Nov 20, 2024

CareSource Faces Multiple Lawsuits After Cybersecurity Data Breach

by Nadia El-Yaouti | Oct 09, 2023
Hands typing on a backlit keyboard, representing cybersecurity and potential data breach scenarios. Photo Source: Adobe Stock Image

A data breach that targeted an Ohio-based insurance company has prompted multiple lawsuits including a class action lawsuit filed by victims who lost sensitive personal information following the data breach. One class action suit is seeking more than $9.9 million in damages.

CareSource, the administrator of one of the nation’s largest Medicaid-managed care plans, employs about 3,000 Dayton, OH, area residents with about 4,500 employees nationwide. As one of the largest players in the game, the company fell victim to a data breach that compromised the sensitive personal data of millions of patients.

The breach took place toward the end of May 2023 and specifically targeted a file transfer program known as MOVEit. This file transfer program is popularly used across the globe by other companies, schools, and even government agencies.

During the breach, critical information including protected health information of over three million individuals was stolen. The data included names, addresses, social security numbers, dates of birth, information pertaining to health plans, medications patients use, and other critical health-related data.

CareSource was notified about the vulnerability on May 31st, 2023, and on June 1st, 2023, the company patched the vulnerability. However, the damage had already been done with the personal information of millions being compromised.

Nearly three months later on August 24th, CareSource notified individuals who were impacted by the data breach and offered two years of complimentary credit monitoring as well as identity theft protection services.

After detecting and addressing the breach, CareSource issued a public statement that read in part, “Upon learning CareSource members were impacted by a global cybersecurity event that exploited the MOVEit platform, CareSource launched a prompt and thorough response.” However, according to the plaintiffs, this vulnerability coupled with the delayed notification to the public is enough to hold the company responsible for negligence.

A number of plaintiffs have come forward with lawsuits against the insurance company. On September 13, 2023, plaintiff Channon Willis filed a lawsuit in the U.S. District Court for the Southern District of Ohio Western Division accusing CareSource of negligence by failing in its legal duty to safeguard the protected health information of its customers.

According to the lawsuit, CareSource inadequately screened its vendors and had insufficient cybersecurity measures in place. As such, the company failed its legal duty and obligation under state and HIPAA laws. The lawsuit goes on to accuse the insurance company of unnecessarily delaying the distribution of notification letters even though they knew highly sensitive information was stolen.

Plaintiffs Amanda Cameron, Kyle Custer, and Catherine Custer have also filed a similar lawsuit in the District Court for the Southern District of Ohio on September 21. Their lawsuit alleges similar claims including weak cybersecurity safeguards and a delay in notifying impacted victims.

A third lawsuit was filed on behalf of plaintiff Todd Higham and his minor child in the U.S. District Court for the Southern District of Ohio on September 22 as well. Their lawsuit seeks $9.9 million in damages for the plaintiff and class. Among the claims made in this lawsuit is the company’s failure to comply with regulatory, ethical, and industry standards to ensure the security and confidentiality of sensitive information.

While cyber security vulnerabilities are an emerging threat impacting industries of all kinds, legislation has not been as comprehensive and up-to-date as it should be. The Federal Trade Commission Act is the primary law governing cybersecurity issues. However, different regulations exist for different industries with each having its own guidelines to follow.

Under HIPAA, the federal law CareSource is accused of violating, the patient health information of individuals is required to be protected and all systems must adhere to HIPAA regulations. The plaintiffs say that in light of this data breach, state and HIPAA laws were not followed.

In addition to violating such laws, the lawsuits maintain that the data breach subjected plaintiffs to undo emotional distress, pain and suffering, and other non-economic damages.

Share This Article

If you found this article insightful, consider sharing it with your network.

Nadia El-Yaouti
Nadia El-Yaouti
Nadia El-Yaouti is a postgraduate from James Madison University, where she studied English and Education. Residing in Central Virginia with her husband and two young daughters, she balances her workaholic tendencies with a passion for travel, exploring the world with her family.

Related Articles

A dermatologist examining a patient's hand with a medical light.
Forefront Dermatology to Pay Nearly $4 Million Following 2021 Data Breach

Wisconsin-based healthcare operator Forefront Dermatology has agreed to a $3.75 million settlement to end a class action lawsuit over a 2021 data breach. The organization operates a number of dermatology offices across the U.S. In 2021 a known ransomware group was able to exploit vulnerabilities within Forefront Dermatology’s network and... Read More »

A close-up of hands typing on a laptop keyboard with green code displayed on the screen, illustrating themes of cybersecurity and data breaches.
Massachusetts-Based Company Faces Multiple Lawsuits After Data Breach

A Massachusetts-based company that specializes in background checks is at the center of four lawsuits. The lawsuit accused the company, Creative Services, Inc., of negligently failing to protect the private information of its clients. The company, which is located in Mansfield, Massachusetts, offered services to employers, universities, and government agencies... Read More »