Class Action Lawsuit Filed Against Tandem Diabetes Care Over January 2020 Phishing Attack

Tandem Diabetes Care Inc., the San Diego medical device maker, faces a class-action lawsuit in California over a January 2020 data breach that resulted in the compromise and probable theft of the protected health information (PHI) of over 140,000 persons.

Unauthorized individuals gained access to an employee’s email account from January 17 to January 20, 2020, as a result of a phishing attack. The information in the email account varied from one patient to another. It included names, dates of birth, insurance details, billing details, healthcare information, and Social Security numbers.

Tandem Diabetes Care reported the incident to the HHS’ Office for Civil Rights on March 17, 2020, indicating that 140,781 individuals were affected. At the same time, the company sent notification letters to the affected individuals.

The lawsuit was filed in the United States District Court for the Southern District of California and claims that Tandem Diabetes Care violated the Confidentiality of Medical Information Act (CMIA). The plaintiff and class members seek damages for the negligent disclosure of their personal and healthcare data, as well as injunctive relief.

CMIA requires healthcare service providers to implement safeguards that keep individually identifiable medical information confidential, and it prohibits the disclosure of that data without prior patient consent. Unlike HIPAA, CMIA provides a private cause of action, which permits patients to take legal action over the negligent disclosure of their confidential medical data.

The plaintiff is identified as C.H., and the putative class is split into two subclasses: all California citizens who had their identities, personal data, and medical data contained in the email account, and all other people whose data were exposed.

The legal action alleges negligence for failing to protect individually identifiable health information. It alleges that, because the Defendant’s email account was accessible to third parties, the Defendant negligently generated, maintained, saved, kept, and then disclosed the individually identifiable medical information of the Plaintiff and the Class members.

The lawsuit claims that Tandem Diabetes Care failed to maintain sufficient technological safeguards, which directly and proximately created a foreseeable risk of patient data loss and harm, such as identity theft and other economic harm.

The lawsuit claims that patients have suffered damages due to the unauthorized disclosure of their private and protected medical information. It seeks nominal damages of $1,000 for each class member, repayment for actual damages sustained, damages provided by the common law, and legal fees.

Joshua B. Swigart of the Swigart Law Group filed the lawsuit and is seeking class action status as well as a jury trial.