
CIRCUIT COURT FOR BALTIMORE COUNTY, MARYLAND

401 Bosley Avenue, P.O. Box 6754

Towson, MD 21285-6754

To: MARYLAND HEALTH ENTERPRISES, INC., D/B/A LORIEN HEALTH SERVICES

1205 YORK ROAD LUTHERVILLE, MD 21093

Main: 410-887-2601

Fax: 410-887-3062

Case Number: C-03-CV-20-002899

Other Reference Number(s):

PAMELA KLEMM, ET AL. VS. MARYLAND HEALTH ENTERPRISES, INC., D/B/A LORIEN HEALTH SERVICES

Issue Date: 8/17/2020

WRIT OF SUMMONS

You are hereby summoned to file a written response by pleading or motion, within 30 days after service of this summons upon you, in this Court, to the attached complaint filed by:

PAMELA KLEMM (No Known Address); CATHERINE ROMANS (No Known Address)

This summons is effective for service only if served within 60 days after the date it is issued.

Julie L. Ensor, Clerk of the Circuit Court

To the person summoned: Failure to file a response within the time allowed may result in a judgment by default or the granting of the relief sought against you. Personal attendance in court on the day named is NOT required.

Instructions for Service:

1. This summons is effective for service only if served within 60 days after the date issued.

2. Proof of Service shall set out the name of the person served, date and the particular place and manner of service. If service is not made, please state the reasons.

3. Return of served or unserved process shall be made promptly and in accordance with Maryland Rule 2-126.

4. If this notice is served by private process, process server shall file a separate affidavit as required by Maryland Rule 2-126(a).

CC-CV-032 (Rev. 06/2019) Page 1 of 2 08/17/2020 1:53 PM

Pamela Klemm, et al. vs. MARYLAND HEALTH ENTERPRISES, INC., d/b/a LORIEN HEALTH SERVICES

Case Number: C-03-CV-20-002899

SHERIFF'S RETURN

Circuit Court for Baltimore County

Served:

Date:

Time:

By:

Sheriff fee: $

With the following:

❑ Summons
❑ Complaint
❑ Motions
❑ Petition and Show Cause Order
❑ Counter Complaint
❑ Domestic Case Information Report
❑ Financial Statement
❑ Other (please specify)

Was unable to serve because:

❑ Moved, left no forwarding address
❑ Address not in jurisdiction
❑ No such address
❑ Other (please specify)

Sheriff fee: $

Serving Sheriff's Signature & Date:

Instructions to Private Process Server:

1. This Summons is effective for service only if served within 60 days after the date issued.

2. Proof of Service shall set out the name of the person served, date and the particular place and manner of service. If service is not made, please state the reasons.

3. Return of served or unserved process shall be made promptly and in accordance with Rule 2-126.

4. If this summons is served by private process, process server shall file a separate affidavit as required by Rule 2-126(a).

CC-CV-032 (Rev. 06/2019) Page 2 of 2 08/17/2020 1:53 PM

E-FILED; Baltimore County Circuit Court Docket: 7/28/2020 11:26 AM; Submission: 7/28/2020 11:26 AM

IN THE CIRCUIT COURT FOR Baltimore County (city or County)

CIVIL - NON-DOMESTIC CASE INFORMATION REPORT

DIRECTIONS

Plaintiff: This Information Report must be completed and attached to the complaint filed with the Clerk of Court unless your case is exempted from the requirement by the Chief Judge of the Court of Appeals pursuant to Rule 2-111(a).

Defendant: You must file an Information Report as required by Rule 2-323(h).

THIS INFORMATION REPORT CANNOT BE ACCEPTED AS A PLEADING.

FORM FILED BY: ❑ PLAINTIFF ❑ DEFENDANT

CASE NUMBER:

CASE NAME: Pamela Klemm and Catherine Romans, on behalf of themselves and all others similarly situated, vs. Maryland Health Enterprises, Inc., d/b/a Lorien Health Services

PARTY'S NAME: Pamela Klemm    PHONE: (443) 536-5718

PARTY'S ADDRESS: 622 Hornbeam Rd, Edgewood, MD 21040

PARTY'S E-MAIL: [email protected]

If represented by an attorney:

PARTY'S ATTORNEY'S NAME: Gary E. Mason    PHONE: (202) 429-2290

PARTY'S ATTORNEY'S ADDRESS: 5101 Wisconsin Ave., NW, Suite 305, Washington, D.C. 20016

PARTY'S ATTORNEY'S E-MAIL: [email protected]

JURY DEMAND? ☒ Yes ❑ No

RELATED CASE PENDING? ☒ Yes ❑ No    If yes, Case #(s), if known:

ANTICIPATED LENGTH OF TRIAL?: hours / days

PLEADING TYPE

New Case: ❑ Original ❑ Administrative Appeal ❑ Appeal

Existing Case: ❑ Post-Judgment ❑ Amendment

If filing in an existing case, skip Case Category/Subcategory section; go to Relief section.

IF NEW CASE: CASE CATEGORY/SUBCATEGORY (Check one box.)

TORTS

❑ Asbestos ❑ Assault and Battery ❑ Business and Commercial ❑ Conspiracy ❑ Conversion ❑ Defamation ❑ False Arrest/Imprisonment ❑ Fraud ❑ Lead Paint (DOB of Youngest Plt:) ❑ Loss of Consortium ❑ Malicious Prosecution ❑ Malpractice-Medical ❑ Malpractice-Professional ❑ Misrepresentation ❑ Motor Tort ❑ Negligence ❑ Nuisance ❑ Premises Liability ❑ Product Liability ❑ Specific Performance ❑ Toxic Tort ❑ Trespass ❑ Wrongful Death

CONTRACT

❑ Asbestos ☒ Breach ❑ Business and Commercial ❑ Confessed Judgment ❑ Construction ❑ Debt ❑ Fraud ❑ Government ❑ Insurance ❑ Product Liability

PROPERTY

❑ Adverse Possession ❑ Breach of Lease ❑ Detinue ❑ Distress/Distrain ❑ Ejectment ❑ Forcible Entry/Detainer ❑ Foreclosure (❑ Commercial ❑ Residential ❑ Currency or Vehicle ❑ Deed of Trust ❑ Land Installments ❑ Lien ❑ Mortgage ❑ Right of Redemption ❑ Statement Condo) ❑ Forfeiture of Property / Personal Item ❑ Fraudulent Conveyance ❑ Landlord-Tenant ❑ Lis Pendens ❑ Mechanic's Lien ❑ Ownership ❑ Partition/Sale in Lieu ❑ Quiet Title ❑ Rent Escrow ❑ Return of Seized Property ❑ Right of Redemption ❑ Tenant Holding Over

PUBLIC LAW

❑ Attorney Grievance ❑ Bond Forfeiture Remission ❑ Civil Rights ❑ County/Mncpl Code/Ord ❑ Election Law ❑ Eminent Domain/Condemn. ❑ Environment ❑ Error Coram Nobis ❑ Habeas Corpus ❑ Mandamus ❑ Prisoner Rights ❑ Public Info. Act Records ❑ Quarantine/Isolation ❑ Writ of Certiorari

EMPLOYMENT

❑ ADA ❑ Conspiracy ❑ EEO/HR ❑ FLSA ❑ FMLA ❑ Workers' Compensation ❑ Wrongful Termination

INDEPENDENT PROCEEDINGS

❑ Assumption of Jurisdiction ❑ Authorized Sale ❑ Attorney Appointment ❑ Body Attachment Issuance ❑ Commission Issuance ❑ Constructive Trust ❑ Contempt ❑ Deposition Notice ❑ Dist Ct Mtn Appeal ❑ Financial ❑ Grand Jury/Petit Jury ❑ Miscellaneous ❑ Perpetuate Testimony/Evidence ❑ Prod. of Documents Req. ❑ Receivership ❑ Sentence Transfer ❑ Set Aside Deed ❑ Special Adm. - Atty ❑ Subpoena Issue/Quash ❑ Trust Established ❑ Trustee Substitution/Removal ❑ Witness Appearance-Compel

PEACE ORDER

❑ Peace Order

EQUITY

❑ Declaratory Judgment ❑ Equitable Relief ❑ Injunctive Relief ❑ Mandamus

OTHER

❑ Accounting ❑ Friendly Suit ❑ Grantor in Possession ❑ Maryland Insurance Administration ❑ Miscellaneous ❑ Specific Transaction ❑ Structured Settlements

CC-DCM-002 (Rev. 04/2017) Page 1 of 3

IF NEW OR EXISTING CASE: RELIEF (Check All that Apply)

❑ Abatement ❑ Administrative Action ❑ Appointment of Receiver ❑ Arbitration ❑ Asset Determination ❑ Attachment b/f Judgment ❑ Cease & Desist Order ❑ Condemn Bldg ❑ Contempt ❑ Court Costs/Fees ☒ Damages-Compensatory ❑ Damages-Punitive ❑ Earnings Withholding ❑ Enrollment ❑ Expungement ❑ Findings of Fact ❑ Foreclosure ❑ Injunction ❑ Judgment-Affidavit ❑ Judgment-Attorney Fees ❑ Judgment-Confessed ❑ Judgment-Consent ❑ Judgment-Declaratory ❑ Judgment-Default ❑ Judgment-Interest ❑ Judgment-Summary ❑ Liability ❑ Oral Examination ❑ Order ❑ Ownership of Property ❑ Partition of Property ❑ Peace Order ❑ Possession ❑ Production of Records ❑ Quarantine/Isolation Order ❑ Reinstatement of Employment ❑ Return of Property ❑ Sale of Property ❑ Specific Performance ❑ Writ-Error Coram Nobis ❑ Writ-Execution ❑ Writ-Garnish Property ❑ Writ-Garnish Wages ❑ Writ-Habeas Corpus ❑ Writ-Mandamus ❑ Writ-Possession

If you indicated Liability above, mark one of the following. This information is not an admission and may not be used for any purpose other than Track Assignment.

