Fallout Grows in Aftermath of Incident Involving Stolen Data Posted on the Dark Web
The online health insurance marketplace servicing residents of Washington, D.C., and staffers and members of the U.S. Congress is facing two proposed class action lawsuits in the aftermath of a hacking incident that affected at least 56,400 individuals.
Some of the data stolen in the incident was posted for sale on the dark web earlier this month (see: Hackers Sell U.S. Lawmaker Data Stolen From Insurance Market).
Both of the lawsuits were filed last week in the U.S. District Court for the District of Columbia, and each makes similar allegations against the DC Health Benefit Exchange Authority, including that the entity was negligent in failing to secure sensitive information of the plaintiffs and class members.
One of the lawsuits, filed by plaintiff Angelo Meranda, names as co-defendants two DC Health Benefit Exchange Authority leaders: Mila Kofman, the authority’s executive director, and Diane C. Lewis, chairperson of its executive board.
That lawsuit alleges that up to 506,000 individuals actually might have been affected by the incident.
The other complaint, filed by Jenni Suhr, estimates that between 56,000 and 107,000 individuals were affected.
Both lawsuits seek monetary damages and improvements to the health insurance marketplace’s data security.
The DC Health Benefit Exchange Authority responded to an inquiry with a statement that the vulnerability exploited by hackers has been fixed. “Our focus throughout our response to this incident has been transparency and providing our customers with information as quickly as possible,” said spokesman Adam Hudson.
CBS News reported on Tuesday that so far at least 17 current and former members of Congress are among the tens of thousands of individuals affected by the attack.
DC Health Link will face serious fallout from the breach, some experts predict.
“This incident is likely to get increased scrutiny from the Department of Health and Human Services’ Office for Civil Rights, which may lead to a higher risk of a financial enforcement action, depending on the underlying facts,” said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
“It would not be surprising if affected members of Congress referred this matter to HHS,” he said.
In the meantime, DC Health Link is working with forensics firm Mandiant “to do a comprehensive review of our security measures and controls, and we will be implementing new protocols going forward,” the exchange said in its breach notice.