Lambda Legal filed a lawsuit on behalf of a data breach victim who, together with 92 other lower-income HIV-positive individuals, had highly sensitive protected health information (PHI) stolen by unauthorized people from the California AIDS Drug Assistance Program (ADAP). The former ADAP administrator, A.J. Boggs & Company, filed a motion to dismiss the case at the Superior Court of California in San Francisco, but it was rejected.
Lambda Legal alleges in the lawsuit that A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and state medical privacy laws. The firm failed to ensure the safety and security of the ADAP online system before putting it into use and allowing patients to input their sensitive data.
A.J. Boggs & Company launched the new web-based enrollment system on July 1, 2016, in spite of several warnings from nonprofits and the LA County Department of Health that the system had not been cleared for vulnerabilities.
Because the system wasn’t 100% secure, the patient information entered into it was vulnerable to exposure and could likely be viewed by unauthorized persons. In November 2016, four months after the system was activated, it was taken offline because of problems.
In February 2017, the California Department of Health found that unauthorized persons had been able to access the system by exploiting its flaws. The private and highly sensitive information of 93 HIV patients was accessed. Shortly after discovering the breach, ADAP ended the contract with A.J. Boggs & Company and adopted a new state-operated system.
The ADAP program helps states use government funds to give monetary aid to low-income patients with HIV or AIDS, making their prescribed drugs more reasonably priced and extending access to Medicaid any time patients earn too much income. The disclosure of healthcare information is a serious issue, but the exposure of an individual’s HIV status is all the more serious given that HIV is still a highly stigmatized illness. Undermining an individual’s trust in the ADAP doesn’t simply constitute a security breach, but also presents a hurdle to health care.
Lambda Legal is seeking statutory and compensatory damages for its clients and would like class action status so that the 92 breach victims can be involved in the lawsuit.