❑ Liability is conceded. ❑ Liability is not conceded, but is not seriously in dispute. ❑ Liability is seriously in dispute.

MONETARY DAMAGES (Do not include Attorney's Fees, Interest, or Court Costs)

❑ Under $10,000 ❑ $10,000 - $30,000 ❑ $30,000 - $100,000 ❑ Over $100,000

❑ Medical Bills $ ❑ Wage Loss $ ❑ Property Damages $

ALTERNATIVE DISPUTE RESOLUTION INFORMATION

Is this case appropriate for referral to an ADR process under Md. Rule 17-101? (Check all that apply)

A. Mediation ❑ Yes ☒ No
B. Arbitration ❑ Yes ☒ No
C. Settlement Conference ❑ Yes ☒ No
D. Neutral Evaluation ❑ Yes ☒ No

SPECIAL REQUIREMENTS

❑ If a Spoken Language Interpreter is needed, check here and attach form CC-DC-041

❑ If you require an accommodation for a disability under the Americans with Disabilities Act, check here and attach form CC-DC-049

ESTIMATED LENGTH OF TRIAL

With the exception of Baltimore County and Baltimore City, please fill in the estimated LENGTH OF TRIAL. (Case will be tracked accordingly)

❑ 1/2 day of trial or less ❑ 1 day of trial time ❑ 2 days of trial time ❑ 3 days of trial time ❑ More than 3 days of trial time

BUSINESS AND TECHNOLOGY CASE MANAGEMENT PROGRAM

For all jurisdictions, if Business and Technology track designation under Md. Rule 16-308 is requested, attach a duplicate copy of complaint and check one of the tracks below.

❑ Expedited - Trial within 7 months of Defendant's response ❑ Standard - Trial within 18 months of Defendant's response

EMERGENCY RELIEF REQUESTED

CC-DCM-002 (Rev. 04/2017) Page 2 of 3

COMPLEX SCIENCE AND/OR TECHNOLOGICAL CASE MANAGEMENT PROGRAM (ASTAR)

FOR PURPOSES OF POSSIBLE SPECIAL ASSIGNMENT TO ASTAR RESOURCES JUDGES under Md. Rule 16-302, attach a duplicate copy of complaint and check whether assignment to an ASTAR is requested.

❑ Expedited - Trial within 7 months of Defendant's response ❑ Standard - Trial within 18 months of Defendant's response

IF YOU ARE FILING YOUR COMPLAINT IN BALTIMORE CITY, OR BALTIMORE COUNTY, PLEASE FILL OUT THE APPROPRIATE BOX BELOW.

CIRCUIT COURT FOR BALTIMORE CITY (CHECK ONLY ONE)

❑ Expedited: Trial 60 to 120 days from notice. Non jury matters.
❑ Civil-Short: Trial 210 days from first answer.
❑ Civil-Standard: Trial 360 days from first answer.
❑ Custom: Scheduling order entered by individual judge.
❑ Asbestos: Special scheduling order.
❑ Lead Paint: Fill in: Birth Date of youngest plaintiff
❑ Tax Sale Foreclosures: Special scheduling order.
❑ Mortgage Foreclosures: No scheduling order.

CIRCUIT COURT FOR BALTIMORE COUNTY

❑ Expedited (Trial Date: 90 days): Attachment Before Judgment, Declaratory Judgment (Simple), Administrative Appeals, District Court Appeals and Jury Trial Prayers, Guardianship, Injunction, Mandamus.

❑ Standard (Trial Date: 240 days): Condemnation, Confessed Judgments (Vacated), Contract, Employment Related Cases, Fraud and Misrepresentation, Intentional Tort, Motor Tort, Other Personal Injury, Workers' Compensation Cases.

❑ Extended Standard (Trial Date: 345 days): Asbestos, Lender Liability, Professional Malpractice, Serious Motor Tort or Personal Injury Cases (medical expenses and wage loss of $100,000, expert and out-of-state witnesses (parties), and trial of five or more days), State Insolvency.

❑ Complex (Trial Date: 450 days): Class Actions, Designated Toxic Tort, Major Construction Contracts, Major Product Liabilities, Other Complex Cases.

Date: 07/28/2020

Signature of Counsel / Party: /s/ Gary E. Mason, Esq.

Printed Name: Gary E. Mason

Address: 5101 Wisconsin Ave., NW, Suite 305

City, State, Zip Code: Washington, DC 20016

CC-DCM-002 (Rev. 04/2017) Page 3 of 3

E-FILED; Baltimore County Circuit Court Docket: 7/28/2020 1:30 PM; Submission: 7/30/2020 1:30 PM

IN THE CIRCUIT COURT FOR BALTIMORE COUNTY, MARYLAND

PAMELA KLEMM and CATHERINE ROMANS, on behalf of themselves and all others similarly situated,

Plaintiffs, v.

MARYLAND HEALTH ENTERPRISES, INC., d/b/a LORIEN HEALTH SERVICES,

Defendant.

Case No. C-03-CV-20-002899

CLASS ACTION COMPLAINT

Plaintiffs, PAMELA KLEMM ("Klemm") and Catherine Romans ("Romans") (collectively, "Plaintiffs"), on behalf of themselves and all others similarly situated, bring this action against Defendant MARYLAND HEALTH ENTERPRISES, INC., d/b/a LORIEN HEALTH SERVICES ("Defendant" or "MHE") to obtain damages, restitution, and injunctive relief for the Class, as defined below, from the Defendant. Plaintiffs make the following allegations upon information and belief, except as to their own actions, the investigation of their counsel, and the facts that are a matter of public record.

I. NATURE OF THE ACTION

1. This class action arises out of the recent ransomware attack and data breach that was perpetrated against Defendant MHE (the "Ransomware Attack"), which held in its possession certain personally identifiable information ("PII") and protected health information ("PHI") (collectively, "the Private Information") of the Plaintiffs and the putative Class Members (defined below).

2. The Private Information compromised in the Ransomware Attack included highly sensitive information such as names, Social Security numbers, dates of birth, addresses, and health diagnosis and treatment information.

3. The Ransomware Attack was a direct result of Defendant's failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect consumers' Private Information.

4. Plaintiffs bring this class action lawsuit on behalf of those similarly situated to address Defendant's inadequate safeguarding of Class Members' Private Information that it collected and maintained, and for failing to provide timely and adequate notice to Plaintiffs and other Class Members that their information had been subject to the unauthorized access of an unknown third party and precisely what specific type of information was accessed.

5. In addition, Defendant MHE and its employees failed to properly monitor the computer network and systems that housed the Private Information. Had MHE properly monitored its property, it would have discovered the intrusion sooner.

6. Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant's computer network in a condition vulnerable to cyberattacks. Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiffs' and Class Members' Private Information was a known risk to Defendant, and thus Defendant was on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.

7. Defendant disregarded the rights of Plaintiffs and Class Members by, inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure their data systems were protected against unauthorized intrusions; failing to disclose that they did not have adequately robust computer systems and security practices to safeguard Class Members' Private Information; failing to take standard and reasonably available steps to prevent the Ransomware Attack; and failing to provide Plaintiffs and Class Members prompt and accurate notice of the Ransomware Attack.

8. In addition, Defendant and its employees failed to properly monitor the computer network and systems that housed the Private Information. Had Defendant properly monitored its property, it would have discovered the intrusion sooner.

9. Plaintiffs' and Class Members' identities are now at risk because of Defendant's negligent conduct, since the Private Information that Defendant collected and maintained is now in the hands of data thieves.

10. Armed with the Private Information accessed in the Ransomware Attack, data thieves can commit a variety of crimes including, e.g., opening new financial accounts in Class Members' names, taking out loans in Class Members' names, using Class Members' information to obtain government benefits, filing fraudulent tax returns using Class Members' information, filing false medical claims using Class Members' information, obtaining driver's licenses in Class Members' names but with another person's photograph, and giving false information to police during an arrest.

11. As a result of the Ransomware Attack, Plaintiffs and Class Members have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiffs and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.

12. Plaintiffs and Class Members may also incur out-of-pocket costs for, e.g., purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identity theft.

13. Through this Complaint, Plaintiffs seek to remedy these harms on behalf of themselves and all similarly situated individuals whose Private Information was accessed during the Ransomware Attack.

14. Plaintiffs seek remedies including, but not limited to, compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant's data security systems, future annual audits, and adequate credit monitoring services funded by Defendant.

15. Accordingly, Plaintiffs bring this action against Defendant seeking redress for its unlawful conduct, and asserting claims for: (i) negligence, (ii) breach of express contract, (iii) breach of implied contract, (iv) breach of fiduciary duty, and (v) violation of Maryland's Consumer Protection Act, § 13-101, et seq.

II. JURISDICTION AND VENUE

16. This Court has jurisdiction over this action pursuant to § 1-501 of the Courts and Judicial Proceedings Article of the Maryland Code Annotated.

17. This Court has jurisdiction over Defendant pursuant to § 6-201 and § 6-103 of the Courts and Judicial Proceedings Article of the Maryland Code Annotated because Defendant is organized under the laws of the State of Maryland and the causes of action alleged herein arise from Defendant transacting business in Maryland.

