California HIV Patient PHI Breach Lawsuit Moves Onward


Lambda Legal filed a lawsuit on behalf of 93 data breach victims who are lower-income HIV positive persons whose highly sensitive protected health information (PHI) were stolen from the California AIDS Drug Assistance Program (ADAP) by unauthorized people. The previous administrator of ADAP, A.J. Boggs & Company, filed a motion to dismiss at the Superior Court of California in San Francisco, but it was denied.

Lambda Legal claims in the lawsuit that J. Boggs & Company violated the California Confidentiality of Medical Information Act, the California AIDS Public Health Records Confidentiality Act, and other state medical privacy laws. The company failed to make sure that the online system was safe and secure before using the system and letting the patients encode sensitive information.

The new online enrollment system was launched by A.J. Boggs & Company on July 1, 2016, despite the fact that nonprofits and the LA County Department of Health had already given several warnings that the system lacks testing for vulnerabilities.

Because it wasn’t 100% sure that the system was secure, it meant that the information that patients inputted in the portal were at risk of being exposed and could possibly be accessed by unauthorized people. In November 2016, after four months of using the system, the system was taken off the net to fix the problems.

The California Department of Health discovered in February 2017 that unauthorized individuals exploited the system flaws and accessed the system. As a result, the personal and highly sensitive data of 93 HIV patients were downloaded. Soon after the discovery of the breach, ADAP terminated the contract with the company and adopted a new system operated by the state.