A Pennsylvania resident (“Plaintiff”) has filed a class action complaint (the “Complaint”) in the United States District Court for the Central District of California against Sunshine Behavioral Health Group LLC (“Sunshine Behavioral”), which operates drug and alcohol addiction rehabilitation centers. The Complaint alleges, among other things, violations of the California Consumer Protection Act (Cal. Civ. Code § 1798.100, et seq.) (“CCPA”) in connection with a September 2019 data breach. The complaint alleges that Sunshine Behavioral violated the CCPA by exposing class members’ personal and health information because of a failure to “implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information.” Plaintiff seeks injunctive relief enjoining further violation of the CCPA, as well as potential “actual, punitive, and statutory damages[.]” The Complaint further alleges that, although Sunshine Behavioral was made aware of the data breach in September 2019, it failed to provide affected individuals and the California Attorney General notice of the breach until January 21, 2020.
The CCPA offers a limited private right of action to consumers “whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure” resulting from a failure to implement reasonable security measures. Except for specific pecuniary damages, however, plaintiffs may only seek damages after notifying defendant of the purported violation and allowing 30 days to cure the violation.