CarePointe and CareSource Face Lawsuits Over Data Breach

The Medicare and Medicaid plan provider, CareSource, based in Dayton, OH is facing multiple class action lawsuits associated with a cyberattack that resulted in a data breach. The Clop ransomware group took advantage of a zero-day vulnerability identified in the MOVEit Transfer file transfer solution and acquired the protected health information (PHI) of 3,180,537 persons, which included names, addresses, birth dates, Social Security Numbers, prescription drugs, health plan data, and other medical data.

On May 31, 2023, Progress Software informed CareSource about the vulnerability and patched the vulnerability on June 1, 2023; even so, the vulnerability was already exploited. CareSource affirmed the occurrence of the breach on June 27, 2023, informed the impacted persons on August 24, 2023, and offered free credit monitoring and identity theft protection services for two years to the impacted persons.

A number of lawsuits were filed against CareSource because of the data security breach. On September 13, 2023, plaintiff Channon Willis, personally and as the next friend of a young child, along with other persons in a similar situation, filed a lawsuit in the U.S. District Court for the Southern District of Ohio Western Division. Allegedly, CareSource had a legal responsibility to protect the PHI of its clients, yet didn’t do so.

The lawsuit alleges CareSource performed insufficient vendor verification and did not set up enough security measures, and that these issues breached its legal responsibilities and requirements under state legislation and HIPAA, and then unnecessarily delayed issuing breach notification letters, in spite of knowing that highly sensitive information was stolen. The lawsuit alleges injuries were encountered due to the data breach which includes violation of privacy, lost time remedying harms, loss of benefit of the bargain, costs of lost opportunity, devaluation of PHI, a rise in spam calls, text messaging, and emails, and an impending and continuing risk of identity theft and fraud. The lawsuit likewise alleges PHI continues to be unencrypted and accessible to unauthorized third parties.

The lawsuit states 5 causes of action: breach of fiduciary duty, negligence, negligence per se, unjust enrichment, and breach of third-party beneficiary contract, and wants a jury trial, class action certification, actual damages, restitution, punitive damages, disgorgement, and equitable, injunctive, and declaratory relief. Attorney Terence R. Coates of the law agency, Markovits, Stock & Demarco, LLC; Jeff Ostrow of the law firm, Kopelowitz Ostrow Ferguson Weiselberg Gilbert; and Andrew J. Shamis of Shamis & Gentile, P.A. represent the plaintiff and class. The lawsuit was recently combined with four more lawsuits: David Tzikas v. CareSource; Dwayne Cooper v. CareSource; Stevens v. CareSource; and Campo v. CareSource.

On September 21, 2023, the Cameron et al v. CareSource lawsuit was filed in the District Court for the Southern District of Ohio, for plaintiffs Amanda Cameron, Catherine Custer, and Kyle Custer that makes the same allegations concerning the insufficient safety measures and delayed sending of breach notification letters and wants payment for damages which include violation of privacy, damages to credit, fraudulent charges, time spent addressing the breach and out-of-pocket expenditures. The lawsuit claims the plaintiffs have experienced anxiety and emotional stress due to the theft and compromise of their sensitive data and face an impending and continuing threat of identity theft and fraudulence. Attorney Brian Flick of the Dann Law Agency represents the plaintiffs and class.

Plaintiff Todd Higham and his young child, filed the lawsuit Higham v. CareSource on September 22, 2023 in the U.S. District Court for the Southern District of Ohio. The plaintiff and class want over $9.9 million in damages. The lawsuit alleges insufficient cybersecurity protection as demanded by the FTC Act and HIPAA, which made it possible for the Clop group to steal sensitive information. Attorney Jesse A. Shore of Morgan & Morgan represented the plaintiffs.

CarePointe Faces Lawsuit Over 2021 Ransomware Attack

Indiana Attorney General Todd Rokita took legal action against CarePointe in association with its June 2021 ransomware attack. Files that contain the PHI of 48,742 individuals, which include 45,002 residents of Indiana, were stolen.

The investigation of CarePointe affirmed that an unauthorized third party acquired access to its system, extracted files that contained sensitive information on or about June 25, 2021, and then utilized ransomware for file encryption. The stolen information at the time of the attack included names, addresses, birth dates, health insurance data, health data, and Social Security numbers.

In its Notice of Privacy Practices, CarePointe mentioned its commitment to protecting patient data as demanded by the HIPAA Privacy Rule. Patients need to concur that they have read and comprehended its Notice of Privacy Practices. Despite this, CarePointe is accused of not putting in place proper security guidelines, performing proper risk analyses, and not quickly dealing with identified security threats in an acceptable period of time.

As per AG Rokita’s investigation, CarePointe had met with an IT vendor at the end of 2020 who flagged its remote access guidelines as a security problem that must be resolved. The IT vendor was hired to perform a security risk evaluation, and in January 2021 discovered a number of other IT security problems. The IT vendor discovered the following security problems:

  • weak password guidelines (no password expiry, passwords of 8 or fewer characters were allowed, and there were no difficulty specifications)
  • no account lockouts following a set number of unsuccessful login attempts
    not removing inactive/decommissioned computers from Active Directory
  • a lack of guidelines for terminating access to accounts no longer utilized
  • out-of-date antivirus software program
  • unrestricted access to system shares that contain PHI
  • using generic logins for systems that contain PHI
  • using public domain email accounts for carrying out CarePointe business

The IT vendor was engaged in March 2021 to handle the security problems, however, they were not resolved when the data breach happened. Although CarePointe hired the vendor to carry out a risk analysis in January 2021 and gave access to systems that contain PHI, there was no business associate agreement signed with the vendor by April 29, 2021.

The lawsuit claims HIPAA Privacy Rule and HIPAA Security Rule violations, an inability to apply and keep reasonable processes as demanded by the Indiana Disclosure of Security Breach Act (DSBA), and CarePointe purposefully committed abusive, unfair, and/or deceitful acts, violating the Indiana Deceptive Consumer Sales Act (DCSA).

The Indiana Attorney General charges $100 statutory damages per HIPAA violation per day, and at most $25,000 per year per violation, a civil monetary penalty of $5,000 each for violating the DSBA, and the DCSA, and all costs and charges from the investigation and lawsuit.

About Christine Garcia 1297 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA