Parker-Hannifin Ransomware Attack and Data Breach California Class Action

This class action brings suit against Parker-Hannifin Corporation, which suffered a ransomware attack and accompanying data breach by the Conti ransomware group in March 2022. The complaint alleges that the company failed to take adequate measures to safeguard the personal and medical information of employees or persons enrolled in its health plans.

A class and a subclass have been proposed for this action.

• The Class is all current residents of California who are present or former employees of Parker-Hannifin or one of its subsidiaries and whose information was accessed and released or disclosed as a result of the Conti ransomware attack in or about March 2022.
• The Medical Information Subclass is all persons in the above class whose medical information was accessed and released or disclosed as a result of the Conti ransomware attack in or about March 2022.

On or around March 11, 2022 the Conti group got into Parker-Hannifin’s computer systems. The complaint alleges that it then used malware to encrypt data and took more than 400 gigabytes of company employees’ personal information. The complaint alleges, “It appears Parker-Hannifin did not make a ransomware payment, as now all of this employee data is available on the dark web.”

The attack involved the personal and medical information of more than 100,000 employees and former employees, including names, Social Security numbers, dates of birth, driver’s license numbers, passport numbers, and bank account and routing numbers, among other things. The complaint alleges that the information was “negligently created, maintained, preserved, and stored…”

The company’s first public statement about this data breach came in its Form 8-K filed with Securities and Exchange Commission on or around April 5, 2022, the complaint alleges, stating that the breach occurred between March 11-14, 2022. But the company did not begin telling individual victims until around May 13, 2022, about two months after the incident occurred.

The California Constitution guarantees consumers a right to privacy. A state law, the Confidential Medical Information Act (CMIA) regulates the use of private medical information, a category of information that is much sought after by cybercriminals. Another law, the California Consumer Privacy Act (CCPA), requires that entities maintain reasonably practices and procedures to protect personal information from unauthorized access, exfiltration, theft, or disclosure.

The complaint claims that the Federal Bureau of Investigation (FBI) has warned companies like Parker-Hannifin about the Conti ransomware group, including via a Flash Alert in May 2021, a Joint Cybersecurity Advisory in September 2021, and an update to that Advisory in March 2022—just two days before the Parker-Hannifin attack. The complaint reproduces a list of recommendations for resisting such attacks from the Flash Alert. Yet despite these and other public announcements of data security threats and attacks, the complaint alleges, Parker-Hannifin did not take sufficient steps to prevent the data breach.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy