DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Former California State Contractor Sued Over Breach Of HIV Patient Privacy

Posted on April 7, 2018 by Dissent

Anna Gorman reports:

A security breach by a private company that contracted with California’s public health department inadvertently allowed unauthorized access to the HIV status of 93 people, according to a lawsuit filed this week in San Francisco County Superior Court.

New York-based nonprofit Lambda Legal filed the lawsuit against the contractor, A.J. Boggs & Company, on behalf of the people whose confidential medical information was compromised.

“People have a right to choose when and to whom to disclose their HIV status,” said Jamie Gliksberg, a staff attorney for Lambda Legal, which supports LGBT rights. “Their right was taken away from them with this breach.”

The plaintiffs were all beneficiaries of the state’s version of the federally funded AIDS Drug Assistance Program (ADAP), which helps more than 30,000 low-income Californians with HIV and AIDS pay for their medications and insurance premiums. The California Department of Public Health hired A.J. Boggs in 2016 to handle enrollment for the program but terminated the contract last year.

The lawsuit alleges that A.J. Boggs violated a California state law that bars the release of public health records related to HIV and AIDS.

A.J. Boggs’ CEO, J. Clarke Anderson, declined to comment on the case, saying his company had not yet received the official complaint.

The California lawsuit is not the only one involving an inadvertent release of people’s HIV status. In January, health insurance giant Aetna settled a suit for $17 million after some of the letters it sent to 12,000 patients in 2017 — ironically, regarding a previous violation of privacy — revealed through the envelope windows that they were taking HIV medications.

CVS Health faces a legal challenge in Ohio over allegations that it exposed the HIV statuses of 6,000 patients last year in the same way.

“There has not been enough care given to people’s private medical information, specifically HIV patients,” Gliksberg said. “People living with HIV … need to know that health organizations are protecting the privacy and confidentiality of their status.”

This week, BuzzFeed News reported that Grindr, a dating app for the LGBTQ community, had provided the HIV statuses of its users to other companies. Grindr admitted doing so and said it would stop, though it noted it was a public forum and its users had the option not to post such personal details.

The California lawsuit alleges that the enrollment portal for the state’s AIDS drug program was “left vulnerable to unauthorized third-party access” in August 2016 and that the contractor didn’t notice it for three months. During that time, enrollees’ medical information was improperly viewed, according to the suit. It said that the company had “violated the trust” placed in it to safeguard patient privacy.

The state’s public health department sent patients a letter about the security breach in April 2017. It said the department had determined that its contractor did not adequately protect patients’ personal information, and that the information may have been available to unauthorized third parties from Aug. 16, 2016, to Dec. 7, 2016.

One plaintiff, who declined to be named in the lawsuit or to talk to a reporter, said in a statement that the notification hit him “like a ton of bricks.”

“I need these medications to live, and I could only afford them through ADAP,” he said. “That doesn’t mean, however, that I want everyone to know my HIV status.”

Lambda Legal is basing the suit on that plaintiff’s experience, but is seeking class-action status. The goal of the lawsuit is to prevent future breaches, Gliksberg said.

The state hired A.J. Boggs despite the concerns of AIDS service organizations and the Los Angeles County Department of Public Health, which said the company had not adequately prepared for the task and that the transition was too hasty.

Kaiser Health News reported in January 2017 that after A.J. Boggs took over enrollment, some patients were unable to get their drugs or timely medical care. AIDS service providers and advocates said patients were turned away from pharmacies and others were dropped from the program for no reason.

After the state public health department discovered the security breach, it closed down the online enrollment portal. In March 2017, it fired A.J. Boggs, saying the company’s performance threatened patients’ access to lifesaving medications. The department decided to determine eligibility and enroll patients in-house rather than hire a new contractor.

Since then, there have not been any new security problems, said Courtney Mulhern-Pearson, senior director of policy and strategy for the San Francisco AIDS Foundation. “We are glad that the concerns were addressed and now we are working to get things back on track,” she said.

Source: California Health Care Foundation.

No related posts.

Category: ExposureHealth Data

Post navigation

← ID theft suspect had medical records, personal information of 100+ people, police say
Data breach at military resort in Germany leaves soldiers open to identity theft →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.