18. Venue is proper in this district pursuant to § 6-102 of the Courts and Judicial Proceedings Article of the Maryland Code Annotated because Defendant (i) maintains its principal offices and carries on a regular business in this county; and (ii) a substantial part of the events and omissions giving rise to this action occurred in this county.

III. PARTIES

19. Plaintiff Klemm is, and at all times mentioned herein was, an individual citizen of the State of Maryland, residing in the city of Edgewood. Plaintiff Klemm was a customer of Defendant MHE and received notice of the Ransomware Attack from MHE.

20. Plaintiff Romans is, and at all times mentioned herein was, an individual citizen of the State of Maryland, residing in the city of Edgewood. Plaintiff Romans was a customer of Defendant MHE and received notice of the Ransomware Attack from MHE.

21. Defendant MHE is a Maryland corporation with its principal place of business at 1205 York Road, Lutherville, Maryland 21093.

IV. STATEMENT OF FACTS

A. Nature of Defendant's Businesses

22. Defendant is a for-profit nursing home, assisted living and rehabilitation company that operates nine (9) facilities in Baltimore, Howard, Harford and Carroll counties.

23. Defendant's services include, but are not limited to, assisted living, rehabilitation and therapy, dialysis, respite care, hospice services, tracheotomy care, and at-home care.

24. In the ordinary course of receiving health care services from Defendant, Plaintiffs and Class members provided Defendant with sensitive, personal, and private information such as:

a. name, address, phone number and email address;
b. dates of birth;
c. Social Security numbers;
d. information relating to individual medical history;
e. medical record information;
f. insurance information and coverage; and
g. treatment details.

25. Plaintiffs and Class Members were required to provide their sensitive, personal, and private information to Defendant as a condition of receiving services from Defendant.

26. Defendant maintains this Private Information on its servers and within its data infrastructure.

27. All of Defendant's employees, staff, entities, sites, and locations may share patient information with each other for various purposes, as disclosed in the Notice of Privacy Practices ("Privacy Policy") that Defendant is required to maintain.

28. The Privacy Policy is posted on Defendant's website and is provided to every patient upon request.

29. Because of the highly sensitive and personal nature of the information Defendant acquires and stores with respect to its patients, Defendant promises to: (1) maintain the privacy of patients' PHI; (2) maintain the confidentiality of health information that identifies its patients; (3) follow the terms of the notice of privacy practices that Defendant has in effect at the time; (4) obtain patients' written authorization for uses and disclosures that are not identified by the privacy notice; and (5) notify patients in the event it discovers a breach.[1]

[1] https://www.lorienhealth.com/application/files/8515/9121/1315/LHS_NPP_6.1.20.pdf.

30. Defendant MHE agreed to and undertook legal duties to maintain the PHI entrusted to it by Plaintiffs and Class Members safely, confidentially, and in compliance with all applicable laws, including the Health Insurance Portability and Accountability Act ("HIPAA").

31. The patient information held by Defendant in its computer systems and networks included the Private Information of Plaintiffs and Class Members.

B. The Ransomware Attack

32. Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker.[2]

33. On June 6, 2020, computer hackers gained access to Defendant MHE's computer servers and data infrastructure, which resulted in widespread encryption of files containing Personal Information that had been collected by Defendant.[3]

34. The computer hackers exfiltrated data and files from Defendant MHE's computer servers.

35. The data and files exfiltrated from Defendant MHE's computer servers included the PII and PHI of Plaintiffs and Class Members, including names, Social Security numbers, dates of birth, addresses, and health diagnosis and treatment information.

[2] https://www.proofpoint.com/us/threat-reference/ransomware (last visited July 27, 2020).

[3] See https://www.lorienhealth.com/contact/security-incident (last visited July 27, 2020).

36. The computer hackers also installed ransomware software on Defendant MHE's computers and servers.

37. The cyber criminals responsible for the hack of Defendant MHE's systems have publicly identified themselves as the notorious NetWalker ransomware gang.[4]

38. The NetWalker ransomware gang began targeting the healthcare sector in May 2020,[5] and targeted Defendant MHE for this ransomware attack. Defendant's vulnerability to remote desktop hacks, the type and variety of data stored by Defendant MHE, and the disruption to hospital operations that ransomware causes made Defendant a prime target for the NetWalker gang.

39. In recent years, the NetWalker ransomware gang has gained notoriety for "shaming" victims by exfiltrating and publishing organizations' sensitive data.[6] In particular, the NetWalker ransomware gang has been known to extort businesses by publicly posting breached data on the Internet, and threatening full dumps of stolen data if the gang's 'customers' do not pay for their files to be decrypted.[7] Victims have included Australian transportation and logistics firm Toll Group, the Champaign Urbana Public Health District (CHUPD) in Illinois, the city of Weiz in Austria, and, most recently, Michigan State University.

[4] https://healthitsecurity.com/news/magellan-health-data-breach-victim-tally-reaches-365k-patients (reporting that the Maze hacking group posted a zip file with data allegedly stolen from HFM during a ransomware attack in April) (last visited July 11, 2020).

[5] https://healthitsecurity.com/news/lorien-health-services-ransomware-attack-impacts-48k-patients (last visited July 27, 2020).

[6] https://www.cyberdefensemagazine.com/netwalker-ransomware-gang-threatens-to-release-michigan-state-university-files/ (last visited July 27, 2020).

[7] https://www.tripwire.com/state-of-security/featured/netwalker-ransomware-what-need-know/ (last visited July 27, 2020).

8

40. As one media outlet has described the NetWalker ransomware gang: "This is worse than a regular ransomware attack." In particular, "there remains the problem of the exfiltrated data. If that's released by the NetWalker gang then there are clear dangers — not only to your business, but also to your partners and customers."[8]

41. Unsurprisingly, in mid-June of 2020, NetWalker operators made the Ransomware Attack known, publishing screenshots of directory listings with 2020 date stamps and admission records as proof of compromise.[9]

42. According to reports, some of the data has been dumped online and a password-protected archive of 147MB is currently available via a file-sharing service.

43. The hackers also published the unlock key for the archive and labeled this cache "Part 1," indicating that they may leak more data in the future.

44. On or about July 16, 2020, well after breached Private Information was dumped online, Defendant MHE finally notified affected persons of the Ransomware Attack. The Notice of Data Incident ("Notice") stated in relevant part the following:[10]

[9] https://www.bleepingcomputer.com/news/security/lorien-health-services-discloses-ransomware-attack-affecting-nearly-50-000/ (last visited July 27, 2020).

[10] https://ago.vermont.gov/blog/2020/07/16/lorien-health-services-notice-of-data-breach-to-consumers/ (last visited July 27, 2020).

9

Re: Notice of Data Security Incident

Dear [First Name Last Name]:

I am writing to inform you of a data security incident that involved your personal information. At Lorien Health Services ("Lorien"), which you may know as [FACILITY], we take the privacy and security of your information very seriously. This is why I am notifying you of the incident, offering you credit monitoring and identity monitoring services, and informing you about steps you can take to help protect your personal information.

What Happened? On June 6, 2020, Lorien learned that data on our network had been encrypted. Upon discovering this incident, Lorien immediately engaged a team of cybersecurity experts to assist with our response and to determine whether any personal information may have been accessed during the incident. On June 10, 2020, the investigation determined that your information may have been accessed during the incident.

What Information Was Involved? The information involved resident admission forms which typically include names, Social Security numbers, dates of birth, addresses, and health diagnosis and treatment information.

What Are We Doing? As soon as we discovered the incident, we took the steps described above. We also notified the Federal Bureau of Investigation and will provide whatever cooperation is necessary to hold the perpetrators accountable. In addition, we are providing you with information to help protect your personal information, and offering identity monitoring and recovery services for 12 months through IDExperts as described below.

What You Can Do: You can follow the recommendations included with this letter to protect your personal information. We strongly encourage you to enroll in the credit monitoring and identity protection services through ID Experts. To enroll, please visit https://app.myidcare.com/account-creation/protect or call 1-833-431-1278 and provide the following enrollment code: XXXXXXXX. Please note you must enroll by October 16, 2020. If you have questions or need assistance, please call ID Experts at 1-833-431-1278.

For More Information: If you have any questions about this letter, please contact Lorien at 1-833-431-1278. Please accept our sincere apologies and know that we deeply regret any worry or inconvenience that this may cause you.

45. Upon information and belief, this notice was sent to 47,754 patients, including Plaintiffs, and has been posted on Defendant's website.

46. Incredibly, Defendant had not publicly disclosed the security breach when NetWalker named MHE online in mid-June and publicly posted the Private Information of Plaintiffs and Class Members. As one cybersecurity expert observed about the failure to immediately disclose ransomware attacks:

"The lack of disclosure obviously means that customers/clients/vendors/partners do not know that their data is now in the hands of cybercriminals and can be downloaded by anybody with an Internet connection. ... And that means they do not know that they should set up credit monitoring, notify their financial institution, be on the lookout for scams or spear phishing attempts."[11]

47. "[T]he fact that the information is posted on a publicly accessible website puts victims at risk of others stealing the personal data," reported one news outlet about the ramifications of ransomware attacks.[12]

48. Overall, the Private Information of 47,754 patients was impacted in the Ransomware Attack, including the Private Information of Plaintiffs.

49. Despite learning of the Ransomware Attack on June 6, 2020, and despite the fact that Defendant knew or should have known by June 10, 2020 that the NetWalker gang had exfiltrated patient data and would inevitably publish it online, breach notification letters were not sent to affected patients until July 16, 2020, almost forty (40) days after Defendant first learned of the breach.

