Three former Magellan Health, Inc. employees have filed a proposed class action lawsuit in the wake of an April 2020 data breach that potentially affected over 163,000 individuals.
According to the case, the for-profit managed healthcare company discovered on April 11 that an unauthorized third party had gained access via ransomware to private and personal data stored on its computer systems. An investigation revealed that a Magellan employee had “inappropriately” responded to a spear phishing email sent on April 6, allowing unauthorized actors to gain access to employee email accounts, the lawsuit states.
Information compromised in the breach included names, contact information, employee ID numbers, W-2 or 1099 information (such as Social Security numbers or taxpayer ID numbers), treatment information, health insurance account information, member IDs, email addresses, phone numbers, physical addresses, and other health-related details, per the complaint.
The lawsuit alleges the data breach occurred in part because Magellan maintained the protected and sensitive information “in a reckless manner,” storing the data on a computer network “in a condition vulnerable to cyberattacks.” The case stresses that Magellan should have been aware of the risk that proposed class members’ information may be improperly disclosed, given that the healthcare company was hit by a prior data breach stemming from a phishing attack less than a year ago.
“[T]hus Defendant was on notice that failing to take steps necessary to secure the PII [personally identifiable information] and PHI [protected health information] from those risks left that property in a dangerous condition,” the complaint says.
The case goes on to allege that Magellan and its employees failed to properly monitor its computer systems, arguing that had it done so, the data breach would have been discovered sooner.
With regard to Magellan’s alleged response to the breach, the lawsuit argues the company failed to provide timely notice to affected individuals. According to the suit, Magellan sent notice of the security incident to approximately 50,410 affected persons on May 12, 2020. On June 12, a second notice was issued to roughly 109,276 plan participants of Complete Care of Florida and Magellan Rx Pharmacy of Maryland, per the complaint. According to the case, the second notice provided “far less information” about the facts of the cyberattack, failed to mention the exfiltration of data and neglected to offer any credit monitoring option as included in the first notice.
A third notice identical to the second was issued on June 15 to plan participants of Magellan subsidiary Magellan Complete Care of Virginia, LLC, the suit adds.
To date, the defendant has offered free identity theft and credit monitoring services for only 36 months “to the first tranche of persons notified of the breach,” while those notified in June were offered no remedy, according to the suit. The lawsuit argues that even if credit monitoring were offered to all affected individuals, the service is still “wholly inadequate” given it fails to account for the fact that data breach victims often face “multiple years of ongoing identity theft” risks and offers no compensation for the unauthorized release of proposed class members’ protected information.
According to the suit, Magellan failed to comply with Federal Trade Commission guidelines and minimum industry standards, and failed to uphold its obligation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect patient information.
The lawsuit looks to represent anyone whose personally identifiable information and protected health information was compromised as a result of the ransomware attack discovered by Magellan on April 11, 2020.