California Physicians’ Service, which does business as Blue Shield of California, faces a proposed class action over a May 2023 data breach that exposed health plan members’ and beneficiaries’ private information to hackers.
Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.
The 28-page lawsuit says the incident occurred on May 28 and May 31, 2023, when a ransomware gang gained unauthorized access to files held by co-defendant MESVision, a company that manages vision benefits for many Blue Shield members and beneficiaries. According to the case, these files were compromised during a widespread attack against MOVEit, a popular file transfer platform used by MESVision.
The complaint claims the cyberattack has affected more than 600,000 individuals, exposing private data such as their names, dates of birth, addresses, Social Security numbers, group ID numbers, subscriber ID numbers and patient ID numbers. The suit adds that the compromised information also includes vision providers’ names, vision claims numbers, vision-related treatment and diagnosis data, and treatment cost details.
The data breach lawsuit attributes the incident to the defendants’ alleged failure to implement and maintain reasonable cybersecurity measures. In particular, Blue Shield could have prevented the cyberattack had it properly audited its vendors’ security practices or monitored their systems for unusual activity, the suit contends.
Per the filing, the defendants’ failure to safeguard patients’ private information has exposed them to a “heightened” risk of identity theft and fraud that will likely persist for years.
“[The defendants] knew or should have known that plaintiff [sic] and class members’ personal information was an attractive target for cyber thieves, particularly in light of data breaches experienced by themselves and their vendors, as well as other entities around the United States,” the complaint says. To add insult to injury, Blue Shield has fallen victim to at least 11 additional data breaches in the past decade, the case points out.
Although MESVision claims to have discovered the breach on August 23, 2023, it waited 11 weeks to notify potentially impacted members and beneficiaries on November 14, the suit says. Blue Shield also kept victims in the dark until mid-November, despite admitting in an online notice that it learned of the attack on September 1, 2023, the case shares.
The complaint alleges that compared to other companies affected by the MOVEit cyberattack, both defendants took far longer to detect and remediate the security vulnerability in MESVision’s file transfer software.
“[O]ther entities impacted by the vulnerability detected unusual activity and took action as early as May. And many other entities began investigating whether their customers' data had been impacted immediately following the announcement of the Vulnerability as early as May 31. Defendants' failure to timely detect and remediate the Data Breach demonstrates both companies lacked adequate security measures and cybersecurity infrastructure.”
The lawsuit looks to represent Blue Shield members and beneficiaries in California whose personal information was in MESVision's electronic information systems and was compromised as a result of the data breach.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Hair Relaxer Lawsuits
Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.