50. The July notification date was approximately one month after the NetWalker ransomware gang published a sampling of the Private Information online for all cyberthieves to access, and well after the time period in which compromised breach victims could take prophylactic measures to safeguard their identities and Private Information.

C. Defendant's Patient Privacy Policies

[11] https://www.timesunion.com/business/article/Computer-breach-exposes-some-Community-Care-15067744.php (last visited July 12, 2020).

[12] Id.

11

51. As a healthcare service provider, Defendant is bound by HIPAA, which requires subject providers to comply with a series of administrative, physical security, and technical security requirements in order to protect patient information. Among other things, it mandates that medical providers develop, publish, and adhere to a privacy policy.

52. Defendant recognizes its obligations under HIPAA along with the commensurate obligation to safeguard and protect patient PHI and PII:

We will notify you of certain breaches of your personal health information, if they occur, as required by the HIPAA Privacy Rule requirements.13

53. Defendant assures consumers that "We will not use or disclose your health information without your authorization, except as described in this Notice."14

54. Defendant had an obligation created by HIPAA, contract, industry standards, common law, and representations made to Class Members, to keep Class Members' Private Information confidential and to protect it from unauthorized access and disclosure.

55. Plaintiffs and Class Members provided their Private Information to Defendant with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access.

56. Defendant's data security obligations were particularly important given the substantial increase in ransomware attacks and/or data breaches in the healthcare industry preceding the date of the breach.

13 https://www.lorienhealth.com/application/files/8515/9121/1315/LHS_NPP_6.1.20.pdf (last visited July 27, 2020).

14 Id.

57. Data breaches, including those perpetrated against the healthcare sector of the economy, have become widespread. In 2016, the number of U.S. data breaches surpassed 1,000, a record high and a forty percent increase in the number of data breaches from the previous year. In 2017, a new record high of 1,579 breaches were reported, representing a 44.7 percent increase over 2016. In 2018, there was an extreme jump of 126 percent in the number of consumer records exposed from data breaches. In 2019, there was a 17 percent increase in the number of breaches (1,473) over 2018, with 164,683,455 sensitive records exposed.

58. The number of data breaches in the healthcare sector skyrocketed in 2019, with 525 reported breaches exposing nearly 40 million sensitive records (39,378,157), compared to only 369 breaches that exposed just over 10 million sensitive records (10,632,600) in 2018.

59. Indeed, ransomware attacks, such as the one experienced by Defendant, have become so notorious that the Federal Bureau of Investigation ("FBI") and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack. Indeed, one media outlet specifically reported that "[t]he operators of NetWalker ransomware have been aggressively targeting healthcare organizations."15

60. Therefore, the increase in such attacks, and attendant risk of future attacks, was widely known to the public and to anyone in Defendant's industry, including Defendant.

15 https://www.spamtitan.com/web-filtering/netwalker-ransomware-aggressive-campaign-healthcare-organizations-universities/ (last visited July 27, 2020).

DEFENDANT FAILS TO COMPLY WITH FTC GUIDELINES

61. The Federal Trade Commission ("FTC") has promulgated numerous guides for businesses which highlight the importance of implementing reasonable data security practices. According to the FTC, the need for data security should be factored into all business decision-making.

62. In 2016, the FTC updated its publication, Protecting Personal Information: A Guide for Business, which established cyber-security guidelines for businesses. The guidelines note that businesses should protect the personal customer information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network's vulnerabilities; and implement policies to correct any security problems. The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.

63. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to sensitive data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.

64. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act ("FTCA"), 15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

65. These FTC enforcement actions include actions against healthcare providers like Defendant. See, e.g., In the Matter of LabMD, Inc., A Corp., 2016-2 Trade Cas. (CCH) ¶ 79708, 2016 WL 4128215, at *32 (MSNET July 28, 2016) ("[T]he Commission concludes that LabMD's data security practices were unreasonable and constitute an unfair act or practice in violation of Section 5 of the FTC Act.")

66. Defendant failed to properly implement basic data security practices. Defendant's failure to employ reasonable and appropriate measures to protect against unauthorized access to patient PII and PHI constitutes an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

67. Defendant was at all times fully aware of its obligation to protect the PII and PHI of its patients. Defendant was also aware of the significant repercussions that would result from its failure to do so.

DEFENDANT FAILS TO COMPLY WITH INDUSTRY STANDARDS

68. Experts studying cyber security routinely identify healthcare providers as being particularly vulnerable to cyberattacks because of the value of the PII and PHI which they collect and maintain.

69. As an article about a recent Microsoft ransomware study stated, "All hospitals and healthcare organizations need to defend themselves against ransomware, especially during this challenging time."16 Microsoft provided a list of 11 best practices tips for how hospitals should protect themselves against ransomware.

70. Several best practices have been identified that at a minimum should be implemented by healthcare providers like Defendant, including but not limited to: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable without a key; multi-factor authentication; backing up data; and limiting which employees can access sensitive data.

71. A number of industry and national best practices have been published and should be used as a go-to resource when developing an institution's cybersecurity standards. The Center for Internet Security (CIS) released its Critical Security Controls, and all healthcare institutions are strongly advised to follow these actions. The CIS Benchmarks are the overwhelming option of choice for auditors worldwide when advising organizations on the adoption of a secure build standard for any governance and security initiative, including PCI DSS, HIPAA, NIST 800-53, SOX, FISMA, ISO/IEC 27002, Gramm-Leach-Bliley and ITIL.

72. Other best cybersecurity practices that are standard in the healthcare industry include installing appropriate malware detection software; monitoring and limiting the network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches and routers; monitoring and protection of physical security systems; protection against any possible communication system; and training staff regarding critical points.

16 https://www.techrepublic.com/article/microsoft-to-hospitals-11-tips-on-how-to-combat-ransomware/ (last visited July 27, 2020).

73. Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework, NIST Special Publications 800-53, 53A, or 800-171; General Accounting Office (GAO) standards; the Federal Risk and Authorization Management Program (FEDRAMP); and the Center for Internet Security's Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness.

DEFENDANT'S CONDUCT VIOLATES HIPAA AND EVIDENCES ITS INSUFFICIENT DATA SECURITY

74. HIPAA requires covered entities to protect against reasonably anticipated threats to the security of sensitive patient health information.

75. Covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Safeguards must include physical, technical, and administrative components.

76. Title II of HIPAA contains what are known as the Administrative Simplification provisions. 42 U.S.C. §§ 1301, et seq. These provisions require, among other things, that the Department of Health and Human Services ("HHS") create rules to streamline the standards for handling PII like the data Defendant left unguarded. The HHS subsequently promulgated multiple regulations under authority of the Administrative Simplification provisions of HIPAA. These rules include 45 C.F.R. § 164.306(a)(1-4); 45 C.F.R. § 164.312(a)(1); 45 C.F.R. § 164.308(a)(1)(i); 45 C.F.R. § 164.308(a)(1)(ii)(D), and 45 C.F.R. § 164.530(b).

77. Defendant's data breach resulted from a combination of insufficiencies that demonstrate it failed to comply with safeguards mandated by HIPAA regulations.

DEFENDANT'S BREACH

78. Defendant breached its obligations to Plaintiffs and Class Members and/or was otherwise negligent and reckless because it failed to properly maintain and safeguard its computer systems and data infrastructure. Defendant's unlawful conduct includes, but is not limited to, its failure to:

a. maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks;

b. adequately protect patients' Private Information;

c. properly monitor its own data security systems for existing intrusions;

d. ensure that vendors with access to Defendant's protected health data employed reasonable security procedures;

e. ensure the confidentiality and integrity of electronic PHI it created, received, maintained, and/or transmitted, in violation of 45 C.F.R. § 164.306(a)(1);

f. implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights, in violation of 45 C.F.R. § 164.312(a)(1);

g. implement policies and procedures to prevent, detect, contain, and correct security violations, in violation of 45 C.F.R. § 164.308(a)(1)(i);

h. implement procedures to review records of information system activity regularly, such as audit logs, access reports, and security incident tracking reports, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D);

i. protect against reasonably anticipated threats or hazards to the security or integrity of electronic PHI, in violation of 45 C.F.R. § 164.306(a)(2);

j. protect against reasonably anticipated uses or disclosures of electronic PHI that are not permitted under the privacy rules regarding individually identifiable health information, in violation of 45 C.F.R. § 164.306(a)(3);

k. ensure compliance with HIPAA security standard rules by Defendant's workforce, in violation of 45 C.F.R. § 164.306(a)(4);

l. train all members of Defendant's workforce effectively on the policies and procedures regarding PHI as necessary and appropriate for the members of their workforces to carry out their functions and to maintain security of PHI, in violation of 45 C.F.R. § 164.530(b); and/or

m. render the electronic PHI it maintained unusable, unreadable, or indecipherable to unauthorized individuals, as it had not encrypted the electronic PHI as specified in the HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key" (45 C.F.R. § 164.304, definition of encryption).

79. As the result of computer systems in need of security upgrading, inadequate procedures for handling emails containing ransomware or other malignant computer code, and inadequately trained employees who opened files containing the ransomware virus, Defendant negligently and unlawfully failed to safeguard Plaintiffs' and Class Members' Private Information.

