by Jackson McNeill
July 22, 2015
UCLA Health System is facing a class action lawsuit in federal court after 4.5 million patients’ records were jeopardized in a recent cyber-attack.
The information affected included names, addresses, birthdates, Social Security numbers, insurance information, and personal data related to patients’ illnesses, medications and treatment.
The complaint, filed by plaintiff Michael Allen in the Central District of California, alleges that the hospital network failed to take the “basic steps” necessary to safeguard patient information, and claims that UCLA violated its contracts by allowing the attack to occur.
“Due to [UCLA’s] failure to take the basic steps of encrypting patients’ data,” it argues, “it was much easier for cyber thieves to interpret the information, use it to steal the identities of defendants’ patients, or sell to others who would use defendants’ patients’ personal and health information.”
The complaint also denounces UCLA Health for failing to notify affected patients quickly or deal with the breach expeditiously.
To learn more about protection from the cyberattack on UCLA Health: http://t.co/AbsJefh9VI
— UCLA Health (@UCLAHealth) July 17, 2015
Although the breach apparently occurred sometime around September 2014, suspicious activity was not discovered or investigated until October, and the breach was not firmly identified until May 5, 2015.
Although UCLA has said they are “sending letters to affected individuals with details on how to access the identity theft and restoration services,” most individual patients have still not been notified as to whether their personal information was stolen.
Mr. Allen claims that he was personally affected by the breach after making several visits to a UCLA Health facility sometime in early 2013. As such, he is part of the group of patients whose information would have been exposed by the hack.
His complaint alleges nine total causes of action, including negligence, breach of contract, invasion of privacy, violations of the Confidentiality of Medical Information Act (“CMIA”), and several statutory violations, among others.
Patient confidentiality is key to care at UCLA Health and we regret any impact the cyberattack may have caused: http://t.co/AbsJefh9VI
— UCLA Health (@UCLAHealth) July 18, 2015
Although UCLA Health has said that there “is no evidence that the attacker actually accessed or acquired the personal or medical information maintained on the impacted parts of the UCLA Health network,” that was not enough to stop Mr. Allen from filing suit.
Nor was Mr. Allen placated by UCLA’s offer to give “all potentially affected individuals 12 months of identity theft recovery and restoration services as well as additional health care identity protection tools.”
Beware scams: ID Experts is the ONLY firm authorized by UCLA Health to provide identity protection: http://t.co/3kjjI549he
— UCLA Health (@UCLAHealth) July 20, 2015
Instead, he’s asking for monetary damages, a declaration that UCLA violated the law, and injunctive relief that would force UCLA Health to change its record keeping practices.
If successful, UCLA Health could be facing a hefty judgment.
Every violation of the CMIA entitles each class member to $1,000 in statutory damages, plus an additional $3,000 in punitive damages, while violations of California’s Business & Professions Code—which were also alleged—may entitle class members to as much as $1,000 per violation.
Because of the money at stake, and because it’s still not clear what data hackers actually gained access to, expect UCLA to fight this lawsuit vigorously.
In the meantime, UCLA has said that, in response to the attack, it has “engaged the services of leading cyber-surveillance and security firms, which are actively monitoring and protecting our network” and that it has “also expanded [its] internal security team.”