class

7 Members’ reasonable expectations of privacy in their Private Information were unduly frustrated

8 and thwarted. Defendant’s conduct, amounting to a substantial and serious invasion of Plaintiffs’

9 and Class Members’ protected privacy interests causing anguish and suffering such that an

10 ordinary person would consider Defendant’s intentional actions or inaction highly offensive and

11 objectionable.

12 102.

13 In failing to protect Plaintiffs’ and Class Members’ Private Information, and in

14 intentionally misusing and/or disclosing their Private Information, Defendant acted with

15 intentional malice and oppression and in conscious disregard of Plaintiffs’ and Class Members’

16 rights to have such information kept confidential and private. Therefore, following providing

17 notice pursuant to ORCP 32 H, if Defendant fails to cure, Plaintiffs intend to amend their

18 Complaint to seek an award of damages and equitable relief on behalf of themselves and the Class.

19 THIRD COUNT

20 Breach of Express Contract

21 (On Behalf of Plaintiffs and All Class Members)

22 103.

23 Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 79 above as if fully

24 set forth herein.


1 104.

2 Plaintiffs and Members of the Class allege that they entered into valid and enforceable

3 express contracts, or were third party beneficiaries of valid and enforceable express contracts, with

4 Defendant.

5 105.

6 The valid and enforceable express contracts that Plaintiffs and Class Members entered into

7 with Defendant include Defendant’s promise to protect nonpublic personal information given to

8 Defendant or that Defendant gathers on its own from disclosure.

9 106.

10 Under these express contracts, Defendant and/or its agents, promised and were obligated

11 to Plaintiffs’ and Class Members’ Private Information. In exchange, Plaintiffs and Members of the

12 Class agreed to pay money for these services, and to turn over their Private Information.

13 107.

14 Both the provision of healthcare services and the protection of Plaintiffs’ and Class

15 Members’ PII/PHI were material aspects of these contracts.

16 108.

17 As alleged herein, Defendant promised to protect the privacy of Plaintiffs’ and Class

18 Members’ Private Information in its Privacy Notice.16

19 109.

20 Defendant’s express representations, including, but not limited to, the express

21 representations found in its Privacy Notice, formed an express contract requiring Defendant to

24 16 https://www.healthshareoregon.org/privacy-policy.

1 implement data security adequate to safeguard and protect the privacy of Plaintiffs’ and Class

2 Members’ PII/PHI.

3 110.

4 Consumers of healthcare value their privacy, the privacy of their dependents, and the ability

5 to keep their PII/PHI associated with obtaining healthcare private. To customers such as Plaintiffs

6 and Class Members, healthcare that does not adhere to industry standard data security protocols to

7 protect PII/PHI is fundamentally less useful and less valuable than healthcare that adheres to

8 industry-standard data security. Plaintiffs and Class Members would not have entered into these

9 contracts with Defendant as a direct or third-party beneficiary without an understanding that their

10 PII/PHI would be safeguarded and protected.

11 111.

12 A meeting of the minds occurred, as Plaintiffs and Members of the Class provided their

13 PII/PHI to Defendant, and paid for the provided healthcare services in exchange for, amongst other

14 things, protection of their PII/PHI.

15 112.

16 Plaintiffs and Class Members performed their obligations under the contract when they

17 paid for their health care services and provided their PII/PHI.

18 113.

19 Defendant materially breached its contractual obligation to protect the nonpublic personal

20 information Defendant gathered when the information was accessed and exfiltrated by

21 unauthorized personnel as part of the Data Breach.

22 114.

23 Defendant materially breached the terms of these express contracts, including, but not

24 limited to, the terms stated in the relevant Privacy Notice. Defendant did not maintain the privacy

1 of Plaintiffs’ and Class Members’ PII/PHI as evidenced by its notifications of the Data Breach to

2 Plaintiffs and Class Members. Specifically, Defendant did not comply with industry standards, or

3 otherwise protect Plaintiffs’ and the Class Members’ PII/PHI, as set forth above.

