The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CareSource Facing Multiple Class Action Lawsuits Over MOVEit Data Breach

The Dayton, OH-based Medicaid and Medicare plan provider, CareSource, is facing multiple class action lawsuits over a recent cyberattack and data breach. The Clop threat group exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution and obtained the protected health information of 3,180,537 individuals, including names, addresses, dates of birth, Social Security numbers, health plan information, medications, and other health information.

CareSource was notified by Progress Software about the vulnerability on May 31, 2023, and patched the flaw on June 1, 2023; however, the vulnerability had already been exploited. CareSource confirmed the breach on June 27, 2023, and notified the affected individuals on August 24, 2023. The affected individuals were offered 2 years of complimentary credit monitoring and identity theft protection services.

Several lawsuits have now been filed against CareSource in response to the data breach. On September 13, 2023, a lawsuit was filed in the U.S. District Court for the Southern District of Ohio Western Division on behalf of plaintiff Channon Willis, individually and as the next friend of a minor child, and other similarly situated individuals. The lawsuit alleges CareSource had a legal duty to safeguard the protected health information of its customers, yet failed to do so.

The lawsuit claims CareSource conducted inadequate vendor screening and had insufficient security measures in place, and that these failures breached its legal duties and obligations under state laws and HIPAA. It also claims CareSource then unnecessarily delayed sending notification letters, despite being aware that highly sensitive data had been stolen. The lawsuit claims injuries have been suffered as a result of the data breach, including invasion of privacy, loss of benefit of the bargain, lost time remedying harms, lost opportunity costs, diminution of value of PHI, an increase in spam calls, texts, and emails, and an imminent and ongoing threat of identity theft and fraud. The lawsuit also claims PHI remains unencrypted and available for unauthorized third parties to access and abuse.


The lawsuit states 5 causes of action: negligence, negligence per se, breach of fiduciary duty, breach of third-party beneficiary contract, and unjust enrichment. It seeks class action certification, a jury trial, actual damages, punitive damages, restitution, and disgorgement, and equitable, injunctive, and declaratory relief. The plaintiff and class are represented by attorney Terence R. Coates of the law firm Markovits, Stock & Demarco, LLC; Andrew J. Shamis of Shamis & Gentile, P.A.; and Jeff Ostrow of the law firm Kopelowitz Ostrow Ferguson Weiselberg Gilbert. The lawsuit was recently consolidated with four other lawsuits: Dwayne Cooper v. CareSource; David Tzikas v. CareSource; Campo v. CareSource; and Stevens v. CareSource.

Another lawsuit (Cameron et al v. CareSource) was filed in the District Court for the Southern District of Ohio on September 21, 2023, on behalf of plaintiffs Amanda Cameron, Kyle Custer, and Catherine Custer. It makes similar allegations about the lack of safeguards and delay in breach notifications and seeks compensation for damages including loss of privacy, fraudulent charges, damages to credit, time lost responding to the breach, and out-of-pocket expenses. The lawsuit alleges the plaintiffs have suffered anxiety and emotional distress as a result of the theft and release of their sensitive information and face an imminent and ongoing risk of identity theft and fraud. The plaintiffs and class are represented by attorney Brian Flick of the Dann Law Firm.

Higham v. CareSource was filed on September 22, 2023, in the U.S. District Court for the Southern District of Ohio on behalf of plaintiff Todd Higham and his minor child and seeks more than $9.9 million in damages for the plaintiff and class. The lawsuit makes similar claims and alleges that the cybersecurity measures in place were inadequate and fell short of those required by the FTC Act and HIPAA, which allowed the Clop group to steal sensitive data. The plaintiffs are represented by attorney Jesse A. Shore of Morgan & Morgan.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