80. Accordingly, Plaintiffs and Class Members now face an increased risk of fraud and identity theft.

19

D. Ransomware Attacks and Data Breaches Cause Disruption and Put Consumers at an Increased Risk of Fraud and Identity Theft

81. Ransomware attacks also constitute data breaches in the traditional sense. For example, in a recent ransomware attack on the Florida city of Pensacola, and while the City was still recovering from the ransomware attack, the hackers released 2GB of data files from the total 32GB of data that they claimed was stolen prior to encrypting the City's network with ransomware. In the statement given to a news outlet, the hackers said, "This is the fault of mass media who writes that we don't exfiltrate data ...."17

82. Also, in a ransomware advisory, the Department of Health and Human Services informed entities covered by HIPAA that "when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information)."18

83. Ransomware attacks are also considered a breach under the HIPAA Rules because there is an access of PHI not permitted under the HIPAA Privacy Rule:

A breach under the HIPAA Rules is defined as, "...the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI." See 45 C.F.R. § 164.402.19

84. Other security experts agree that when a ransomware attack occurs, a data breach does as well, because such an attack represents a loss of control of the data within a network.

17 https://www.cisomag.com/pensacola-ransomware-hackers-release-2gb-data-as-a-proof/ (last visited July 12, 2020).

18 See https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf (last visited July 12, 2020).

19 See https://onlinelibrary.wiley.com/doi/full/10.1111/1475-6773.13203 (last visited July 12, 2020).

85. Ransomware attacks are also Security Incidents under HIPAA because they impair both the integrity (data is not interpretable) and availability (data is not accessible) of patient health information:

The presence of ransomware (or any malware) on a covered entity's or business associate's computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. See the definition of security incident at 45 C.F.R. 164.304. Once the ransomware is detected, the covered entity or business associate must initiate its security incident and response and reporting procedures. See 45 C.F.R. 164.308(a)(6).20

86. The United States Government Accountability Office released a report in 2007 regarding data breaches ("GAO Report") in which it noted that victims of identity theft will face "substantial costs and time to repair the damage to their good name and credit record."21

87. The FTC recommends that identity theft victims take several steps to protect their personal and financial information after a data breach, including contacting one of the credit bureaus to place a fraud alert (consider an extended fraud alert that lasts for 7 years if someone steals their identity), reviewing their credit reports, contacting companies to remove fraudulent charges from their accounts, placing a credit freeze on their credit, and correcting their credit reports.22

88. Identity thieves use stolen personal information such as Social Security numbers for a variety of crimes, including credit card fraud, phone or utilities fraud, and bank/finance fraud.

20 See https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf (last visited July 12, 2020).

21 See "Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown," p. 2, U.S. Government Accountability Office, June 2007, https://www.gao.gov/new.items/d07737.pdf (last visited July 12) ("GAO Report").

22 See https://www.identitytheft.gov/Steps (last visited July 12, 2020).

89. Identity thieves can also use Social Security numbers to obtain a driver's license or official identification card in the victim's name but with the thief's picture; use the victim's name and Social Security number to obtain government benefits; or file a fraudulent tax return using the victim's information. In addition, identity thieves may obtain a job using the victim's Social Security number, rent a house or receive medical services in the victim's name, and may even give the victim's personal information to police during an arrest resulting in an arrest warrant being issued in the victim's name. A study by Identity Theft Resource Center shows the multitude of harms caused by fraudulent use of personal and financial information:23

Americans' expenses/disruptions as a result of criminal activity in their name (2016)

I had to request government assistance: 29.5%
I had to borrow money: 60.7%
Had to use my savings to pay for expenses: 32.2%
Couldn't qualify for a home loan: 32.8%
I lost my home/place of residence: 31.1%
I couldn't care for my family: 34.4%
Had to rely on family/friends for assistance: 49.2%
Lost out on an employment opportunity: 44.3%
Lost time away from school: 19.7%
Missed time away from work: 55.7%
Was generally inconvenienced: 73.8%
Other: 23%
None of these: [illegible]%

Source: Identity Theft Resource Center, via creditcards.com

23 "Credit Card and ID Theft Statistics" by Jason Steele, 10/24/2017, at: https://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php (last visited July 12, 2020).

90. What's more, theft of Private Information is also gravely serious. PII/PHI is a valuable property right.24 Its value is axiomatic, considering the value of Big Data in corporate America and the consequences of cyber thefts, which include heavy prison sentences. Even this obvious risk-to-reward analysis illustrates beyond doubt that Private Information has considerable market value.

91. Theft of PHI, in particular, is gravely serious: "A thief may use your name or health insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care. If the thief's health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected."25 Drug manufacturers, medical device manufacturers, pharmacies, hospitals and other healthcare service providers often purchase PII/PHI on the black market for the purpose of target marketing their products and services to the physical maladies of the data breach victims themselves. Insurance companies purchase and use wrongfully disclosed PHI to adjust their insureds' medical insurance premiums.

92. It must also be noted there may be a substantial time lag — measured in years — between when harm occurs and when it is discovered, and also between when Private Information and/or financial information is stolen and when it is used. According to the U.S. Government Accountability Office, which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.

See GAO Report, at p. 29.

24 See, e.g., John T. Soma, et al., Corporate Privacy Trend: The "Value" of Personally Identifiable Information ("PII") Equals the "Value" of Financial Assets, 15 Rich. J.L. & Tech. 11, at *34 (2009) ("PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets.") (citations omitted).

25 See Federal Trade Commission, Medical Identity Theft, http://www.consumer.ftc.gov/articles/0171-medical-identity-theft (last visited July 12, 2020).

93. Private Information and financial information are such valuable commodities to identity thieves that once the information has been compromised, criminals often trade the information on the "cyber black-market" for years.

94. As evidenced by NetWalker's public posting of a sample of the stolen data, there is a strong probability that the entirety of the stolen information has been dumped on the black market or will be dumped on the black market, meaning Plaintiffs and Class Members are at an increased risk of fraud and identity theft for many years into the future. Thus, Plaintiffs and Class Members must vigilantly monitor their financial and medical accounts for many years to come.

95. Medical information is especially valuable to identity thieves. According to account monitoring company LogDog, coveted Social Security numbers were selling on the dark web for just $1 in 2016 — the same as a Facebook account. That pales in comparison with the asking price for medical data, which was selling for $50 and up.26

96. Recently, the medical and financial services industries have experienced disproportionately higher numbers of data theft events than other industries. Defendant therefore knew or should have known this and strengthened its data systems accordingly. Defendant was put on notice of the substantial and foreseeable risk of harm from a data breach, yet it failed to properly prepare for that risk.

26 https://nakedsecurity.sophos.com/2019/10/03/ransomware-attacks-paralyze-and-sometimes-crush-hospitals/#content (last visited July 12, 2020).

V. PLAINTIFFS' AND CLASS MEMBERS' DAMAGES

97. To date, Defendant has done absolutely nothing to compensate Class Members for the damages they sustained in the Ransomware Attack. Defendant has merely offered identity monitoring services for a paltry 12 months through ID Experts to patients whose data was stolen. The offer is wholly inadequate as it fails to provide for the fact that victims of Ransomware Attacks and other unauthorized disclosures commonly face multiple years of ongoing identity theft, and it entirely fails to provide any compensation for the unauthorized release and disclosure of Plaintiffs' and Class Members' Private Information. Furthermore, Defendant MHE's credit monitoring offer squarely places the burden on Plaintiffs and Class Members, rather than on the Defendant, to investigate and protect themselves from Defendant's tortious acts resulting in the Ransomware Attack. Rather than automatically enrolling Plaintiffs and Class Members in credit monitoring services upon discovery of the breach, Defendant merely sent instructions to Plaintiffs and Class Members about actions they can affirmatively take to protect themselves.

98. Plaintiffs and Class Members have been damaged by the compromise and exfiltration of their Private Information in the Ransomware Attack.

99. Plaintiffs' Private Information was compromised and exfiltrated by cyber-criminals as a direct and proximate result of the Ransomware Attack.

100. As a direct and proximate result of Defendant's conduct, Plaintiffs and Class Members have been placed at an imminent, immediate, and continuing increased risk of harm from fraud and identity theft.

101. As a direct and proximate result of Defendant's conduct, Plaintiffs and Class Members have been forced to expend time dealing with the effects of the Ransomware Attack.

102. Plaintiffs and Class Members face substantial risk of out-of-pocket fraud losses such as loans opened in their names, medical services billed in their names, tax return fraud, utility bills opened in their names, credit card fraud, and similar identity theft.

103. Plaintiffs and Class Members face substantial risk of being targeted for future phishing, data intrusion, and other illegal schemes based on their Private Information, as potential fraudsters could use that information to more effectively target such schemes to Plaintiffs and Class Members.

104. Plaintiffs and Class Members may also incur out-of-pocket costs for protective measures such as credit monitoring fees, credit report fees, credit freeze fees, and similar costs directly or indirectly related to the Ransomware Attack.

105. Plaintiffs and Class Members also suffered a loss of value of their Private Information when it was acquired by cyber thieves in the Ransomware Attack. Numerous courts have recognized the propriety of loss of value damages in related cases.

106. Plaintiffs and Class Members have spent and will continue to spend significant amounts of time to monitor their financial accounts and records for misuse.

