Communications Litigation Today was a Warren News publication.
'On Notice'

Former Employee Sues Dish for Negligence Following Data Breach

June 5, 2023 by Rebecca Day|Top News

Dish failed to protect current and former customers’ and employees’ personally identifiable information (PII) from hackers, alleged a class action (1:23-cv-01372) Wednesday in U.S. District Court for Colorado in Denver.

Plaintiff Alan Ellerbrock, an Ohio resident and a Dish employee from 2015-2018, was informed by the company in a letter May 17 that his “highly sensitive” personal information, and that of family members, had been compromised in the Feb. 23 breach, said the complaint. The letter informed him the PII stolen "appears to include" his health insurance information and Social Security number, the complaint said.

Dish offered Ellerbrock two years of credit monitoring services if he took “the additional step” of signing up before Aug. 31, the complaint said. The plaintiff called the two-year term “not sufficient” since he “will now experience a lifetime of increased risk of identity and potential medical fraud.

Ellerbrock suffered “imminent and impending injury” arising from the “substantially increased risk of future fraud, identity theft and misuse” caused by his PII being “placed in the hands of criminals,” said the complaint. It also cost him out-of-pocket costs that he spent to enroll in Norton cybersecurity protection services, it said. He expects to have to buy more comprehensive protection in the future due to “increased, imminent, and impending risks resulting from the exposure of his sensitive information.”

The potential for improper disclosure of Ellerbrock’s and class members’ private information was a known risk to Dish, which was “on notice” that failing to take necessary action to secure the private information from those risks “left that property in a dangerous condition,” said the complaint. The company failed to properly monitor the computer network and systems that housed the personal information; if it had monitored the information properly, it could have prevented the data breach from occurring “or at least discovered” it sooner, the complaint said.

Dish employees are required to give the company personal information including name, address, Social Security and driver’s license numbers, financial account and payment card information, and vaccine and health insurance information, said the complaint. Its privacy policy touts that the company takes personal information seriously and uses “commercially reasonable” efforts to protect and maintain it against loss, misuse, unauthorized access and disclosure, said the complaint.

Dish failed to comply with safeguards mandated by the administrative simplification provisions of the Health Insurance Portability and Accountability Act, said the complaint. Based on the notice to class members, Ellerbrock believes his unsecured personal health information has been “acquired, accessed, used, and/or disclosed" in a manner not permitted under Title 45 of the Code of Federal Regulations, it said.

Ellerbrock asserts claims of negligence, breach of contract and unjust enrichment and seeks actual and statutory damages, equitable relief, restitution, disgorgement and legal costs, said the complaint. He also seeks an injunctive order to protect his and the class’ interests and an order requiring Dish to pay for lifetime credit monitoring and identity theft insurance for its data breach victims, it said. Dish didn't comment.