Lawsuits Increase Against DC Health Link Because of Congress Members’ Data Breach
Online medical insurance marketplace, DC Health Link, is facing no less than two class action lawsuits over a hacking incident that affected 56,415 clients. DC Health Benefit Exchange Authority (DCHBX) operates DC Health Link, which is a public-private healthcare exchange program for Washington D.C. residents. DC Health Link has around 100,000 clients,11,000 of which are Congressional employees and Members of Congress.
DC Health Link stated on March 6, 2023 that Mandiant helped with the investigation and confirmed that 56,415 clients were impacted as the hacker accessed or stole some of their personal data. The breached data included: names, dates of birth, gender, health plan data, carrier name, plan name, premium value, employer contribution, coverage dates, employer information, enrollee information (name, phone number, address, email address, race, ethnicity, citizenship details). The types of information involved differed from one person to another.
DC Health Link offered the affected individuals credit monitoring protection for three years for free. The coverage includes their spouses, children and dependents. The monitoring services are made available to all clients, including those not belonging to the 56,415 affected individuals. The investigation is still in progress and DC Health Link did not mention any information about the nature of the occurrence of the breach.
On the date of DC Health Link’s announcement, one member of a well known hacking forum called IntelBroker claimed to have gotten the information of 170,000 persons in the attack and was selling the stolen information. Part of the stolen information was posted on the internet. AT first, it seemed that the people responsible for the attack did not know that the information of Congress Members and Congressional personnel were included in the stolen information. But another member of the hacking forum called Denfur claimed to be behind the attack and stated that the attack targeted U.S. politicians using Washington D.C. services out of loyalty to Russia. Denfur mentioned the information will be released when it is no longer needed. Initial access to the information was possible because of an open, exposed database.
The lawsuits submitted to the U.S. District Court for the District of Columbia allege that DC Health Link/DCHBX failed to protect the sensitive information of its clients. One claimed that roughly 506,000 people were potentially affected, while another claimed that 56,000 to 107,000 people were potentially affected. The two lawsuits show that the breach is more extensive than what DC Health Link reported.
Milberg Coleman Bryson Phillips Grossman PLLC filed one of the lawsuits on behalf of plaintiff Angelo Meranda against DC Health Link, Executive Director Mila Kofman of DCHBX, the Executive Board of DCHBX, and Chairperson Diane C. Lewis of the Executive Board of DCHBX. Gary E. Mason of Mason LLP filed the other lawsuit against DC Health Link as the only defendant on behalf of plaintiff Jenni Suhr. The lawsuits want monetary damages, class action status, and the order for DCHBX/DC Health Link to improve its security to avoid other data breaches.
Rise Interactive Media & Analytics Face Lawsuit Due to Edgepark Medical Supplies Data Breach
Digital marketing company, Rise Interactive Media & Analytics, is facing a lawsuit due to a cyberattack that led to the compromise of the protected health information (PHI) of around 54,500 Edgepark Medical Supplies patients.
On November 14, 2022, a hacker acquired access to the network of Rise Interactive Media & Analytics and accessed files that contain sensitive patient information, such as names, telephone numbers, email addresses, provider data, expected delivery dates, diagnoses, and medical insurance details. Rise found out that Edgepark data was exposed on December 2, 2022 and sent notifications to the affected persons concerning the attack on February 10, 2023.
The law agency Wolf Haldenstein Adler Freeman & Herz LLC filed the lawsuit in the U.S. District Court of the Northern District of Illinois Eastern Division with plaintiff Tiffany Roper and other persons with similar situations. The lawsuit alleges that Rise was responsible for the breach as it failed to enforce proper security measures to safeguard the consumer information from Edgepark.
The lawsuit additionally disputes why Edgepark had to give patient information like medical insurance data to Rise. It questions the necessity to provide the data in relation to the digital marketing services provided to Edgepark considering that permission must be acquired from patients prior to sharing PHI for marketing reasons. The lawsuit additionally disputes the three months delay in notifying the impacted patients concerning the breach and the insufficiency of details provided in the breach notification letters. The lawsuit alleges there was no explanation in the notification letters as to how the breach happened, how the data was stolen, and what did Rise do to avoid the misuse of patient information.
Immediately after the data breach, at the end of December 2022 or in the beginning of January 2023, the plaintiff alleges that her medical insurance data was employed for fraudulent filling of a prescription, which indicates the rapid trading of her data on the dark web. She additionally alleges she is facing a present and impending lifetime risk of identity theft and fraud because of the data breach.
The allegations mentioned in the lawsuit include negligence, unjust enrichment, and violation of privacy and wants a jury trial, class action status, damages, legal charges, and injunctive relief, plus 16 orders for Rise to enhance its security to avoid more cyberattacks and data breaches.