107. Plaintiffs and Class Members have suffered or will suffer actual injury as a direct result of the Ransomware Attack. Many victims suffered ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the Ransomware Attack relating to:

a. finding fraudulent charges;

b. canceling and reissuing credit and debit cards;

c. purchasing credit monitoring and identity theft prevention;

d. addressing their inability to withdraw funds linked to compromised accounts;

e. taking trips to banks and waiting in line to obtain funds held in limited accounts;

f. placing "freezes" and "alerts" with credit reporting agencies;

g. spending time on the phone with or at a financial institution to dispute fraudulent charges;

h. contacting financial institutions and closing or modifying financial accounts;

i. resetting automatic billing and payment instructions from compromised credit and debit cards to new ones;

j. paying late fees and declined payment fees imposed as a result of failed automatic payments that were tied to compromised cards that had to be cancelled; and

k. reviewing and monitoring bank accounts and credit reports for unauthorized activity for years to come.

108. Moreover, Plaintiffs and Class Members have an interest in ensuring that their Private Information, which is believed to remain in the possession of the Defendant, is protected from further breaches by the implementation of security measures and safeguards, including but not limited to, making sure that the storage of data or documents containing personal and financial information is not accessible online and that access to such data is password-protected.

109. Further, as a result of Defendant's conduct, Plaintiffs and Class Members are forced to live with the anxiety that their Private Information — which contains the most intimate details about a person's life — may be disclosed to the entire world, thereby subjecting them to embarrassment and depriving them of any right to privacy whatsoever.

110. As a direct and proximate result of Defendant's actions and inactions, Plaintiffs and Class Members have suffered anxiety, emotional distress, and loss of privacy, and are at an increased risk of future harm.

111. Defendant's delay in identifying and reporting the Ransomware Attack caused additional harm. It is axiomatic that "[t]he quicker a financial institution, credit card issuer, wireless carrier or other service provider is notified that fraud has occurred on an account, the sooner these organizations can act to limit the damage. Early notification can also help limit the liability of a victim in some cases, as well as allow more time for law enforcement to catch the fraudsters in the act."27

112. Indeed, once a Ransomware Attack has occurred, "[o]ne thing that does matter is hearing about a Ransomware Attack quickly. That alerts consumers to keep a tight watch on credit card bills and suspicious emails. It can prompt them to change passwords and freeze credit reports. And notifying officials can help them catch cybercriminals and warn other businesses of emerging dangers. If consumers don't know about a breach because it wasn't reported, they can't take action to protect themselves" (internal citations omitted).28

113. Although their Private Information was improperly compromised on June 6, 2020, and published by the hackers in mid-June, affected consumers were not notified of the Ransomware Attack until July 16, 2020, depriving them of the ability to promptly mitigate potential adverse consequences resulting from the Ransomware Attack.

114. As a result of Defendant's delay in detecting and notifying consumers of the Ransomware Attack, the risk of fraud for Plaintiffs and Class Members has been driven even higher.

VI. CLASS ACTION ALLEGATIONS

115. Plaintiffs bring this action on behalf of themselves and on behalf of all other persons similarly situated (the "Class") pursuant to Rule 2-231 of the Maryland Rules.

116. Plaintiffs propose the following Class definition, subject to amendment as appropriate:

All persons whose Private Information was compromised in the Ransomware Attack, and who were sent Notice of the Ransomware Attack.

117. Excluded from the Class are Defendant's officers and directors, and any entity in which Defendant has a controlling interest; and the affiliates, legal representatives, attorneys, successors, heirs, and assigns of Defendant. Excluded also from the Class are members of the judiciary to whom this case is assigned, their families and members of their staff.

27 Identity Fraud Hits Record High with 15.4 Million U.S. Victims in 2016, Up 16 Percent, According to New Javelin Strategy & Research Study, Business Wire, https://www.businesswire.com/news/home/20170201005166/en/Identity-Fraud-Hits-Record-High-15.4-Million.

28 Consumer Reports, The Ransomware Attack Next Door: Security breaches don't just hit giants like Equifax and Marriott. Breaches at small companies put consumers at risk, too, January 31, 2019, https://www.consumerreports.org/data-theft/the-data-breach-next-door.

successors, heirs, and assigns of Defendant. Excluded also from the Class are Members of the

judiciary to whom this case is assigned, their families and Members of their staff.

118. Plaintiffs hereby reserve the right to amend or modify the class definitions with

greater specificity or division after having had an opportunity to conduct discovery. The proposed

Class meets the criteria for certification under Rule 2-231 of the Maryland Rules.

119. Numerosity. The Members of the Class are so numerous that joinder of all of them

is impracticable. While the exact number of Class Members is unknown to Plaintiffs at this time,

based on information and belief, the Class consists of approximately 47,754 consumers whose data

was compromised in the Ransomware Attack.

120. Commonality. There are questions of law and fact common to the Class, which

predominate over any questions affecting only individual Class Members. These common questions

of law and fact include, without limitation:

a. Whether Defendant unlawfully used, maintained, lost, or disclosed Plaintiffs' and

Class Members' Private Information;

b. Whether Defendant failed to implement and maintain reasonable security

procedures and practices appropriate to the nature and scope of the information

compromised in the Ransomware Attack;

c. Whether Defendant's data security systems prior to and during the Ransomware

Attack complied with applicable data security laws and regulations;

d. Whether Defendant's data security systems prior to and during the Ransomware

Attack were consistent with industry standards;


e. Whether Defendant owed a duty to Class Members to safeguard their Private

Information;

f. Whether Defendant breached its duty to Class Members to safeguard their Private

Information;

g. Whether computer hackers obtained Class Members' Private Information in the

Ransomware Attack;

h. Whether Defendant knew or should have known that their data security systems

and monitoring processes were deficient;

i. Whether Plaintiffs and Class Members suffered legally cognizable damages as a

result of Defendant's misconduct;

j. Whether Defendant's conduct was negligent;

k. Whether Defendant's conduct was per se negligent;

l. Whether the Ransomware Attack constitutes a violation of Maryland's Consumer

Protection Act, § 1301, et seq.;

m. Whether Defendant was unjustly enriched;

n. Whether Defendant failed to provide notice of the Ransomware Attack in a timely

manner; and

o. Whether Plaintiffs and Class Members are entitled to damages, civil penalties,

punitive damages, and/or injunctive relief.

121. Typicality. Plaintiffs' claims are typical of those of other Class Members because

Plaintiffs' Private Information, like that of every other Class member, was compromised in the

Ransomware Attack.


122. Adequacy of Representation. Plaintiffs will fairly and adequately represent and

protect the interests of the Members of the Class. Plaintiffs' Counsel is competent and experienced

in litigating class actions, including data privacy litigation of this kind.

123. Predominance. Defendant has engaged in a common course of conduct toward

Plaintiffs and Class Members, in that all the Plaintiffs' and Class Members' data was stored on the

same computer systems and unlawfully accessed in the same way. The common issues arising

from Defendant's conduct affecting Class Members set out above predominate over any

individualized issues. Adjudication of these common issues in a single action has important and

desirable advantages of judicial economy.

124. Superiority. A class action is superior to other available methods for the fair and

efficient adjudication of the controversy. Class treatment of common questions of law and fact is

superior to multiple individual actions or piecemeal litigation. Absent a class action, most Class

Members would likely find that the cost of litigating their individual claims is prohibitively high

and would therefore have no effective remedy. The prosecution of separate actions by individual

Class Members would create a risk of inconsistent or varying adjudications with respect to

individual Class Members, which would establish incompatible standards of conduct for

Defendant. In contrast, the conduct of this action as a class action presents far fewer management

difficulties, conserves judicial resources and the parties' resources, and protects the rights of each

Class member.

125. Defendant has acted on grounds that apply generally to the Class as a whole, so that

class certification, injunctive relief, and corresponding declaratory relief are appropriate on a

Class-wide basis.


126. Finally, all members of the proposed Class are readily ascertainable. Defendant has

access to Class Members' names and addresses affected by the Ransomware Attack. Class

Members have already been preliminarily identified and sent notice of the Ransomware Attack by

Defendant.

CAUSES OF ACTION

FIRST COUNT Negligence

(On Behalf of Plaintiffs and All Class Members)

127. Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 126 above

as if fully set forth herein.

128. Defendant required Plaintiffs and Class Members to submit non-public personal

information in order to obtain medical services.

129. By collecting and storing this data in Defendant's computer property, and sharing

and using it for commercial gain, Defendant had a duty of care to use reasonable means to secure

and safeguard their computer property—and Class Members' Private Information held within it—

to prevent disclosure of the information, and to safeguard the information from theft. Defendant's

duty included a responsibility to implement processes by which they could detect a breach of their

security systems in a reasonably expeditious period of time and to give prompt notice to those

affected in the case of a ransomware attack.

130. Defendant owed a duty of care to Plaintiffs and Class Members to provide data

security consistent with industry standards and other requirements discussed herein, and to ensure

that their systems and networks, and the personnel responsible for them, adequately protected the

Private Information.


131. Defendant's duty of care to use reasonable security measures arose as a result of

the special relationship that existed between Defendant and its patients, which is recognized by

laws and regulations including but not limited to HIPAA, as well as common law. Defendant was

in a position to ensure that its systems were sufficient to protect against the foreseeable risk of

harm to Class Members from a ransomware attack or data breach.

132. Defendant's duty to use reasonable security measures under HIPAA required

Defendant to "reasonably protect" confidential data from "any intentional or unintentional use or

disclosure" and to "have in place appropriate administrative, technical, and physical safeguards to

protect the privacy of protected health information." 45 C.F.R. § 164.530(c)(1). Some or all of the

medical information at issue in this case constitutes "protected health information" within the

meaning of HIPAA.

133. Pursuant to HIPAA, 42 U.S.C. § 1302d, et seq., Defendant had a duty to implement

reasonable safeguards to protect Plaintiffs' and Class Members' Private Information.

