“CareSource inadequately maintained its network, platform, software, and technology partners—rendering these easy prey for cybercriminals,” the complaint signed by Shore says.
One of CareSource’s software vendors, MOVEit, was hacked on May 31 of this year, and CareSource was named as one of the victims of that breach on June 27, according to the complaint signed by Shore, which also says the public was notified on or about July 27. Information that was stolen included private identification and health information.
“Upon learning CareSource members were impacted by a global cybersecurity event that exploited the MOVEit platform, CareSource launched a prompt and thorough response,” CareSource said in a statement provided to media outlets. “We have notified potentially impacted members, offering two years of complimentary credit and identity monitoring. Right now, we are focused on responding to member inquiries and assisting them with resources to help safeguard their data.”
Other plaintiffs in another lawsuit provided letters dated Sept. 14 notifying them of the data breach, according to another complaint signed by attorney Brian Flick filed on behalf of plaintiffs Amanda Cameron, Kyle Custer, and Catherine Custer. This complaint was filed Sept. 21 in the Ohio Southern District Court.
Data that may have been stolen could include names, addresses, dates of birth, gender, Social Security numbers, member identifications, plan name, health conditions, medications, allergies, and diagnoses, according to the letter from CareSource provided by the plaintiffs. The letter says it came from Anne Fogler, AVP of CareSource.
Consumers must be notified of any security breach to stored personal information that may reasonably cause a material risk of identity theft or other fraud, under the Security Breach Notification Act, according to the Ohio Attorney General’s office.
“Consumers must be notified in the quickest way possible, but not later than 45 days after the breach is discovered,” the attorney general’s office says.
The monitoring program CareSource provided required the victims of the data breach to do the work of signing up by a deadline of Nov. 23, the plaintiffs said. They may face additional years of impact beyond the 24 months, the plaintiffs said, adding they dealt with anxiety, emotional distress, and loss of privacy as a result of this data breach.
Additional complaints from plaintiffs Dwayne Cooper, David Tzikas, Thomas Campo, Tiffany Stevens, Channon Willis, and a minor child being represented by Willis were consolidated this month, also seeking damages in relation to the data breach. Other lawsuits are also pending from Rachel Embert, on behalf of herself, her minor child, and others. The complaint from Embert says CareSource did not begin to notify consumers and class members of the data breach until Aug. 24.
CareSource has not yet filed a response to these claims in federal court.
CareSource covers 2.3 million people in multiple states, including in Georgia, Indiana, Kentucky, Ohio, and West Virginia. It is also part of a team offering services in Arkansas for people with developmental disabilities. CareSource also serves Marketplace clients in North Carolina. It will start adding members from Michigan in October.
CareSource, which administers one of the nation’s largest Medicaid managed care plans, is one of the largest employers in the Dayton area, with about 3,000 employees here and about 4,500 total.