4 115.

5 The Data Breach was a reasonably foreseeable consequence of Defendant’s actions in

6 breach of these contracts.

7 116.

8 As a result of Defendant’s failure to fulfill the data security protections promised in these

9 contracts, Plaintiffs and Members of the Class did not receive the full benefit of the bargain, and

10 instead received healthcare and other services that were of a diminished value to that described in

11 the contracts. Therefore, following providing notice pursuant to ORCP 32 H, Plaintiffs intend to

12 amend their Complaint to allege that Plaintiffs and Class Members were damaged in an amount at

13 least equal to the difference in the value of the healthcare with data security protection they paid

14 for and the healthcare they received.

15 117.

16 Had Defendant disclosed that its security was inadequate or that it did not adhere to

17 industry-standard security measures, neither the Plaintiffs, the Class Members, nor any reasonable

18 person would have purchased healthcare from Defendant and/or its affiliated healthcare providers.

19 118.

20 As a direct and proximate result of the Data Breach, Plaintiffs and Class Members have

21 been harmed and have suffered, and will continue to suffer, actual harm and injuries, including

22 without limitation the release, disclosure, and publication of their PII/PHI, the loss of control of

23 their PII/PHI, the imminent risk of suffering additional harm in the future, disruption of their

1 medical care and treatment, out-of-pocket expenses, and the loss of the benefit of the bargain they

2 had struck with Defendant.

3 119.

4 Following providing notice pursuant to ORCP 32 H, Plaintiffs intend to amend their

5 Complaint to allege that Plaintiffs and Class Members are entitled to equitable relief, and

6 compensatory and consequential damages suffered as a result of the Data Breach.

7 FOURTH COUNT

8 Breach of Implied Contract

9 (On Behalf of Plaintiffs and All Class Members)

10 120.

11 Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 79 above as if fully

12 set forth herein.

13 121.

14 When Plaintiffs and Class Members provided their Private Information to Defendant in

15 exchange for Defendant’s services, they entered into implied contracts with Defendant pursuant to

16 which Defendant agreed to reasonably protect such information.

17 122.

18 Defendant solicited and invited Class Members to provide their Private Information as part

19 of Defendant’s regular business practices. Plaintiffs and Class Members accepted Defendant’s

20 offers and provided their Private Information to Defendant.

21 123.

22 In entering into such implied contracts, Plaintiffs and Class Members reasonably believed

23 and expected that Defendant’s data security practices complied with relevant laws and regulations,

24 including HIPAA, and were consistent with industry standards.


1 124.

2 Class Members who paid money to Defendant reasonably believed and expected that

3 Defendant would use part of those funds to obtain adequate data security. Defendant failed to do

4 so.

5 125.

6 Plaintiffs and Class Members would not have entrusted their Private Information to

7 Defendant in the absence of the implied contract between them and Defendant to keep their

8 information reasonably secure. Plaintiffs and Class Members would not have entrusted their

9 Private Information to Defendant in the absence of their implied promise to monitor their computer

10 systems and networks to ensure that they adopted reasonable data security measures.

11 126.

12 Plaintiffs and Class Members fully and adequately performed their obligations under the

13 implied contracts with Defendant.

14 127.

15 Defendant breached its implied contracts with Class Members by failing to safeguard and

16 protect their Private Information.

17 128.

18 As a direct and proximate result of Defendant’s breaches of the implied contracts, Class

19 Members have been harmed and have suffered, and will continue to suffer, harm and injuries as

20 alleged herein.

21 129.

22 Plaintiffs and Class Members are entitled to injunctive relief requiring Defendant to, e.g.,

23 (i) strengthen its data security systems and monitoring procedures; (ii) submit to future annual

1 audits of those systems and monitoring procedures; and (iii) immediately provide adequate credit

2 monitoring to all Class Members.

3 130.

