A successful phishing attempt against a diabetes medical supply company has led to a putative class action lawsuit filed against the company.

A lawsuit by customers of Chula Vista, California-based Solara Medical Supplies LLC charges the company waited four months to notify consumers of a breach. 

Solara reported to the U.S. Department of Health and Human Services that data on more than 114,000 individuals was affected, according to the HHS website. 

A Solara official said, however, the perpetrator’s intent was to obtain the company’s banking funds, which was successful.

Solara said in a Nov. 13 press release that it learned on June 28, 2019, that as a result of a phishing email campaign, personal information including Social Security and credit card numbers may have been accessed between April 2, 2019, and June 20, 2019.

The lawsuit in the case, Juan Maldonado v. Solara Medical Supplies LLC, which was filed in U.S. District Court in Los Angeles last week, states that “despite knowing many patients were in danger, defendant did nothing to warn Breach Victims until over four months later. During this time, the cyber criminals had free reign to defraud their unsuspecting victims.

“Solara apparently chose to complete its internal investigation and develop its excuses and speaking points before giving class members the information they needed to protect themselves against fraud and identity theft,” said the complaint.

It said breach victims have had fraudulent charges on various financial accounts.

The lawsuit charges also that Solara failed to adequately safeguard its customers’ personal and medical information and to spend sufficient resources on monitoring external incoming emails and training its employees to identify and defend against email threats.

The lawsuit, which seeks “appropriate monetary relief” states that “Since the Data Breach, defendant has announced few if any changes to their data security infrastructure, processes or procedures to fix the vulnerabilities in their computer systems and/or security practices which permitted the Data Breach to occur and go undetected for  months, and thereby, prevent further attacks.”

Marty Hoffman, Solara’s vice president of compliance and legal, said in a statement, “The cybersecurity incident was a sophisticated financial crime perpetrated against Solara with the specific intent to steal Solara’s banking funds. In an abundance of caution, we notified individuals whose information could also have been at risk during the attack.”

In response to emails, he said, the attempt was successful, but did not provide additional details. “This is an ongoing federal law enforcement investigation that should not be jeopardized,” he said, in a follow-up statement.

Plaintiff attorney William B. Federman, of Federman & Sherwood in Oklahoma City, said, “Our clients have suffered damages which we believe ties directly” to Solara’s negligence.

He said, “If the company’s accurate in what they believe is an extremely limited scope intrusion on their system, it still doesn’t forgive the fact that there was an intrusion into their system” and he would like it to disclose the results of its internal investigation of the matter.

A federal district court has refused to approve an agreed-upon class action settlement of $60,000 in a cyber case where personal information was inadvertently released because there was no evidence of injury.