SAG-AFTRA Members Take Legal Action Against Health Plan Due to Email Breach

by | Dec 19, 2024

Members of the Screen Actors Guild – American Federation of Television and Radio Artists (SAG-AFTRA) health plan filed a class action lawsuit because of an email phishing attack that compromised their protected health information (PHI). An unauthorized third party accessed an employee’s email account from September 17 to September 18, 2024. The employee fell victim to a phishing email allowing the threat actor to access his account. Data such as names, Social Security numbers, medical insurance details, and claims data may have been stolen. The breach report submitted to the HHS Office for Civil Rights indicated that 35,592 people were affected. SAG-AFTRA mailed individual notifications on December 2, 2024.

Three days after mailing the notification letters, Clarkson Law Firm P.C. filed a lawsuit in the U.S. District Court in Los Angeles naming SAG-AFTRA members Kristy Munden and Matthew Rouillard as plaintiffs. According to the lawsuit, SAG-AFTRA did not apply the appropriate cybersecurity procedures to keep members’ sensitive information from unauthorized access. During the attack, members’ sensitive data were exfiltrated. SAG-AFTRA also failed to sufficiently keep track of its system and computer programs and did not issue prompt breach notifications. Notification letters were sent to affected individuals over 2 months after discovering the email account breach.

The lawsuit claims that the plaintiffs and class members sustained injuries, including out-of-pocket expenditures related to stopping, finding, and remediating identity theft, fraud, and social engineering; lost time; lost opportunity costs when trying to minimize the effects of the data security breach; a violation of privacy; a reduction in the value of their personal data; and a greater threat of identity theft and fraud. All of this could have been avoided with proper HIPAA training.

The lawsuit states that members overpaid for their health plans considering the insufficient cybersecurity protections and the resulting data breach. The lawsuit claims breach of express warranty, unjust enrichment, violation of privacy, negligence, and violations of the California Unfair Competition Law (Business & Professions Code), California Civil Code (Deceit by concealment), and the California Confidentiality of Medical Information Act.

What the lawsuit hopes to achieve is class-action status, a jury trial, monetary compensation, restitution, and a court order requiring SAG-AFTRA to implement sufficient security methodologies, provide appropriate notice to the impacted persons, and forbidding the health plan from getting involved in more wrongful behaviors.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Please enable JavaScript in your browser to complete this form.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy