Posted On September 30, 2022 Consumer Privacy & Data Breaches
On September 30, 2022, Anthem MaineHealth (“AMH Health”) filed notice of a data breach with the Office of the Maine Attorney General after the company learned that patient data was leaked related to a data security incident at Choice Health, one of AMH Health’s vendors. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, addresses, dates of birth, phone numbers, email addresses, Medicare ID numbers, Medicaid ID numbers and health plan carrier names. After confirming that consumer data was leaked, AMH Health began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the AMH Health data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Anthem MaineHealth.
The available information regarding the Anthem MaineHealth breach comes from the company’s filing with the Office of the Maine Attorney General. According to this source, AMH Health was contacted by Choice Health on August 5, 2022, regarding a data breach affecting AMH Health patients that occurred on May 7, 2022.
Evidently, on May 14, 2022, Choice Health was informed that an unauthorized party was offering data that was allegedly stolen from the Choice Health network. In response, Choice Health launched an internal investigation with the assistance of third-party cybersecurity specialists.
On May 18, 2022, the Choice Health investigation confirmed that “due to a technical security configuration issue caused by a third-party service provider, a single Choice Health database was accessible through the Internet.” The company’s investigation determined that the period of unauthorized access began on or around May 7, 2022.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Choice Health began to review the affected files to determine what information was compromised and which Anthem MaineHealth consumers were impacted. While the breached information varies depending on the individual, it may include your name, social security number, address, date of birth, phone number, email address, Medicare ID number, Medicaid ID number and health plan carrier name.
On September 30, 2022, Anthem MaineHealth sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Anthem MaineHealth is a recently formed company that combines Anthem Blue Cross and Blue Shield and MaineHealth. Previously, MaineHealth consisted of nine health systems, a behavioral healthcare network, diagnostic services, home health agencies, and 1,700 providers, collectively referred to as MaineHealth Medical Group. In 2022, MaineHealth was acquired by Anthem Blue Cross and Blue Shield. Anthem MaineHealth employs more than 22,000 people and provides care to more than 1.1 million residents in Maine and New Hampshire.
Choice Health Insurance is an insurance company based in Myrtle Beach, South Carolina. Choice Health is an independent broker, meaning the company offers insurance products through various providers. Some of the plans offered by Choice Health include those issued by Humana, WellCare Health Plans, Anthem BlueCross BlueShield, Mutual of Omaha, United Healthcare, Cigna and Aetna. Choice Health also offers plans through healthcare.gov. Choice Health Insurance currently employs more than 130 individuals and generates approximately $33 million in annual sales.
After a data breach, the company responsible for leaking a patient’s information may be liable through a data breach lawsuit. However, just because a breach occurred and information was compromised doesn’t necessarily make the company liable. It is only if victims of the breach can establish that the company’s negligence was a cause of the breach that they can recover compensation.
While all data breach lawsuits are complex, that is especially the case with third-party data breaches. The term third-party data breach is used to describe an incident where the breached company is not the same organization that was initially entrusted with the leaked information. Here, Choice Health provided services to several healthcare providers and, in this capacity, had access to sensitive information. Thus, when Choice Health’s systems were breached, it exposed the information of patients, many of which probably had no idea that a company named “Choice Health” was in possession of their information.
In a situation Like this, determining which company is liable for the data breach can be complex, and consumers whose information was leaked may not know where to look for answers.
As a general rule, any company that maintains, stores, transmits or receives consumer data has a legal obligation to the consumer, regardless of whether the company that was breached received the information directly from a consumer. In fact, for the most part, it does not matter how a company comes into possession of consumer or employee data. Instead, the question is whether the company that was hacked or otherwise leaked the information was negligent.
Turning to the Anthem MaineHealth breach, based on the available information, it would appear that, if any organization is liable, it would be Choice Health. This is because there was no indication that Anthem MaineHealth’s servers were subject to unauthorized access. However, because the investigation into the breach is still ongoing, it is too soon to tell if the breach was the result of either company’s negligence.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the AMH Health data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Anthem MaineHealth (the actual notice sent to consumers can be found here):
Dear [Redacted],
What happened?
On August 5, 2022, Anthem MaineHealth learned an unauthorized person was offering to make data available which was allegedly taken from Choice Health, a vendor who we do business with, on or around May 7, 2022.
What information was involved?
Your name, social security number, and health plan carrier name were impacted. Your address, date of birth, phone number, email address, Medicare ID number, Medicaid ID number may also have been impacted.
This information is called your personal information or protected health information (PHI). It tells others about you and is part of your identity.
What are we doing?
We looked into what caused this issue
Are taking steps to reduce the risk of this happening again
Are committed to protecting the privacy and security of your information
The vendor has enhanced their security measures and confirmed your information is no longer accessible to unauthorized parties.
Ways we’ll protect you:
Credit and identity theft monitoring and repair services
To help protect your identity, we are offering a complimentary two-year membership of Experian® IdentityWorksSM. This product provides you with superior identity detection and resolution of identity theft. To activate your membership and start monitoring your personal information, please follow the steps below:
Ensure that you enroll by: [Redacted] (Your code will not work after this date.)
Visit the Experian IdentityWorks website to enroll: [Redacted]
Provide your activation code: [Redacted]
If you have questions about the product, need assistance with identity restoration or would like an alternative to enrolling in Experian IdentityWorks online, please contact Experian’s customer care team at 877-890-9332 by [enrollment end date]. Be prepared to provide an engagement number [engagement #] as proof of eligibility for the identity restoration services by Experian.
Additional details regarding your 24-MONTH Experian IdentityWorks Membership:
A credit card is not required for enrollment in Experian IdentityWorks.
You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks:
Experian credit report at signup: See what information is associated with your credit file. Daily credit reports are available for online members only.
Credit Monitoring: Actively monitors Experian file for indicators of fraud.
Internet Surveillance: Technology searches the web, chat rooms & bulletin boards 24/7 to identify trading or selling of your personal information on the Dark Web.
Identity Restoration: Identity Restoration specialists are immediately available to help you address credit and non-credit related fraud.
Experian IdentityWorks ExtendCARETM: You receive the same high level of Identity Restoration support even after your Experian IdentityWorks membership has expired.
Up to $1 Million Identity Theft Insurance: Provides coverage for certain costs and unauthorized electronic fund transfers.
What you can do to protect yourself
We sent you this letter just to tell you what took place. You do not have to do anything. We have no reason to believe someone will use your medical information as a result of what took place. But, should you notice any changes to your medical records you did not know about, please tell us so we can take proper steps to help fix it.
