Class action litigation has been pending for nearly a year against Berkshire Hathaway Homestate Insurance Company, its wholly owned subsidiary Cypress Insurance Company, Zenith Insurance Company, the defense lawfirm of Knox Ricksen, LLP, and others.alleging that the defendants illegally “hacked” confidential information about workers’ compensation claimants to use to defend claims pending before the WCAB. This month a second class action has been filed in federal court against essentially the same parties. The new case has received some media attention. However, it does not seem that the second case adds anything new to the factual basis for the first alleged case.
The first federal case was filed by Hector Casillas in June 2015. His second amended complaint was filed in March 2016. He files this as a class action pursuant Federal Rule of Civil Procedure 23. He alleges he was a client of the law firm of Reyes & Barsoum LLP to litigate a worker’s compensation claim.
One of the defendants, Palmdale based HQSU Sign Up Services, Inc. is the centerpiece of the compromised data. HQSU is allegedly paid a pre-negotiated flat fee to provide “administrative services” for clients unable to come to an attorney’s office due to physical, financial, or transportation limitations, and to.assist attorneys signing a retainer agreement and filling out an In-Take Packet with personal information. HQSU then uploads the documents to its allegedly username and password-protected website. Attorneys using this service upload and download other documents to HQSU servers. Casillas alleges that HQSU failed to provide adequate or responsible protections against unlawful access and failed to report the hacking activity so it is sued in the class action along with the carriers.
The alleged “hacking” of the HQSU files was first suspected during an in-chambers hearing in a worker’s compensation case before Presiding Judge Paige Levy. The case was being defended by Knox Ricksen. Knox Ricksen’s attorneys allegedly revealed they had Mr. Casillas’ attorney-privileged In-Take Packet. The attorney first allegedly responded to questions by Judge Levy that it was obtained from the HQSU “website” but later said he did “not know” where it came from. Levy ruled it was attorney client privileged and ordered it to be returned.
Allegedly the downloading of documents from HQ Sign Up compromised approximately 32,500 intake sheets, in addition to the Casillas documents. Plaintiff’s experts have allegedly discovered that the documents were obtained by a “directory traversal attack.” Directory traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server’s root directory. On the other hand, Zenith has argued HQSU intake packet materials were obtained using a Google search of the claimant’s name and thus “were found in the public domain.”
In a motion by Zenith to be dismissed, it’s attorneys claim that the case was before Judge Levy because “Knox petitioned the WCAB for an order allowing certain discovery that Knox asserted may show that a “runner” or “capper” had procured Casillas as a Reyes client and Casillas had fabricated or exaggerated his claimed injuries. Reyes opposed, arguing that the discovery was derived from attorney-client privileged information contained in Reyes’s “In-Take Packet” for Casillas. (One would assume from this motion that Zenith believed HQSU Sign Up Services was suspected of running and capping injury cases for lawyers). In any event Zenith was not involved in the Casillas workers’ compensation case and asks to be dismissed.
Another motion recently filed by defendants seeks to strike the class action allegations claiming Casillas violated Central District local rule 23-3 which requires a motion for class certification to be filed “[w]ithin 90 days after service of a pleading purporting to commence a class action” which expired last October. Casillias replied that the local rule is discretionary, and asks for more time.
An now a second federal complaint has been filed by Adela Gonzalez seeking class action status against the same carriers and others. Gonzalez was also a client of Reyes & Barsoum LLP in connection with a workers’ compensation claim. The facts of the second case are essentially similar to the Casillas second amended complaint. Nothing new is alleged what was not previously claimed. The second case is in its infancy, and no responsive documents have yet been filed by any defendants. Gonzalez does not specifically allege how her case was compromised other than as part of the entire scheme.
At the moment, the controversy seems to essentially be a claim by a client of an applicant lawfirm that approximately 33,000 “In-Take Packets” completed by HQSU Sign Up Services, Inc. were “hacked” by a conspiracy of insurance carriers using a “a directory traversal attack” to download these confidential records that were protected by attorney client privilege from HQSU in violation of law.
On the other hand, the defendants suspect and claim that HQSU was really a runner or capper organization soliciting injury claimants for lawfirms, and that they had approximately 33,000 records of litigants on an insecure website that Google regularly indexed. A Google search of any of the claimants by name in these records would lead to file on the HQSU website that could be downloaded by anyone without hacking anything and thus were in the “public domain.” Since HQSU is a party to this case, no doubt discovery will prove or disprove its status as a runner or capper organization.