4 Following providing notice pursuant to ORCP 32 H, Plaintiffs intend to amend their

5 Complaint to allege that Plaintiffs and Class Members are also entitled to compensatory and

6 consequential damages suffered as a result of the Data Breach.

7 FIFTH COUNT

8 Negligence Per Se

9 (On Behalf of Plaintiffs and All Class Members)

10 131.

11 Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 79 above as if fully

12 set forth herein.

13 132.

14 Pursuant to the Federal Trade Commission Act (15 USC § 45), Defendant had a duty to

15 provide fair and adequate computer systems and data security practices to safeguard Plaintiffs’ and

16 Class Members’ Private Information.

17 133.

18 Pursuant to HIPAA (42 USC §§ 1302d et seq.), Defendant had a duty to implement

19 reasonable safeguards to protect Plaintiffs’ and Class Members’ Private Information.

20 134.

21 Pursuant to HIPAA, Defendant had a duty to render the electronic PHI it maintained

22 unusable, unreadable, or indecipherable to unauthorized individuals, as specified in the HIPAA

23 Security Rule by “the use of an algorithmic process to transform data into a form in which there is

1 a low probability of assigning meaning without use of a confidential process or key” (45 CFR

2 § 164.304’s definition of “encryption”).

3 135.

4 Pursuant to the Gramm-Leach-Bliley Act (15 USC § 6801), Defendant had a duty to protect

5 the security and confidentiality of Plaintiffs’ and Class Members’ Private Information.

6 136.

7 Defendant breached its duties to Plaintiffs and Class Members under the Federal Trade

8 Commission Act, HIPAA, and the Gramm-Leach-Bliley Act by failing to provide fair, reasonable,

9 or adequate computer systems and data security practices to safeguard Plaintiffs’ and Class

10 Members’ Private Information.

11 137.

12 Defendant’s failure to comply with applicable laws and regulations constitutes negligence

13 per se.

14 138.

15 But for Defendant’s wrongful and negligent breach of its duties owed to Plaintiffs and

16 Class Members, Plaintiffs and Class Members would not have been injured.

17 139.

18 The injury and harm suffered by Plaintiffs and Class Members was the reasonably

19 foreseeable result of Defendant’s breach of its duties. Defendant knew or should have known that

20 it was failing to meet its duties, and that Defendant’s breach would cause Plaintiffs and Class

21 Members to experience the foreseeable harms associated with the exposure of their Private

22 Information.

1 140.

2 As a direct and proximate result of Defendant’s negligent conduct, Plaintiffs and Class

3 Members have suffered injury and are entitled to equitable relief. Following providing notice

4 pursuant to ORCP 32 H, Plaintiffs intend to amend their Complaint to seek an award of damages

5 on behalf of themselves and the Class.

6 SIXTH COUNT

7 Breach of Fiduciary Duty

8 (On Behalf of Plaintiffs and All Class Members)

9 141.

10 Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 79 above as if fully

11 set forth herein.

12 142.

13 In light of the special relationship between Defendant and Plaintiffs and Class Members,

14 whereby Defendant became guardians of Plaintiffs’ and Class Members’ Private Information,

15 Defendant became a fiduciary by its undertaking and guardianship of the Private Information, to

16 act primarily for the benefit of its patients, including Plaintiffs and Class Members, (1) for the

17 safeguarding of Plaintiffs’ and Class Members’ Private Information; (2) to timely notify Plaintiffs

18 and Class Members of a data breach and disclosure; and (3) maintain complete and accurate

19 records of what patient information (and where) Defendant did and does store.

20 143.

21 Defendant has a fiduciary duty to act for the benefit of Plaintiffs and Class Members upon

22 matters within the scope of its members’ relationship, in particular, to keep secure the Private

23 Information of its patients.

1 144.

2 Defendant breached its fiduciary duties to Plaintiffs and Class Members by failing to

3 diligently discover, investigate, and give notice of the Data Breach in a reasonable and practicable

4 period of time.

