Elk Grove medical school facing another lawsuit. This time for a data breach

Theresa Clift
·3 min read
3

A medical school planning to build a $1 billion Natomas hospital using a city of Sacramento financial incentive is facing another lawsuit.

California Northstate University, an Elk Grove-based for-profit medical school, is being sued by a former professor alleging that the university was at fault for a major 2023 data breach.

The lawsuit, filed April 29 in federal court, alleged that a ransomware group in February 2023 stole W-2 tax forms from former professor Erika Titus-Lay as well as from thousands of former and current employees and students. The lawsuit alleged Titus’ W-2 was published on the dark web, and that cybercriminals filed a fraudulent tax return in her name. It also alleged the university did not notify the people whose data was stolen for months.

California Northstate spokesman Doug Elmets declined comment for this story; city spokesman Tim Swanson did not immediately respond to an email seeking comment.

It’s the latest setback for the university, which has been facing a series of issues spanning several years.

In 2019, an accrediting agency gave the school provisional accreditation, a step down from full accreditation. That same year, a state agency ordered the university to cease offering two programs designed to “fast track” students into careers in medicine. In 2022, the accrediting agency placed the school on probation for undisclosed reasons. As of Wednesday, it remained on probation.

The school has also been hit with a series of lawsuits. Three students in 2021 filed a class action lawsuit alleging the university committed fraud when it promised medical school admission to students who had enrolled in an undergrad program, then denied their admission. That lawsuit is still active.

The school’s issues face a higher level of public scrutiny because the city plans to award a sizable financial incentive for the school to build the Natomas hospital. The $1 billion hospital, at the former Sleep Train Arena site, is planned to receive a so-called enhanced infrastructure financing district.

Under that mechanism, new property tax revenue that would normally go toward the coffers of the city, facing a $66 million budget deficit, is redirected toward helping the developer fund the project — paying for infrastructure such as roads, stormwater and sewer improvements. The city recently approved a financing district of up to $30 million for the UC Davis Aggie Square project in Oak Park.

The council took a step toward the financial incentive last month, a day after Titus-Lay filed her lawsuit, but it has not yet taken the vote to approve it.

In 2022, Councilwoman Katie Valenzuela and other council members grilled the university’s president Dr. Alvin Cheung on whether the hospital will become a nonprofit, whether it will accept Medi-Cal patients and whether it will allow its staff to unionize.

Valenzuela pressed Cheung again to commit to language that would make it easier for hospital workers to unionize — called card check neutrality — during the April 30 meeting.

“I know you run hospitals so I know you know what it means what it takes to work with workers and have these agreements in place so it shouldn’t be new,” Valenzuela told Cheung during the meeting. “There’s a certain baseline we should expect of everyone who gets money from the city and this is one of them.”

Cheung said, “I’m open to do discussion.”

Councilwoman Lisa Kaplan, who represents Natomas, said she didn’t want to add the union language to the April 30 motion but wants to in the future.

“That language should be in with the hospital plans but I don’t feel it is appropriate or legal to put it in with the EIFD,” Kaplan said.

The hospital — which will be 11 to 14 stories and include 250 to 500 patient beds — is expected to take about eight years to build. It will also include housing, park space and a child care center.

A data breach has hit at least one other Sacramento area hospital recently. Sutter Health announced last year over 800,000 patients had their personal information compromised from a ransomware attack.