134. Pursuant to HIPAA, Defendant had a duty to render the electronic PHI they

maintained unusable, unreadable, or indecipherable to unauthorized individuals, as specified in the

HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which

there is a low probability of assigning meaning without use of a confidential process or key." See

definition of encryption at 45 C.F.R. § 164.304.

135. In addition, Defendant had a duty to employ reasonable security measures under

Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits "unfair . . .

practices in or affecting commerce," including, as interpreted and enforced by the FTC, the unfair

practice of failing to use reasonable measures to protect confidential data.


136. Pursuant to the Federal Trade Commission Act, 15 U.S.C. § 45, Defendant had a

duty to provide fair and adequate computer systems and data security practices to safeguard

Plaintiffs' and Class Members' Private Information.

137. Pursuant to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, Defendant had a duty

to protect the security and confidentiality of Plaintiffs' and Class Members' Private Information.

138. Defendant breached its duties to Plaintiffs and Class Members under the Federal

Trade Commission Act, HIPAA, and the Gramm-Leach-Bliley Act by failing to provide fair,

reasonable, or adequate computer systems and data security practices to safeguard Plaintiffs' and

Class Members' Private Information.

139. Defendant's failure to comply with applicable laws and regulations is evidence of

its negligence.

140. Defendant's duty to use reasonable care in protecting confidential data arose not

only as a result of the statutes and regulations described above, but also because Defendant is

bound by industry standards to protect confidential Private Information.

141. Defendant breached its duties, and thus was negligent, by failing to use reasonable

measures to protect Class Members' Private Information. The specific negligent acts and

omissions committed by Defendant include, but are not limited to, the following:

a. Failing to adopt, implement, and maintain adequate security measures to safeguard

Class Members' Private Information;

b. Failing to adequately monitor the security of their networks and systems;

c. Failure to periodically ensure that their email system had plans in place to maintain

reasonable data security safeguards;


d. Allowing unauthorized access to Class Members' Private Information;

e. Failing to detect in a timely manner that Class Members' Private Information had

been compromised; and

f. Failing to timely notify Class Members about the Ransomware Attack so that they

could take appropriate steps to mitigate the potential for identity theft and other damages.

142. It was foreseeable that Defendant's failure to use reasonable measures to protect

Class Members' Private Information would result in injury to Class Members. Further, the breach

of security was reasonably foreseeable given the known high frequency of cyberattacks and data

breaches in both the financial services and medical industry.

143. It was therefore foreseeable that the failure to adequately safeguard Class Members'

Private Information would result in one or more types of injuries to Class Members.

144. Plaintiffs and Class Members are entitled to compensatory and consequential

damages suffered as a result of the Ransomware Attack.

145. Defendant's negligent conduct is ongoing, in that it still holds the Private

Information of Plaintiffs and Class Members in an unsafe and unsecure manner, and has not

reported securing its servers that were breached in the Ransomware Attack (as evidenced by the

data posted publicly online by the ransomware gang). Plaintiffs and Class Members are also

entitled to injunctive relief requiring Defendant to (i) strengthen its data security systems and

monitoring procedures; (ii) submit to future annual audits of those systems and monitoring

procedures; and (iii) continue to provide adequate credit monitoring to all Class Members.


SECOND COUNT Breach of Express Contract

(On Behalf of Plaintiffs and All Class Members)

146. Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 126

above as if fully set forth herein.

147. Plaintiffs and Class Members allege that they entered into valid and enforceable

express contracts with Defendant.

148. The valid and enforceable express contracts that Plaintiffs and Class Members

entered into with Defendant include Defendant's promise to protect nonpublic personal

information given to Defendant or that Defendant gathers on its own from disclosure.

149. Under these express contracts, Defendant and/or affiliated healthcare providers,

promised and were obligated to: (a) provide healthcare to Plaintiffs and Class Members; and (b)

protect Plaintiffs and the Class Members' PII/PHI: (i) provided to obtain such healthcare; and/or

(ii) created as a result of providing such healthcare. In exchange, Plaintiffs and Class Members

agreed to pay money for these services, and to turn over their Private Information.

150. Both the provision of healthcare and the protection of Plaintiffs' and Class

Members' PII/PHI were material aspects of these contracts.

151. At all relevant times, Defendant expressly represented in its Privacy Policy that it

would, among other things: (A) protect patients' medical information; (B) keep medical

information private; (C) give notice of Defendant's legal duties and privacy practices with respect

to medical information about patients, (D) follow the terms of the privacy notice that is currently

in effect; (E) to make any other uses and disclosures of medical information not covered by the


Privacy Notice or the laws that apply to use only with written permission; and (F) notify patients

in the event of a breach of unsecured medical information.

152. Defendant's express representations, including, but not limited to, express

representations found in Defendant's Privacy Policy, formed an express contract requiring

Defendant to implement data security adequate to safeguard and protect the privacy of Plaintiffs'

and Class Members' PII/PHI.

153. Consumers of healthcare value their privacy, the privacy of their dependents, and

the ability to keep their PII/PHI associated with obtaining healthcare private. To customers such

as Plaintiffs and Class Members, healthcare that does not adhere to industry standard data security

protocols to protect PII/PHI is fundamentally less useful and less valuable than healthcare that

adheres to industry-standard data security. Plaintiffs and Class Members would not have entered

into these contracts with Defendant without an understanding that their PII/PHI would be

safeguarded and protected.

154. A meeting of the minds occurred, as Plaintiffs and Class Members provided their

PII/PHI to Defendant and paid for the provided healthcare in exchange for, amongst other things,

protection of their PII/PHI.

155. Plaintiffs and Class Members performed their obligations under the contract when

they paid for their health care services and provided their PII/PHI.

156. Defendant materially breached its contractual obligation to protect the nonpublic

personal information Defendant gathered when the information was accessed and exfiltrated by

unauthorized personnel as part of the Ransomware Attack.


157. Defendant materially breached the terms of these express contracts, including, but

not limited to, the terms stated in the Privacy Policy. Defendant did not maintain the privacy of

Plaintiffs' and Class Members' PII/PHI as evidenced by MHE's disclosure of the Ransomware

Attack. Specifically, Defendant did not comply with industry standards, or otherwise protect

Plaintiffs' and the Class Members' PII/PHI, as set forth above.

158. The Ransomware Attack was a reasonably foreseeable consequence of Defendant's

actions in breach of these contracts.

159. As a result of Defendant's failure to fulfill the data security protections promised

in these contracts, Plaintiffs and Class Members did not receive the full benefit of the bargain, and

instead received healthcare and other services that were of a diminished value to that described in

the contracts. Plaintiffs and Class Members therefore were damaged in an amount at least equal

to the difference in the value of the healthcare with data security protection they paid for and the

healthcare they received.

160. Had Defendant disclosed that its data security was inadequate or that it did not

adhere to industry-standard security measures, neither the Plaintiffs, the Class Members, nor any

reasonable person would have purchased healthcare from Defendant.

161. As a direct and proximate result of the Ransomware Attack, Plaintiffs and Class

Members have been harmed and have suffered, and will continue to suffer, actual damages and

injuries, including without limitation the release, disclosure, and publication of their PII/PHI, the

loss of control of their PII/PHI, the imminent risk of suffering additional damages in the future,

disruption of their medical care and treatment, out-of-pocket expenses, and the loss of the benefit

of the bargain they had struck with Defendant.


162. Plaintiffs and Class Members are entitled to compensatory and consequential

damages suffered as a result of the Ransomware Attack.

THIRD COUNT Breach of Implied Contract

(On Behalf of Plaintiffs and All Class Members)

163. Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 126

above as if fully set forth herein.

164. When Plaintiffs and Class Members provided their Private Information to

Defendant in exchange for Defendant's services, they entered into implied contracts with

Defendant pursuant to which Defendant agreed to reasonably protect such information.

165. Defendant solicited, offered, and invited Class Members to provide their Private

Information as part of Defendant's regular business practices. Plaintiffs and Class Members

accepted Defendant's offers and provided their Private Information to Defendant.

166. In entering into such implied contracts, Plaintiffs and Class Members reasonably

believed and expected that Defendant's data security practices complied with relevant laws and

regulations, including HIPAA, and were consistent with industry standards.

167. Class Members who paid money to Defendant reasonably believed and expected

that Defendant would use part of those funds to obtain adequate data security. Defendant failed to

do so.

168. Plaintiffs and Class Members would not have entrusted their Private Information to

Defendant in the absence of the implied contract between them and Defendant to keep their

information reasonably secure.


169. Plaintiffs and Class Members would not have entrusted their Private Information to

Defendant in the absence of their implied promise to monitor their computer systems and networks

to ensure that they adopted reasonable data security measures.

170. Plaintiffs and Class Members fully and adequately performed their obligations

under the implied contracts with Defendant.

171. Defendant breached its implied contracts with Class Members by failing to

safeguard and protect their Private Information.

172. As a direct and proximate result of Defendant's breach of the implied contracts,

Class Members sustained damages as alleged herein.

173. Plaintiffs and Class Members are entitled to compensatory and consequential

damages suffered as a result of the Ransomware Attack.

174. Plaintiffs and Class Members are also entitled to injunctive relief requiring

Defendant to, e.g., (i) strengthen its data security systems and monitoring procedures; (ii) submit

to future annual audits of those systems and monitoring procedures; and (iii) immediately provide

adequate credit monitoring to all Class Members.

FOURTH COUNT Breach of Fiduciary Duty

(On Behalf of Plaintiffs and All Class Members)

175. Plaintiffs re-allege and incorporate by reference Paragraphs 1 through 126

above as if fully set forth herein.

