DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Former California State Contractor Sued Over Breach Of HIV Patient Privacy

Posted on April 7, 2018 by Dissent

Anna Gorman reports:

A security breach by a private company that contracted with California’s public health department inadvertently allowed unauthorized access to the HIV status of 93 people, according to a lawsuit filed this week in San Francisco County Superior Court.

New York-based nonprofit Lambda Legal filed the lawsuit against the contractor, A.J. Boggs & Company, on behalf of the people whose confidential medical information was compromised.

“People have a right to choose when and to whom to disclose their HIV status,” said Jamie Gliksberg, a staff attorney for Lambda Legal, which supports LGBT rights. “Their right was taken away from them with this breach.”

The plaintiffs were all beneficiaries of the state’s version of the federally funded AIDS Drug Assistance Program (ADAP), which helps more than 30,000 low-income Californians with HIV and AIDS pay for their medications and insurance premiums. The California Department of Public Health hired A.J. Boggs in 2016 to handle enrollment for the program but terminated the contract last year.

The lawsuit alleges that A.J. Boggs violated a California state law that bars the release of public health records related to HIV and AIDS.

A.J. Boggs’ CEO, J. Clarke Anderson, declined to comment on the case, saying his company had not yet received the official complaint.

The California lawsuit is not the only one involving an inadvertent release of people’s HIV status. In January, health insurance giant Aetna settled a suit for $17 million after some of the letters it sent to 12,000 patients in 2017 — ironically, regarding a previous violation of privacy — revealed through the envelope windows that they were taking HIV medications.

CVS Health faces a legal challenge in Ohio over allegations that it exposed the HIV statuses of 6,000 patients last year in the same way.

“There has not been enough care given to people’s private medical information, specifically HIV patients,” Gliksberg said. “People living with HIV … need to know that health organizations are protecting the privacy and confidentiality of their status.”

This week, BuzzFeed News reported that Grindr, a dating app for the LGBTQ community, had provided the HIV statuses of its users to other companies. Grindr admitted doing so and said it would stop, though it noted it was a public forum and its users had the option not to post such personal details.

The California lawsuit alleges that the enrollment portal for the state’s AIDS drug program was “left vulnerable to unauthorized third-party access” in August 2016 and that the contractor didn’t notice it for three months. During that time, enrollees’ medical information was improperly viewed, according to the suit. It said that the company had “violated the trust” placed in it to safeguard patient privacy.

The state’s public health department sent patients a letter about the security breach in April 2017. It said the department had determined that its contractor did not adequately protect patients’ personal information, and that the information may have been available to unauthorized third parties from Aug. 16, 2016, to Dec. 7, 2016.

One plaintiff, who declined to be named in the lawsuit or to talk to a reporter, said in a statement that the notification hit him “like a ton of bricks.”

“I need these medications to live, and I could only afford them through ADAP,” he said. “That doesn’t mean, however, that I want everyone to know my HIV status.”

Lambda Legal is basing the suit on that plaintiff’s experience, but is seeking class-action status. The goal of the lawsuit is to prevent future breaches, Gliksberg said.

The state hired A.J. Boggs despite the concerns of AIDS service organizations and the Los Angeles County Department of Public Health, which said the company had not adequately prepared for the task and that the transition was too hasty.

Kaiser Health News reported in January 2017 that after A.J. Boggs took over enrollment, some patients were unable to get their drugs or timely medical care. AIDS service providers and advocates said patients were turned away from pharmacies and others were dropped from the program for no reason.

After the state public health department discovered the security breach, it closed down the online enrollment portal. In March 2017, it fired A.J. Boggs, saying the company’s performance threatened patients’ access to lifesaving medications. The department decided to determine eligibility and enroll patients in-house rather than hire a new contractor.

Since then, there have not been any new security problems, said Courtney Mulhern-Pearson, senior director of policy and strategy for the San Francisco AIDS Foundation. “We are glad that the concerns were addressed and now we are working to get things back on track,” she said.

Source: California Health Care Foundation.

Related posts:

  • California State Agency Released Confidential HIV Information: ACLU and Lambda Legal Demand Explanation
  • Aetna, still looking for scapegoat in HIV disclosure fiasco, sues plaintiffs firms
  • California court allows lawsuit over breach of HIV patients’ information to move forward
  • Small-Scale Violations of Medical Privacy Often Cause the Most Harm
Category: ExposureHealth Data

Post navigation

← ID theft suspect had medical records, personal information of 100+ people, police say
Data breach at military resort in Germany leaves soldiers open to identity theft →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.