HIPAA/HITECH , Legislation & Litigation , Standards, Regulations & Compliance

DC Health Link Facing Lawsuits in Hack Affecting Congress

Fallout Grows in Aftermath of Incident Involving Stolen Data Posted on the Dark Web
DC Health Link Facing Lawsuits in Hack Affecting Congress
Image: DC Health Benefit Exchange Authority

The online health insurance marketplace servicing residents of Washington, D.C., and staffers and members of the U.S. Congress is facing two proposed class action lawsuits in the aftermath of a hacking incident that affected at least 56,400 individuals.

See Also: Demonstrating HIPAA Compliance

Some of the data stolen in the incident was posted for sale on the dark web earlier this month (see: Hackers Sell U.S. Lawmaker Data Stolen From Insurance Market).

Both of the lawsuits were filed last week in the U.S. District Court for the District of Columbia, and each makes similar allegations against the DC Health Benefit Exchange Authority, including that the entity was negligent in failing to secure sensitive information of the plaintiffs and class members.

One of the lawsuits, filed by plaintiff Angelo Meranda, names as co-defendants two DC Health Benefit Exchange Authority leaders: Mila Kofman, the authority's executive director, and Diane C. Lewis, chairperson of its executive board.

That lawsuit alleges that up to 506,000 individuals actually might have been affected by the incident.

The other complaint, filed by Jenni Suhr, estimates that between 56,000 and 107,000 individuals were affected.

Both lawsuits seek monetary damages and improvements to the health insurance marketplace's data security.

The DC Health Benefit Exchange Authority responded to an inquiry with a statement that the vulnerability exploited by hackers has been fixed. "Our focus throughout our response to this incident has been transparency and providing our customers with information as quickly as possible," said spokesman Adam Hudson.

CBS News reported on Tuesday that so far at least 17 current and former members of Congress are among the tens of thousands of individuals affected by the attack.

DC Health Link will face serious fallout from the breach, some experts predict.

"This incident is likely to get increased scrutiny from the Department of Health and Human Services' Office for Civil Rights, which may lead to a higher risk of a financial enforcement action, depending on the underlying facts," said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

"It would not be surprising if affected members of Congress referred this matter to HHS," he said.

In the meantime, DC Health Link is working with forensics firm Mandiant "to do a comprehensive review of our security measures and controls, and we will be implementing new protocols going forward," the exchange said in its breach notice.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.