5 145.

6 Defendant breached its fiduciary duties to Plaintiffs and Class Members by failing to

7 encrypt and otherwise protect the integrity of the systems containing Plaintiffs’ and Class

8 Members’ Private Information.

9 146.

10 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by failing to

11 timely notify and/or warn Plaintiffs and Class Members of the Data Breach.

12 147.

13 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by failing to

14 ensure the confidentiality and integrity of electronic PHI Defendant created, received, maintained,

15 and transmitted, in violation of 45 CFR § 164.306(a)(1).

16 148.

17 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by failing to

18 implement technical policies and procedures for electronic information systems that maintain

19 electronic PHI to allow access only to those persons or software programs that have been granted

20 access rights in violation of 45 CFR § 164.312(a)(1).

21 149.

22 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by failing to

23 implement policies and procedures to prevent, detect, contain, and correct security violations, in

24 violation of 45 CFR § 164.308(a)(1).

1 150.

2 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by failing to

3 identify and respond to suspected or known security incidents and to mitigate, to the extent

4 practicable, harmful effects of security incidents that are known to the covered entity in violation

5 of 45 CFR § 164.308(a)(6)(ii).

6 151.

7 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by failing to

8 protect against any reasonably anticipated threats or hazards to the security or integrity of

9 electronic PHI in violation of 45 CFR § 164.306(a)(2).

10 152.

11 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by failing to

12 protect against any reasonably anticipated uses or disclosures of electronic PHI that are not

13 permitted under the privacy rules regarding individually identifiable health information in

14 violation of 45 CFR § 164.306(a)(3).

15 153.

16 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by failing to

17 ensure compliance with the HIPAA security standard rules by its workforce in violation of 45 CFR

18 § 164.306(a)(94).

19 154.

20 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

21 impermissibly and improperly using and disclosing PHI that is and remains accessible to

22 unauthorized persons in violation of 45 CFR §§ 164.502 et seq.

1 155.

2 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by failing to

3 effectively train all members of its workforce (including independent contractors) on the policies

4 and procedures with respect to PHI as necessary and appropriate for the members of its workforce

5 to carry out their functions and to maintain security of PHI in violation of 45 CFR § 164.530(b)

6 and 45 CFR § 164.308(a)(5).

7 156.

8 Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by failing to

9 design, implement, and enforce policies and procedures establishing physical and administrative

10 safeguards to reasonably safeguard PHI, in compliance with 45 CFR § 164.530(c).

11 157.

12 Defendant breached its fiduciary duties to Plaintiffs and Class Members by otherwise

13 failing to safeguard Plaintiffs’ and Class Members’ Private Information.

14 158.

15 As a direct and proximate result of Defendant’s breaches of its fiduciary duties, Plaintiffs

16 and Class Members have suffered and will suffer injury, including but not limited to: (i) actual

17 identity theft; (ii) the compromise, publication, and/or theft of their Private Information; (iii) out-

18 of-pocket expenses associated with the prevention, detection, and recovery from identity theft

19 and/or unauthorized use of their Private Information; (iv) lost opportunity costs associated with

20 effort expended and the loss of productivity addressing and attempting to mitigate the actual and

21 future consequences of the Data Breach, including but not limited to efforts spent researching how

22 to prevent, detect, contest, and recover from identity theft; (v) the continued risk to their Private

23 Information, which remains in Defendant’s possession and is subject to further unauthorized

24 disclosures so long as Defendant fails to undertake appropriate and adequate measures to protect

1 the Private Information in its continued possession; (vi) future costs in terms of time, effort, and

2 money that will be expended as a result of the Data Breach for the remainder of the lives of Plaintiffs

3 and Class Members; and (vii) the diminished value of Defendant’s services they received.

159.

As a direct and proximate result of Defendant’s breaches of its fiduciary duties, Plaintiffs and Class Members have suffered and will continue to suffer other forms of injury and/or harm. Therefore, following providing notice pursuant to ORCP 32 H, Plaintiffs intend to amend their Complaint to seek an award of damages on behalf of themselves and the Class.

