In late January 2021, a class action lawsuit was filed in the U.S. District Court for the Southern District of California against a children’s hospital for allegedly failing to properly safeguard minor patients’ medical information in light of a ransomware attack on its cloud software provider. Plaintiffs allege claims against the hospital based on purported violations of the Confidentiality of Medical Information Act (CMIA) and the California Consumer Records Act (CCRA), as well as claims of negligence, invasion of privacy, and implied contract. See John Doe v. Rady Children’s Hospital-San Diego, Inc., Case No. 21CV00114-JM-RBB (S.D. Cal. Jan. 20, 2021).

Plaintiffs allege in the complaint that the hospital failed to use a vendor with “fair, reasonable, or adequate computer systems and data security policies” and that the hospital did not obtain authorization, as required of healthcare providers under the CMIA, for the disclosure of patient information to the unauthorized individuals. The hack allegedly took place over several months in 2020 and involved medical information of nearly 20,000 patients, including their names, addresses, birthdates, physician names, and admission information.

In light of the pending case, healthcare providers are reminded to properly safeguard health information to reduce the risk of class action litigation, even if relying on a cloud software provider. Some of the ways to reduce risk in this area include (1) carefully vetting the use of vendors, in particular their security controls and procedures, (2) reviewing and updating vendor contracts to ensure that proper protections are in place, and (3) reviewing security policies and procedures to ensure that they are up to date and comprehensive to meet applicable laws.