Choice Health Insurance faces a proposed class action over its alleged failure to properly secure and safeguard consumers’ sensitive information from a “foreseeable” May 2022 data breach.
Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.
The 62-page lawsuit states that Choice Health Insurance, an independent broker who sells Medicare products on behalf of Humana Insurance, Anthem BlueCross BlueShield, Mutual of Omaha, UnitedHealthCare, Cigna, Aetna and HealthCare.gov, learned on May 14 of this year that an unauthorized person was offering to make available data that was apparently stolen from the company’s database. Further investigation revealed that Choice Health Insurance’s database was accessible through the internet due to a “security misconfiguration” caused by a third-party site provider, allowing the unauthorized party to access consumers’ files on May 7, the case relays.
Per the complaint, the cybercriminals responsible for the incident held consumers’ private information in exchange for payment from Choice Health Insurance, a situation also known as a ransomware attack. According to a report from HealthITSecurity.com, Humana disclosed to the Maine attorney general that 22,767 individuals were affected by a data breach originating from Choice Health Insurance.
The filing alleges Choice Health Insurance maintained consumers’ private information—including names, Social Security and Medicare beneficiary ID numbers, dates of birth, address and contact details and health insurance specifics—in a “reckless and negligent manner,” in particular on a computer system and network “in a condition vulnerable to cyberattack.”
In its October 7 notice to data breach victims, Choice Health Insurance admitted that their private information was unlawfully accessed and exfiltrated, the suit says. Sometime after the theft, the heisted information was made available online, meaning it “has or likely will be used by cybercriminals for unlawful purposes,” according to the complaint. As a result of the defendants’ roughly four-month delay in notifying victims, proposed class members had no idea their information had been compromised, and that they were, and continue to be, at significant risk of identity theft and fraud, the case says.
Choice Health Insurance data breach victims have suffered losses in the form of out-of-pocket expenses dealing with the incident and the loss of the value of their time to remedy or mitigate the impact of the data breach in the face of an imminent risk of identity theft, the lawsuit stresses.
The lawsuit alleges Choice Health Insurance failed to comply with Federal Trade Commission guidelines and industry best practices in maintaining consumers’ information. Further, the unauthorized disclosure of the data amounts to a violation of Health Insurance Portability and Accountability Act (HIPAA) rules, the suit says.
The lawsuit looks to cover all consumers whose private information was actually or potentially accessed or acquired during the May 2022 Choice Health Insurance data breach at the center of the notice of data breach the company published to victims.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.
Camp Lejeune residents now have the opportunity to claim compensation for harm suffered from contaminated water.