SEVENTH COUNT

OREGON UNLAWFUL TRADE PRACTICES ACT

ORS 646.607 and 646.608 et seq.

(On Behalf of Plaintiffs and the Class)

160.

Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 79 above as if fully set forth herein.

161.

Defendant is a “person,” as defined by ORS 646.605(4).

162.

Defendant engaged in the sale of “goods and services,” as defined by ORS 646.605(6)(a).

163.

Defendant sold “goods or services,” as defined by ORS 646.605(6)(a).

164.

Defendant advertised, offered, or sold goods or services in Oregon and engaged in trade or commerce directly or indirectly affecting the people of Oregon.


165.

Defendant engaged in unlawful practices in the course of its business and occupation, in violation of ORS 646.608, including the following:

(a) Representing that its goods and services have approval, characteristics, uses, benefits, and qualities that they do not have, in violation of ORS 646.608(1)(e);

(b) Representing that its goods and services are of a particular standard or quality if they are of another, in violation of ORS 646.608(1)(g);

(c) Advertising its goods or services with intent not to provide them as advertised, in violation of ORS 646.608(1)(i); and

(d) Concurrent with tender or delivery of its goods and services, failing to disclose any known material defect, in violation of ORS 646.608(1)(t).

166.

Defendant’s unlawful practices include:

(a) Failing to implement and maintain reasonable security and privacy measures for its computer equipment, including without limitation laptop computers and other portable data storage devices, in a manner so as to protect Plaintiffs’ and Class Members’ Private Information, which was a direct and proximate cause of the Data Breach;

(b) Failing to implement and maintain reasonable security and privacy measures to protect Plaintiffs’ and Class Members’ Private Information, which was a direct and proximate cause of the Data Breach;

(c) Failing to identify foreseeable security and privacy risks, remediate identified security and privacy risks, and adequately improve security and privacy measures, which was a direct and proximate cause of the Data Breach;

(d) Failing to comply with common law and statutory duties pertaining to the security and privacy of Plaintiffs’ and Class Members’ Private Information, including duties imposed by the FTC, 15 USC § 45, HIPAA, 42 USC §§ 1302d et seq., and the GLBA, 15 USC §§ 6801 et seq., which was a direct and proximate cause of the Data Breach;

(e) Misrepresenting that it would protect the privacy and confidentiality of Plaintiffs’ and Class Members’ Private Information, including implementing and maintaining reasonable security measures;

(f) Misrepresenting that it would comply with common law and statutory duties pertaining to the security and privacy of Plaintiffs’ and Class Members’ Private Information, including duties imposed by the FTC Act, 15 USC § 45, HIPAA, 42 USC §§ 1302d et seq., and the GLBA, 15 USC §§ 6801 et seq.;

(g) Omitting, suppressing, and concealing the material fact that it did not reasonably or adequately secure Plaintiffs’ and Class Members’ Private Information;

(h) Violating ORS 646A.622(1) through its failure to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the Private Information, including safeguards that protect the Private Information when disposing of it; and

(i) Omitting, suppressing, and concealing the material fact that it did not comply with common law and statutory duties pertaining to the security and privacy of Plaintiffs’ and Class Members’ Private Information, including duties imposed by the FTC Act, 15 USC § 45, HIPAA, 42 USC §§ 1302d et seq., and the GLBA, 15 USC §§ 6801 et seq.

167.

Defendant’s violation of ORS 646A.622(1) has been designated by statute as an unlawful practice under ORS 646.607, by operation of ORS 646A.604(9).

168.

Defendant’s representations and omissions were material because they were likely to deceive reasonable consumers about the adequacy of Defendant’s data security and ability to protect the confidentiality of consumers’ Personal Information.

169.

Defendant intended to mislead Plaintiffs and Class members and induce them to rely on its misrepresentations and omissions.

