A data breach, that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals, will go to trial after a lawsuit submitted by Lambda Legal on behalf of a victim survived a motion to dismiss.
A motion to dismiss was submitted by the former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, however it was rejected by the Superior Court of California in San Francisco.
In the legal action, Lambda Legal claims A.J. Boggs & Company breached the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy legisation by failing to ensure an online system was safeguarded prior to introducing that system and allowing patients to submit sensitive information.
A.J. Boggs & Company went live with its new online enrollment on July 1, 2016, despite having previously receiving several warnings from nonprofits and the LA County Department of Health that the system had not been adequately tested for weaknesses.
It was claimed that the failure to make sure its system was safe meant that any data recorded on the portal by patients was in danger of exposure and could possibly be obtained by unauthorized parties. In November 2016, four months following the implementation of the system, A.J. Boggs & Company took the system offline to address the vulnerabilities.
However, in February 2017, the California Department of Health noticed that the flaws in its portal had been taken advantage of and unauthorized people had obtained access to the system and had downloaded the private and highly sensitive data of 93 patients with HIV or AIDS. After this discovery, the contract with the firm was cancelled and a new state-run system was implemented.
The ADAP program supplies states with federal funding to provide financial assistance to low-income people with HIV or AIDS to make HIV medications more affordable, widening access to Medicaid when patients incomes were too high.
Scott Schoettes, HIV Project Director at Lambda Legal said: “HIV is still a highly stigmatized medical condition. When members of already vulnerable communities — transgender people, women, people of color, undocumented people, individuals with low incomes — already face challenges in accessing health care, undermining the trust they have in the ADAP is not just a breach of security; it creates a barrier to care.”
Lambda Legal is requesting statutory and compensatory compensation for the patient and is looking for class action status to permit the other 92 breach victims to be incorporated in the legal action.