Communications Litigation Today was a Warren News publication.
'Improperly Removed'

Amended Complaint in Dish Privacy Suit Adds HIPAA Violation Claims

June 1, 2023 by Rebecca Day|Top News

Four plaintiffs, including current and former Dish Network employees, joined a class action against Dish after a Feb. 23 data breach, said the first amended complaint (docket 1:23-cv-01168) to a May 9 lawsuit in U.S. District Court for Colorado in Denver (see 2305110027). The privacy suit alleges Dish failed to properly secure customers’ and employees’ personally identifiable information (PII) from hackers after a February network outage. The amended complaint also added violations of the Health Insurance Portability and Accountability Act (HIPAA).

After plaintiff Susan Owen-Brooks of Ahoskie, North Carolina, learned of the security incident, she discovered more than $200 had been “improperly removed” from her Dish account without her consent, alleged the complaint. The amended complaint clarified that Owen-Brooks pays her bills “at least one or two months in advance,” and when she checked her account in late February, she discovered the $200 in her account “had been improperly removed” without her consent. A customer support representative told her Dish had been hacked and confirmed to Owen-Brooks her PII was part of the breach, it said.

Joining the class action, plaintiff Suzanne Cook, a Florida resident, said she was informed as a Dish employee that her private information was compromised in the data breach, as was that of Florida resident and Dish employee Crystal Bane, said the amended complaint. Plaintiff and Colorado resident Rebecca Dougherty, a former Dish employee, was informed by Dish that her private information was compromised in the data breach, said the complaint, and plaintiff Jada Looney of Kansas is suing Dish in the privacy suit on behalf of her three minor children, M.L., J.L., and S.L., whose private information was also allegedly compromised in the breach.

In the original complaint, Owen-Brooks said Dish hasn’t divulged to plaintiffs, or the public, the exact information that was accessed in the data breach but “given the widespread nature of the breach” and that Dish collects “all of this data” as part of a requirement for service, she believes it “includes or may include: individuals’ names, addresses, telephone numbers, email addresses, Social Security numbers, dates of birth, driver’s license numbers, bank account data, and credit card numbers.”

The amended complaint added HIPAA allegations. It cited HIPAA’s Title II administration simplification provisions designed to streamline standards for handling protected health information (PHI), which plaintiffs called “similar to the data Defendant left unguarded and vulnerable to attack.”

The data breach resulted from a “combination of insufficiencies that indicate DISH failed to comply with safeguards mandated by HIPAA regulations and industry standards,” said the amended complaint. The company either failed to implement, or inadequately implemented, information security policies to protect class members’ PHI, it said. Private information compromised in the breach included protected health information as defined by the Code of Federal Regulations, it said. Dish didn't comment.