A potential class-action lawsuit has been filed against Rady Children's Hospital over a data breach that went undetected for months, potentially exposing the personal information of thousands of children who received care from their radiology department.
The lawsuit, filed on behalf of a family who was alerted by the hospital that their child's records may have been accessed by an outside source, alleges Rady Children's Hospital personnel were negligent in allowing confidential medical and personal information to be disclosed.
In its communication, the hospital "fails to state whether the information subject to the Breach was encrypted in any fashion," the lawsuit said.
It also alleges the hospital, which is the only in San Diego to focus solely on the care of children, violated the Confidentiality of Medical Information Act (CMIA) and the state's Unfair Competition Law.
"As a minor, Plaintiff is in an especially vulnerable position to be subjected to identity theft before even reaching adulthood," the lawsuit said.
In February, the hospital informed the parents and guardians of 2,360 radiology department patients that some of their records may have been compromised when an internet port was accessed without authorization.
The breach occurred as early as June 20, 2019, and was discovered on Jan. 3, 2020, when an information security firm alerted Rady Children's Hospital personnel, according to the hospital.
The hospital said the information was secured immediately after the breach was discovered. Then, an investigation was launched, though it wasn't until Feb. 5, 2020, that investigators determined patients' personal information was accessed.
Patients were not notified of the breach until late February, nearly two months after the breach was first discovered, according to the lawsuit.
"At no point during its nearly two-month investigation is there a record that Defendants made any public announcement regarding the Breach, nor did it timely inform its patients that their most sensitive personal information had been compromised by any unauthorized third party," the lawsuit said.
The compromised information included the type and date of imaging studies some patients underwent, including their names and genders. In some cases, dates of birth, medical record numbers, the parent or gaurdians' names, descriptions of the imaging study and the names of the referring physician were also accessed.
No social security numbers, credit card numbers, radiology images or reports or diagnoses were involved, according to Rady Children's.
The hospital offered those affected complimentary identity protection services offered by the hospital for 12 months but the lawsuit said, "...this purported 'remedy' is insufficient to cure the harm caused by Defendants."
If the class-action lawsuit advances, it would include thousands of patients who were alerted by the hospital that their information was potentially accessed during the months-long breach.
Attorneys are seeking a trial by jury and statutory, economic and non-economic restitution for the patients affected.
A spokesperson for Rady Children's Hospital said it "does not respond to allegations made in pending litigation and will rely on the legal process to address the allegations."
The hospital also offered any parent or guardian who has questions about the breach to contact them at 1-844-902-2025.
The non-profit Rady Children's Hospital provided care to more than 245,000 children in fiscal year 2019.