Sep 21, 2024

CareSource Faces Multiple Lawsuits After Cybersecurity Data Breach

by Nadia El-Yaouti | Oct 09, 2023

A data breach that targeted an Ohio-based insurance company has prompted multiple lawsuits including a class action lawsuit filed by victims who lost sensitive personal information following the data breach. One class action suit is seeking more than $9.9 million in damages.

CareSource, the administrator of one of the nation’s largest Medicaid-managed care plans, employs about 3,000 Dayton, OH, area residents with about 4,500 employees nationwide. As one of the largest players in the game, the company fell victim to a data breach that compromised the sensitive personal data of millions of patients.

The breach took place toward the end of May 2023 and specifically targeted a file transfer program known as MOVEit. This file transfer program is popularly used across the globe by other companies, schools, and even government agencies.

During the breach, critical information including protected health information of over three million individuals was stolen. The data included names, addresses, social security numbers, dates of birth, information pertaining to health plans, medications patients use, and other critical health-related data.

CareSource was notified about the vulnerability on May 31st, 2023, and on June 1st, 2023, the company patched the vulnerability. However, the damage had already been done with the personal information of millions being compromised.

Nearly three months later on August 24th, CareSource notified individuals who were impacted by the data breach and offered two years of complimentary credit monitoring as well as identity theft protection services.

After detecting and addressing the breach, CareSource issued a public statement that read in part, “Upon learning CareSource members were impacted by a global cybersecurity event that exploited the MOVEit platform, CareSource launched a prompt and thorough response.” However, according to the plaintiffs, this vulnerability coupled with the delayed notification to the public is enough to hold the company responsible for negligence.

A number of plaintiffs have come forward with lawsuits against the insurance company. On September 13, 2023, plaintiff Channon Willis filed a lawsuit in the U.S. District Court for the Southern District of Ohio, Western Division, accusing CareSource of negligence by failing in its legal duty to safeguard the protected health information of its customers.

According to the lawsuit, CareSource inadequately screened its vendors and had insufficient cybersecurity measures in place. As such, the company failed its legal duty and obligation under state and HIPAA laws. The lawsuit goes on to accuse the insurance company of unnecessarily delaying the distribution of notification letters even though it knew highly sensitive information was stolen.

Plaintiffs Amanda Cameron, Kyle Custer, and Catherine Custer have also filed a similar lawsuit in the District Court for the Southern District of Ohio on September 21. Their lawsuit alleges similar claims including weak cybersecurity safeguards and a delay in notifying impacted victims.

A third lawsuit was filed on behalf of plaintiff Todd Higham and his minor child in the U.S. District Court for the Southern District of Ohio on September 22 as well. Their lawsuit seeks $9.9 million in damages for the plaintiff and class. Among the claims made in this lawsuit is the company’s failure to comply with regulatory, ethical, and industry standards to ensure the security and confidentiality of sensitive information.

While cybersecurity vulnerabilities are an emerging threat impacting industries of all kinds, legislation has not been as comprehensive and up-to-date as it should be. The Federal Trade Commission Act is the primary law governing cybersecurity issues. However, different regulations exist for different industries, with each having its own guidelines to follow.

Under HIPAA, the federal law CareSource is accused of violating, the patient health information of individuals is required to be protected and all systems must adhere to HIPAA regulations. The plaintiffs say that in light of this data breach, state and HIPAA laws were not followed.

In addition to violating such laws, the lawsuits maintain that the data breach subjected plaintiffs to undue emotional distress, pain and suffering, and other non-economic damages.


Nadia El-Yaouti
Nadia El-Yaouti is a postgraduate from James Madison University, where she studied English and Education. Residing in Central Virginia with her husband and two young daughters, she balances her workaholic tendencies with a passion for travel, exploring the world with her family.