176. At all times during Plaintiffs' and Class Members' interactions with Defendant,

Defendant was fully aware of the confidential and sensitive nature of Plaintiffs' and Class

Members' Private Information that Plaintiffs and Class Members provided to Defendant.


177. As alleged herein and above, Defendant's relationship with Plaintiffs and Class

Members was governed by terms and expectations that Plaintiffs' and Class Members' Private

Information would be collected, stored, and protected in confidence, and would not be disclosed

to unauthorized third parties.

178. Plaintiffs and Class Members provided their respective Private Information to

Defendant with the explicit and implicit understandings that Defendant would protect and not

permit the Private Information to be disseminated to any unauthorized parties.

179. Plaintiffs and Class Members also provided their Private Information to Defendant

with the explicit and implicit understandings that Defendant would take precautions to protect that

Private Information from unauthorized disclosure, such as following basic principles of protecting

its networks and data systems.

180. Defendant voluntarily received in confidence Plaintiffs' and Class Members'

Private Information with the understanding that Private Information would not be disclosed or

disseminated to the public or any unauthorized third parties.

181. In light of the special relationship between Defendant and Plaintiffs and Class

Members, whereby Defendant became guardians of Plaintiffs' and Class Members' Private

Information, Defendant became a fiduciary by their undertaking and guardianship of the Private

Information, to act primarily for Plaintiffs and Class Members, (1) for the safeguarding of

Plaintiffs' and Class Members' Private Information; (2) to timely notify Plaintiffs and Class

Members of a Ransomware Attack and disclosure; and (3) to maintain complete and accurate

records of what information (and where) Defendant did and does store.


182. Defendant has a fiduciary duty to act for the benefit of Plaintiffs and Class Members

upon matters within the scope of Defendant's relationship with its patients, in particular, to keep

secure their Private Information.

183. Defendant breached its fiduciary duties to Plaintiffs and Class Members by failing

to diligently discover, investigate, and give notice of the Ransomware Attack in a reasonable and

practicable period of time.

184. Defendant breached its fiduciary duties to Plaintiffs and Class Members by failing

to encrypt and otherwise protect the integrity of the systems containing Plaintiffs' and Class

Members' Private Information.

185. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

failing to timely notify and/or warn Plaintiffs and Class Members of the Ransomware Attack.

186. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

failing to ensure the confidentiality and integrity of electronic PHI Defendant created, received,

maintained, and transmitted, in violation of 45 C.F.R. § 164.306(a)(1).

187. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

failing to implement technical policies and procedures for electronic information systems that

maintain electronic PHI to allow access only to those persons or software programs that have been

granted access rights in violation of 45 C.F.R. § 164.312(a)(1).

188. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

failing to implement policies and procedures to prevent, detect, contain, and correct security

violations, in violation of 45 C.F.R. § 164.308(a)(1).


189. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

failing to identify and respond to suspected or known security incidents and to mitigate, to the

extent practicable, harmful effects of security incidents that are known to the covered entity in

violation of 45 C.F.R. § 164.308(a)(6)(ii).

190. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

failing to protect against any reasonably-anticipated threats or hazards to the security or integrity

of electronic PHI in violation of 45 C.F.R. § 164.306(a)(2).

191. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

failing to protect against any reasonably anticipated uses or disclosures of electronic PHI that are

not permitted under the privacy rules regarding individually identifiable health information in

violation of 45 C.F.R. § 164.306(a)(3).

192. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

failing to ensure compliance with the HIPAA security standard rules by their workforces in

violation of 45 C.F.R. § 164.306(a)(94).

193. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

impermissibly and improperly using and disclosing PHI that is and remains accessible to

unauthorized persons in violation of 45 C.F.R. § 164.502, et seq.

194. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

failing to effectively train all Members of their workforces (including independent contractors) on

the policies and procedures with respect to PHI as necessary and appropriate for the Members of

their workforces to carry out their functions and to maintain security of PHI in violation of 45

C.F.R. § 164.530(b) and 45 C.F.R. § 164.308(a)(5).


195. Defendant breached its fiduciary duties owed to Plaintiffs and Class Members by

failing to design, implement, and enforce policies and procedures establishing physical and

administrative safeguards to reasonably safeguard PHI, in compliance with 45 C.F.R. §

164.530(c).

196. Defendant breached its fiduciary duties to Plaintiffs and Class Members by

otherwise failing to safeguard Plaintiffs' and Class Members' Private Information.

197. As a direct and proximate result of Defendant's breaches of its fiduciary duties,

Plaintiffs and Class Members have suffered and will suffer injury, including but not limited to: (i)

actual identity theft; (ii) the compromise, publication, and/or theft of their Private Information;

(iii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity

theft and/or unauthorized use of their Private Information; (iv) lost opportunity costs associated

with effort expended and the loss of productivity addressing and attempting to mitigate the actual

and future consequences of the Ransomware Attack, including but not limited to efforts spent

researching how to prevent, detect, contest, and recover from identity theft; (v) the continued risk

to their Private Information, which remains in Defendant's possession and is subject to further

unauthorized disclosures so long as Defendant fails to undertake appropriate and adequate measures

to protect the Private Information in their continued possession; (vi) future costs in terms of time,

effort, and money that will be expended as result of the Ransomware Attack for the remainder of

the lives of Plaintiffs and Class Members; and (vii) the diminished value of Defendant's services

they received. As a direct and proximate result of Defendant's breaches of their fiduciary duties,

Plaintiffs and Class Members have suffered and will continue to suffer other forms of injury and/or

harm, and other economic and non-economic losses.


FIFTH COUNT Violation of Maryland's Consumer Protection Act

(On Behalf of Plaintiffs and All Class Members)

198. Plaintiffs repeat and re-allege each and every allegation contained in Paragraphs 1

through 126 as if fully set forth herein.

199. This cause of action is brought pursuant to the Maryland Consumer Protection Act,

§ 13-101, et seq. and the Maryland Personal Information Protection Act, § 14-3501, et seq.

200. The purpose of the Maryland Consumer Protection Act is "to set certain minimum

statewide standards for the protection of consumers across the State [of] [Maryland]."

201. The Maryland Personal Information Protection Act was implemented to, among

other things, "[t]o protect personal information from unauthorized access, use, modification, or

disclosure...of an individual residing in the State [of] [Maryland]."

202. A violation of the Maryland Personal Information Protection Act "is an unfair or

deceptive trade practice."

203. Defendant has violated the Maryland Personal Information Protection Act and, by

extension, the Maryland Consumer Protection Act by engaging in the conduct alleged herein.

204. Independently, Defendant has violated the Maryland Consumer Protection Act by

engaging in the unfair and deceptive practices alleged herein. Pursuant to HIPAA (42 U.S.C. §

1302d et seq.), the FTCA, and Maryland law, Defendant was required by law, but failed, to

maintain adequate and reasonable data and cybersecurity measures to maintain the security and

privacy of Plaintiffs' and Class Members' Private Information. This constitutes a violation of

Maryland's Consumer Protection Act.


205. The damages suffered by Plaintiffs and Class Members were directly and

proximately caused by the deceptive, misleading and unfair practices of Defendant, as described

above.

206. Plaintiffs and Class Members seek declaratory judgment that Defendant's data

security practices were not reasonable or adequate and caused the Ransomware Attack under the

Maryland CPA, as well as injunctive relief enjoining the above described wrongful acts and

practices of Defendant MHE and requiring Defendant MHE to employ and maintain industry

accepted standards for data management and security, including, but not limited to, proper

segregation, access controls, password protection, encryption, intrusion detection, secure

destruction of unnecessary data, and penetration testing.

207. Additionally, Plaintiffs and Class Members make claims for actual damages,

attorneys' fees and costs.

PRAYER FOR RELIEF

WHEREFORE, Plaintiffs pray for judgment as follows:

a. For an Order certifying this action as a class action and appointing Plaintiffs and

their counsel to represent the Class;

b. For equitable relief enjoining Defendant from engaging in the wrongful conduct

complained of herein pertaining to the misuse and/or disclosure of Plaintiffs' and Class

Members' Private Information, and from refusing to issue prompt, complete and accurate

disclosures to Plaintiffs and Class Members;


c. For equitable relief compelling Defendant to utilize appropriate methods and

policies with respect to consumer data collection, storage, and safety, and to disclose with

specificity the type of Private Information compromised during the Ransomware Attack;

d. For equitable relief requiring restitution and disgorgement of the revenues

wrongfully retained as a result of Defendant's wrongful conduct;

e. Ordering Defendant to pay for not less than seven years of credit monitoring

services for Plaintiffs and the Class;

f. For an award of actual damages, compensatory damages, statutory damages, and

statutory penalties, in an amount to be determined, as allowable by law;

g. For an award of punitive damages, as allowable by law;

h. For an award of attorneys' fees and costs, and any other expense, including expert

witness fees;

i. Pre- and post-judgment interest on any amounts awarded; and

j. Such other and further relief as this court may deem just and proper.

JURY TRIAL DEMANDED

Plaintiffs demand a trial by jury on all claims so triable.


Dated: July 30, 2020 Respectfully submitted,

/s/ Gary E. Mason

Gary E. Mason (Md. Bar No. 15033) (ID 0106080003)

David K. Lietz*

MASON LIETZ & KLINGER LLP

5301 Wisconsin Avenue, NW, Suite 305

Washington, DC 20016

Tel: (202) 429-2290

Email: [email protected]

Email: [email protected]

Attorneys for Plaintiffs

*Pro hac vice forthcoming
