Sunshine Behavioral Health Group Data Breach Class Action

The Sunshine Behavioral Health Group, LLC, says the complaint for this class action, “operates luxury drug and alcohol addiction rehabilitation facilities in California, Colorado, and Texas.” In that role, it possessed a good deal of confidential and personal information on patients and payors. The complaint alleges Sunshine did not take adequate measures to protect this information. On September 4, 2019, it learned that a data breach had exposed the information of some 3,500 patients.

The Nationwide Class for this action is all persons in the US whose personal and medical information was compromised as a result of the Sunshine Data Breach announced by Sunshine on or around January 21, 2020. In the alternative, the complaint proposes California and Pennsylvania Subclasses.

The exposed information included names, addresses, credit and debit card numbers, electronic or digital signatures, insurance policy and membership numbers, medical information, and Social Security numbers.

Why was this information vulnerable? The first reason, the complaint alleges, was because Sunshine failed to take “necessary security precautions” to protect it.

However, there’s another reason that’s more disturbing: “Additionally, due to a webpage setting that permitted search engines to index internal webpages that [Sunshine] uses for business operations, Affected Patients’ Personal and Medical Information was also searchable, findable, viewable, and downloadable by anyone with access to an internet search engine such as Google, Yahoo, Bing, etc.”

The report of the data breach also seems to have been delayed. The plaintiff in this case, Hector Fuentes, was a patient between January 17, 2019 and February 17, 2019. Fuentes found out about the data breach when he received a letter from Sunshine dated January 21, 2020, approximately four months after the data breach was discovered. On that day as well, Sunshine put out a press release announcing the data breach.

Someone has since tried to open a credit card account in Fuentes’s name; he has also received magazine subscriptions that he did not ask for. The complaint claims he “has spent in excess of 10 hours of his own time trying to make sure he has not and does not become victimized because of the Data Breach.”

That’s not all. The complaint claims that “according to the California Attorney General, the Data Breach began on March 1, 2017. Thus, [Sunshine] did not learn of the data breach until 30 months after it began.” Also alarming, the complaint alleges that Sunshine did not discover the data breach itself “but first learned of the Data Breach after being notified by an individual not affiliated with [Sunshine].” The company then changed the settings to stop making the information freely available and then in November “took additional actions to remove the records from general Internet access.”

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Sunshine Behavioral Health Group Data Breach Complaint

March 10, 2020

The Sunshine Behavioral Health Group, LLC, says the complaint for this class action, “operates luxury drug and alcohol addiction rehabilitation facilities in California, Colorado, and Texas.” In that role, it possessed a good deal of confidential and personal information on patients and payors. The complaint alleges Sunshine did not take adequate measures to protect this information. On September 4, 2019, it learned that a data breach had exposed the information of some 3,500 patients.

Sunshine Behavioral Health Group Data Breach Complaint

Case Event History

Sunshine Behavioral Health Group Data Breach Complaint

March 10, 2020

The Sunshine Behavioral Health Group, LLC, says the complaint for this class action, “operates luxury drug and alcohol addiction rehabilitation facilities in California, Colorado, and Texas.” In that role, it possessed a good deal of confidential and personal information on patients and payors. The complaint alleges Sunshine did not take adequate measures to protect this information. On September 4, 2019, it learned that a data breach had exposed the information of some 3,500 patients.

Sunshine Behavioral Health Group Data Breach Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Stolen Medical Information