Contract Class Certified in CareFirst Data Breach Lawsuit 9 Years After Legal Action was Initiated

A lawsuit against CareFirst BlueCross BlueShield that was filed in response to a 2014 data breach has had a contract class certified by a federal judge, 9 years after legal action was initiated. The lawsuit can now proceed and more than 1 million plan members are a step closer to obtaining damages. In June 2014, hackers gained access to CareFirst systems, which contained the data of around 1.1 million plan members; however, the intrusion was not detected for several months. In response to major data breaches at Anthem Inc., Premera, Excellus, and Community Health Systems, CareFirst conducted a review of its systems, which revealed there had been unauthorized access to one of its databases.

CareFirst announced the data breach in May 2015 and explained that a single database was compromised, which stored the data that members and other individuals enter to access CareFirst’s websites and online services. The compromised data included names, birth dates, email addresses, and subscriber ID numbers, but no highly sensitive information such as Social Security numbers, financial information, or health information.

A lawsuit – Chantal Attias, et al. vs. CareFirst – was filed in the U.S. District Court for the District of Columbia shortly after the notification letters were mailed, alleging that injuries had been suffered as a result of the breach. The lawsuit, which named seven policyholders as plaintiffs, alleged breach of contract and violations of the Consumer Protection Acts in Maryland and Virginia. The lawsuit was dismissed in 2016 due to a lack of standing, as the plaintiffs failed to allege that a concrete, identifiable injury had been sustained as a result of the breach. The ruling was appealed, and the District Court’s ruling was overturned. In 2018, the Supreme Court declined a review of the case, which was referred back to the District Court. Several years of back-and-forth litigation followed. In 2022, the plaintiffs moved to certify three classes, one for each cause of action; however, in March 2023, District Court Judge Christopher Cooper denied the plaintiffs’ motion to certify two consumer classes and one contract class without prejudice, allowing the plaintiffs to file a renewed and modified motion, which they did.

In late 2023, CareFirst’s motion for summary judgment was partially granted, and the claims under the consumer protection statutes in Maryland and Virginia were dismissed. The court found that the plaintiffs could not show there had been any identity theft, and under Washington D.C. law, mitigation expenses incurred to abate the risk of future fraud do not qualify as actual damages; therefore, the plaintiffs would only be able to recover nominal damages.

On March 29, 2023, after careful consideration and a hearing on the matter, Judge Cooper found that certification of a contract class was warranted. “The standing issue that prevented the Court from certifying the last go around has since dissolved because, as all sides agree, each member of the proposed class has allegedly suffered a concrete injury based on CareFirst’s supposed breach of its contractual obligation to safeguard its customers’ data—regardless of whether they sustained an additional, tangible injury due to the data breach,” wrote Judge Cooper in his ruling.

The contract class consists of all individuals in the District of Columbia, Maryland, or Virginia who purchased or possessed health insurance from CareFirst, had their sensitive data exposed in the data breach, and were notified about that breach by CareFirst in May 2015.

The post Contract Class Certified in CareFirst Data Breach Lawsuit 9 Years After Legal Action was Initiated appeared first on HIPAA Journal.

Data Breach at New York Medical Billing Service Provider Affects 284K Individuals

M&D Capital Premier Billing in Queens, NY, has announced a breach of the protected health information of 284,326 individuals. Data breaches have also been reported by Tri-City Healthcare District and Dental Health Services in California, and Ethos (Southwest Boston Senior Services) in Massachusetts.

M&D Capital Premier Billing

M&D Capital Premier Billing, a Queens, NY-based billing service provider, has notified 284,326 individuals about a cybersecurity incident identified on July 8, 2023. Suspicious activity was detected within its network and third-party cybersecurity specialists were engaged to investigate the nature and scope of the unauthorized activity. The forensic investigation confirmed that an unauthorized third party gained access to its network on June 20, 2023, and maintained access until July 8, 2023.

During those three weeks, protected health information provided by its covered entity clients may have been viewed or acquired. That information may have included names, addresses, dates of birth, Social Security numbers, financial information, medical billing information, insurance information, and medical information such as diagnoses, medication, and treatments. M&D Capital Premier Billing said it has reviewed its existing policies and procedures and has implemented additional administrative and technical safeguards to help prevent future attacks. The affected individuals have been offered single bureau credit monitoring/single bureau credit report/single bureau credit score services at no cost.

Ethos (Southwest Boston Senior Services)

Ethos, aka Southwest Boston Senior Services, has recently announced a cybersecurity incident that occurred on November 18, 2023, that exposed the protected health information of 14,503 individuals. On March 13, 2024, it was confirmed that protected health information had potentially been accessed or acquired in the incident. For most of the affected individuals, the exposed data included names, addresses, medical insurance information, and health and treatment information. A small group of affected individuals also had their Social Security numbers exposed.

Contact information has now been verified, which will allow individual notifications to be mailed to the affected individuals. Ethos did not state in its website notification whether credit monitoring and identity theft protection services are being offered. The notification letters will explain the steps that affected individuals can take to monitor and protect their information.

Tri-City Healthcare District

Tri-City Healthcare District in California has notified 7,847 individuals about the exposure of some of their protected health information. On November 9, 2023, unusual activity was detected in its systems, which disrupted access to those systems. The forensic investigation confirmed that an unauthorized third party gained access to its network on November 8, 2023, and may have viewed or exfiltrated files containing patient data.

The review of the affected files was completed on or around March 7, 2024, and confirmed that names and Social Security numbers had been exposed. Notification letters were sent to the affected individuals on April 4, 2024, and complimentary identity theft protection services have been offered. Tri-City Healthcare District said it has implemented additional security measures to further harden security and prevent similar incidents in the future.

Dental Health Services

Dental Health Services, a Californian provider of dental health plans to individuals in California, Oregon, and Washington, has notified certain plan members about an impermissible disclosure of some of their protected health information. On or around February 7, 2024, an error resulted in monthly invoices that contained plan member data mistakenly being emailed to certain employer group customers. While the invoices were encrypted and password protected, before the error was identified, the email recipients were sent the encryption password in a separate email, which allowed the invoices to be viewed.

The invoices contained the impacted members’ names, dates of birth, member identification numbers, eligibility dates, plan types, and premium amounts due. Dental Health Services has received assurances from all recipients of the emails that the incorrectly disclosed invoices have been deleted. Due to the nature of the disclosed information, Dental Health Services does not believe the data will be misused.

The post Data Breach at New York Medical Billing Service Provider Affects 284K Individuals appeared first on HIPAA Journal.