You can hardly believe it, can you? Back in July 2021, remember hearing about the Washington-based Chelan Douglas Health District’s data breach? Well, they only told us all about it in March 2022, seemingly quite pleased with themselves for only taking half a year or so to investigate!
Now, there’s a bit of confusion over how many patients it affected. Some folks in the media reckon it was near 109,000, but then when the breach was reported to our friends at the Department of Health and Human Services in March 2022, they seemed to think it was nearer to 188,236 affected patients.
As for what got nicked? Well, it was a bit of an all-you-can-eat buffet – Social Security numbers, dates of birth and even death, financial information, and a fair share of medical records. Fairly vital stuff if you ask me!
Cut to a couple of plucky individuals – Sarah Nunley and Michelle Slater – who took matters into their own hands and pitched a class-action lawsuit against the Health District at Chelan County Superior Court. They reckoned they’d been bombarded with nuisance calls and spam email and even more worryingly, Nunley argued her data had been used to apply for a business license without her knowledge, and her Social Security number had ended up on the dark web. But, get this – their case was thrown to one side in February 2023 by Judge Kristin Ferrera, because in her view, they couldn’t prove any harm.
Fast forward a bit, and we see the State Court of Appeals reverting the dismissal decision. According to KPQ, the judges announced that the Health District held a responsibility to correctly handle the stored personal information, giving the plaintiffs a chance to show they indeed suffered damages in a trial. Acting Chief Judge Tracy Staab even wrote how the court thought the Health District knew the risks as far back as 2020 but did nothing with that information, despite also being aware of the attempts by cyber criminals to compromise their systems.
What’s more, when they received a warning from the FBI in May, 2021 about an impending cyber attack, they carried on as normal, ignoring the warning. Even after getting a phishing email warning of a potential attack, they didn’t tighten their security.
For now, the case bounces back to the Chelan County Superior Court who will get the ball rolling again. Oddly, a glance at the Health and Human Services public breach tool suggests they considered the case closed following the cyber attack. Even though they acknowledged the breach impacted the personal health information of 188,236 patients, they don’t mention a thing about the Health District’s failure to act on the FBI’s warnings adequately. It all seems a bit odd, doesn’t it? But don’t you worry, we’ll keep our eyes peeled and let you know the moment we hear more on this thrilling tale of cyber drama.
by Parker Bytes
