author photo
By Bruce Sussman
Wed | Dec 4, 2019 | 9:54 AM PST

This is the story of a phishing campaign, failed cybersecurity, and a data breach notification violation.

At least, that's how a new lawsuit against Solara Medical Supplies tells it.

The data breach at the largest U.S. independent supplier of insulin pumps and Continuous Glucose Monitors impacted 114,000 patients.

Two things seem clear at first glance:

  1. This data breach could make the hacker behind it a lot of money on the Dark Web. 
  2. This data breach could cost the company involved some serious cash if the accusations against it are true.

Medical vendor data breach: what we know for certain

According to the data breach notification letter from Solara Medical Supplies, employees fell for a phishing attack which compromised nine email accounts.

The company admits it was months before it knew about this:

"Solara determined that an unknown actor gained access to a limited
number of employee Office 365 accounts, from April 2, 2019 to June 20, 2019, as a result of a phishing email campaign."

This means for more than two and a half months, the hacker had access to all kinds of identifying information and records. Check out the list, which is a hacker's paradise:

  • name
  • address
  • date of birth
  • Social Security number
  • Employee Identification Number
  • medical information
  • health insurance information
  • financial information
  • credit / debit card information
  • driver's license / state ID
  • passport information
  • password / PIN or account login information
  • billing / claims information
  • Medicare ID / Medicaid ID

SecureWorld recently covered the profit this kind of information can lead to for cybercriminals. If you've wondered about this, be sure to read Hacked Credit Card Numbers: $20M in Fraud from a Single Marketplace. It is eye-opening.

Beyond that, anytime medical information is included in a data breach, the stakes go up; the personal impacts go up.

"You can fix things that happen with your Social Security Number, you can get a new credit card when your card information is compromised. But when your protected health information is compromised, it's a totally different situation," says Tamika Bass, CISO at the Georgia Department of Public Health.

We interviewed Bass at a SecureWorld cybersecurity conference after her presentation. You can't change your medical information if it gets breached; there is no taking things back.

And according to HIPPA Journal, that's part of the complaint from the lawsuit's named victim:

"The plaintiff, Juan Maldonado, is a customer of Solara Medical Supplies who uses products supplied by the company to help manage his medical condition. The lawsuit states that the sensitive, personal information of Maldonado is now in the hands of cybercriminals...."

Data breach lawsuit against Solara

The lawsuit against Solara Medical Supplies makes a number of accusations, and Health IT Security does a nice job of summing them up:

"Filed in the US District Court of the Southern District of California, the lawsuit argues that Solara's failure to protect patients' personal and medical information allowed hackers 'to steal everything they could possibly need to commit nearly every conceivable form of identity theft.'

The breach victims also claim Solara failed to implement reasonable security measures that would ensure the vendor's systems were protected. The vendor is also accused of failing to take adequate steps to prevent the breach and timely detect the security incident."

The lawsuit also points to a HIPPA data breach violation in this case. Because the healthcare privacy law contains specific requirements that the suit says Solara failed to follow.

"Under HIPAA, covered entities must report breaches impacting more than 500 patients within 60 days of discovering the breach—not at the close of an investigation. The breach victims argue that 'during this time, the cybercriminals had free reign to defraud their unsuspecting victims.'

Solara apparently chose to complete its internal investigation and develop its excuses and speaking points before giving class members the information they needed to protect themselves against fraud and identity theft."

We know that 60-day window was missed in this case. The breach notification letter from the company says its investigation started in July:

"Through this investigation on July 3, 2019, Solara determined that certain information present within the employee Office 365 accounts may have been accessed or acquired by an unknown actor at the time of the incident."

Yet data breach notification did not occur until November.

We'll see if there is some exception to that rule or an extenuating circumstance in this case.

After the Solara Medical data breach: law firms compete for business

Chances are good that the new lawsuit against Solara Medical is the first to be filed but not the last.

Law firms are actively seeking victims in the case—and they're tweeting about it:

By the way, if you get a phone call from law firm Federman & Sherwood, it probably means you have a data breach on your hands.

In Q4-2019, the company announced it was "opening investigations" and looking for plaintiffs in these cases:

  • Data breach at Church's Fried Chicken
  • Data breach at Hy-Vee Inc.
  • Data breach of Chegg, Incorporated

And now, Solara Medical Supplies.

If you're a law firm that sues after data breaches, these are busy times.

[RELATED: Cybersecurity and privacy law is a moving target. How can your organization think of it strategically? Listen to our podcast interview with Jordan Fischer, cyber attorney at XPAN Law Goup.]