Dish Fell Short of Duties Required by HIPAA in Feb. Data Breach, Says Class Action
Dish Network failed to secure and safeguard customers’ personal health information (PHI) and personally identifiable information (PII) stored on its data network, said a privacy class action (1:23-cv-01319) Wednesday in U.S. District Court for Colorado in Denver, following the company's February network outage and data breach.
Customers’ Social Security numbers; vaccination records; health insurance information; government identification, financial account and driver’s license numbers; dates of birth; and payment card numbers are among plaintiffs’ information exposed in Dish’s Feb. 23 data breach, which the company didn’t begin notifying customers about until May 8, said the complaint. Dish disclosed the outage and breach in a Feb. 23 SEC filing.
Dish also failed to inform victims when or for how long the data breach occurred, said the complaint. Plaintiff John Cruse, a Tennessee resident, received his notification in a letter dated May 15, the complaint said.
Dish knew or should have known customers would use its services to store and share highly sensitive data, said the complaint. It cited the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for the protection of individuals’ medical records and other personal health information. HIPAA requires appropriate safeguards to be maintained by organizations such as Dish to protect individuals’ personal health information, and it sets limits and conditions on uses and disclosures that may be made of such information without customer authorization, it said.
Cruse’s claims aren’t for direct violations of HIPAA but for “various legal violations merely predicated upon the duties set forth in HIPAA,” the complaint said. Members’ PHI/PII was compromised through “disclosure to an unknown and unauthorized third party -- an undoubtedly nefarious third party seeking to profit off this disclosure by defrauding” plaintiff and class members in the future, it said.
Following notification of the breach, Cruse spent time dealing with its consequences, which continue to include time spent verifying its impact, exploring credit monitoring and identity theft insurance options, self-monitoring accounts and seeking legal counsel for remedying and mitigating the effects of the breach. Cruse has suffered lost time, annoyance, interference and inconvenience due to the breach and “imminent and impending injury” from the “substantially increased risk of fraud, identity theft and misuse” of his personal information, it said.
The ramifications of Dish’s failure to keep plaintiffs’ PHI/PII secure are “long lasting and severe,” said the complaint. Once identification numbers are stolen, their fraudulent use and damage to victims “may continue for years,” it said. Hackers stole the data “to engage in identity theft” or sell it to other criminals who will use it for that purpose, it said. The fraudulent activity resulting from the data breach “may not come to light for years,” it said.
Plaintiff claims negligence and breach of implied contract. He seeks for himself and the class an award of actual, nominal and consequential damages; an award of attorneys’ fees and legal costs; an order to cease and desist from unlawful activities; and orders requiring Dish to delete and purge class members’ PHI/PII, implement an information security program, engage third-party security auditors to run automated monitoring of its systems, cease storing PHI/PII on a cloud-based database, plus other threat-management processes. Dish didn’t comment.