Case Background
This civil litigation originated in the Superior Court of Los Angeles County, where Plaintiff Carli Rodriguez filed a class action lawsuit against the City of Hope. The central legal dispute revolved around a significant data security incident that occurred between September and October 2023, in which cybercriminals infiltrated the medical center's network. The Plaintiff sought to hold the organization accountable for its alleged failure to safeguard the sensitive personal and health information of over 800,000 individuals and for waiting nearly six months to notify the victims of the breach.
Cause
The legal conflict stemmed from a significant cybersecurity incident that targeted the City of Hope, a prominent medical treatment and research organization. Between September 19, 2023, and October 12, 2023, unauthorized third parties infiltrated the medical center's computer systems. The lawsuit alleged that cybercriminals had accessed and copied sensitive files containing the personal and medical information of numerous patients and employees. Although the City of Hope discovered the suspicious activity on October 13, 2023, the organization did not begin notifying affected individuals until April 2, 2024, nearly six months later. Carli Rodriguez, the representative Plaintiff, initiated the class action, asserting that the organization had failed to implement adequate security measures to prevent such an intrusion.
Injury
The breach exposed highly sensitive data belonging to Rodriguez and approximately 800,000 other individuals. The compromised information included names, email addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, and financial details such as bank account and credit card information. Furthermore, the hackers accessed private medical records, health insurance information, and medical history. Rodriguez claimed that this exposure caused her and the class members to suffer from a loss of privacy and a diminution in the value of their personal data. She also reported an increase in spam emails and significant anxiety regarding the potential for identity theft. The victims were forced to spend valuable time verifying the breach's impact, exploring credit monitoring options, and mitigating the risk of future fraud.
Damages Sought
The Plaintiff sought a variety of financial and equitable remedies to address the harm caused by the data breach. Rodriguez requested actual damages to compensate for the theft of personal information and the time lost dealing with the aftermath. She also pursued statutory damages under the Confidentiality of Medical Information Act and punitive damages to punish the Defendant for its alleged recklessness. Beyond monetary compensation, the lawsuit demanded restitution for any unjust enrichment the Defendant had gained by failing to spend appropriate funds on data security. Additionally, the Plaintiff sought injunctive relief, asking the Court to order the City of Hope to implement a comprehensive information security program, engage third-party auditors, and encrypt all collected data to prevent future occurrences.
Key Arguments and Proceedings
Legal Representation
Plaintiff(s): Carli Rodriguez, individually and on behalf of all others similarly situated
Counsel for Plaintiff(s): Daniel Srourian | Jason Wucetich | Dimitros V. Korovilas | Jeff S. Westerman | Samuel M. Ward | Andrew Gunem | Raina C. Borrelli | Berry Michael Anderson | Stephen R. Basser
Defendant(s): City of Hope, a California Corporation, and Does 1 through 100
Counsel for Defendant(s): Jeffrey A. Levee | Vogt John Alexander
Key Arguments or Remarks by Counsel
Claims
The legal team for Carli Rodriguez constructed a multi-faceted argument centered on the assertion that the City of Hope had neglected its fundamental duty to protect patient data. They presented seven specific causes of action to support their demand for accountability.
Negligence and Duty of Care Counsel argued that the City of Hope owed a duty of care to its patients and employees to safeguard their personal and medical information using commercially reasonable methods. They contended that the Defendant knew, or should have known, that its data systems were vulnerable to attack, especially given the prevalence of high-profile cyberattacks in the healthcare industry. The Plaintiff asserted that the organization had breached this duty by failing to maintain adequate computer systems, failing to encrypt data properly, and failing to detect the breach quickly.
Breach of Contract The lawsuit alleged that an implied contract existed between the patients and the medical center. By requiring patients to provide sensitive information as a condition of receiving care, the City of Hope had implicitly agreed to keep that information secure. The Plaintiff’s attorneys argued that the organization breached this contract when it failed to protect the data and subsequently failed to provide timely notice of the breach. For employees, the complaint asserted a similar breach of express contract related to their employment agreements.
Privacy Violations A significant portion of the argument focused on the violation of privacy rights. The legal team claimed that the City of Hope violated the Confidentiality of Medical Information Act (CMIA) by allowing unauthorized persons to view medical information without consent. They further argued that the Defendant had intruded upon the seclusion of the class members by maintaining a system so vulnerable that it effectively invited public exposure of private lives. This exposure was described as highly offensive to a reasonable person and a violation of social norms.
Unfair Business Practices Counsel contended that the Defendant’s failure to implement robust security measures constituted an unfair business practice under California law. They argued that by not spending the necessary funds on data security, the City of Hope gained an unfair competitive advantage over other institutions that did comply with the law. The Plaintiff claimed that the organization deceived consumers by concealing the inadequacies of its security systems.
Defense
While the specific defense filing was not included in the review, the context of such litigation typically involves a vigorous denial of liability. In similar proceedings, Defendants often argue that they implemented reasonable security measures and that the criminal acts of sophisticated cyber-hackers were the sole cause of the breach. The City of Hope likely contended that it had no intention of allowing the data theft and that it acted diligently once the breach was discovered. The notice letter sent to patients indicated that upon discovery, the organization immediately instituted mitigation measures, enlisted a leading cybersecurity firm, and reported the incident to law enforcement. They would have likely argued that these actions demonstrated a responsible reaction to a criminal event rather than negligence.
Settlement
The Court approved the class action settlement between the Plaintiffs and City of Hope and entered final judgment on February 20, 2026. It found that the settlement class was properly certified for settlement purposes, that the notice program met legal requirements, and that the settlement was fair, reasonable, and adequate under California law.
The Court said the case settled after arm’s-length negotiations overseen by mediator Hon. Jay C. Gandhi (Ret.), and it noted that City of Hope denied any wrongdoing or liability. It also found that no class members objected to the settlement, while 97 class members requested exclusion.
The order approved $4,000 service awards for each representative Plaintiff, $2,833,333 in attorneys’ fees, $45,552.29 in litigation expenses, and administration expenses currently listed at $641,885.84 plus an additional estimated $125,934.56, for an approximate total of $767,820.40 to Kroll from the settlement fund. It also said that, on the effective date, the Plaintiff and settlement class members released City of Hope and the released persons from the released claims, and they were barred from bringing those claims again.
The Court defined the released claims broadly as claims arising from or related to the data security incident, but it said the release did not extend to medical malpractice claims or claims related to the provision of medical care by City of Hope. It also kept jurisdiction over settlement-related matters and said the order was intended to be a final and immediately appealable disposition of the case.
Court documents are available upon request at [email protected]