170.

Had Defendant disclosed to Plaintiffs and Class members that its data storage systems were not secure and vulnerable to theft, Defendant would have been unable to continue in business and it would have been forced to adopt reasonable data security measures and comply with the law.

171.

Defendant accepted the responsibility of being a “steward of data” while keeping the inadequate state of its security controls secret from the public.

172.

Plaintiffs and the Class Members acted reasonably in relying on Defendant’s misrepresentations and omissions, the truth of which they could not have discovered.

173.

Defendant acted intentionally, knowingly, and maliciously to violate Oregon’s Unlawful Trade Practices Act, and recklessly disregarded Plaintiffs and Class Members’ rights. Numerous past data breaches and stolen laptop incidents in the healthcare industry put Defendant on notice that its data storage device security and privacy protections were inadequate.

174.

As a direct and proximate result of Defendant’s unlawful practices, Plaintiffs and Class Members have suffered and will continue to suffer injury, ascertainable losses of money or property, and monetary and non-monetary damages, including from fraud and identity theft; time and expenses related to monitoring their financial accounts for fraudulent activity; an increased, imminent risk of fraud and identity theft; and loss of value of their Personal Information.

175.

Plaintiffs and Class Members seek equitable relief and reasonable attorneys’ fees and costs. Following providing notice pursuant to ORCP 32 H, Plaintiffs intend to amend their Complaint to seek an award of actual damages or statutory damages of $200 per violation (whichever is greater) on behalf of themselves and the Class. Plaintiffs also intend to amend their complaint to add punitive damages against Defendant pursuant to ORS 31.725.

PRAYER FOR RELIEF

WHEREFORE, Plaintiffs pray for judgment as follows:

(a) For an Order certifying this action as a Class action and appointing Plaintiffs and their counsel to represent the Class;

(b) For equitable relief enjoining Defendant from engaging in the wrongful conduct complained of herein pertaining to the misuse and/or disclosure of Plaintiffs’ and Class Members’ Private Information, and from refusing to issue prompt, complete and accurate disclosures to Plaintiffs and Class Members;

(c) For equitable relief compelling Defendant to utilize appropriate methods and policies with respect to consumer data collection, storage, and safety, and to disclose with specificity the type of Private Information compromised during the Data Breach;

(d) For equitable relief requiring restitution and disgorgement of the revenues wrongfully retained as a result of Defendant’s wrongful conduct;

(e) For equitable relief ordering Defendant to pay for ongoing and continuing credit monitoring services for Plaintiffs and the Class;

(f) For an award of attorneys’ fees and costs, and any other expense, including expert witness fees pursuant to ORS 646.638;

(g) Pre- and post-judgment interest on any amounts awarded; and

(h) Such other and further relief as this court may deem just and proper.

JURY TRIAL DEMAND

Plaintiffs demand a jury trial on all issues so triable.

DATED this 6th day of April, 2020.

D’AMORE LAW GROUP, P.C.

By:
Thomas D’Amore, OSB No. 922735
Email: tom@damorelaw.com
Amy Bruning, OSB No. 175811
Email: amy@damorelaw.com
4230 Galewood Street, Suite 200
Lake Oswego, OR 97035
Telephone: (503) 222-6333

MASON LIETZ & KLINGER LLP
Gary E. Mason, Esq. (pro hac vice forthcoming)
Email: gmason@masonllp.com
David E. Lietz, Esq. (pro hac vice forthcoming)
Email: dlietz@masonllp.com
5301 Wisconsin Avenue, NW, Suite 305
Washington, DC 20016
Telephone: (202) 429-2290

MASON LIETZ & KLINGER LLP
Gary M. Klinger (pro hac vice forthcoming)
Email: gklinger@masonllp.com
227 W. Monroe Street, Suite 2100
Chicago, Illinois 60606
Telephone: (312) 283.3814

Of Attorneys for Plaintiffs and the Proposed Class