Posted On November 21, 2022 Consumer Privacy & Data Breaches
On November 15, 2022, Commonwealth Care Alliance of California (“CCA Health California”) filed notice of a data breach with the Attorney General of California after the company learned that an unauthorized party had gained access to sensitive consumer data stored on its computer system. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, dates of birth, driver’s license numbers and protected health information. After confirming that consumer data was leaked, CCA Health California began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the CCA Health California data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Commonwealth Care Alliance of California.
The available information regarding the CCA Health California breach comes from the company’s filing with the Attorney General of California. According to this source, on September 16, 2022, CCA Health California first learned of a possible cybersecurity incident when portions of the company’s IT system were disrupted. In response, CCA Health California secured its systems, contacted law enforcement, and then began working with a third-party data security firm to investigate the incident. Through this investigation, CCA Health California hoped to learn more about the nature and scope of the incident, as well as whether any consumer data was leaked as a result.
The CCA Health California investigation confirmed that an unauthorized party was able to access part of the company’s computer network between May 4, 2022, and September 16, 2022. Further, the investigation revealed that the unauthorized party removed certain files containing sensitive information belonging to consumers.
Upon discovering that sensitive consumer data was made available to an unauthorized party, CCA Health California began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, contact information, demographic information, date of birth, Social Security number, passport number, government issued identification number, diagnosis and treatment information, prescription information, Medical Record Number, laboratory test results, provider name(s), date(s) of service, and/or health insurance and plan member information, including member ID number.
On November 15, 2022, CCA Health California sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 2003, Commonwealth Care Alliance is a not-for-profit, health care system based in Boston, MA. CCA operates four smaller organizations in several states, including CCA Massachusetts, CCA Rhode Island, CCA Health Michigan, and CCA Health California. Commonwealth Care Alliance employs more than 4,100 people and generates approximately $2 billion in annual revenue.
Protected health information, or “PHI,” refers to certain information doctors and other healthcare providers collect when treating a patient. More specifically, PHI consists of identifying patient information, such as demographic information, test and laboratory results, mental health information, medical history information, and insurance information.
The collection and use of protected health information are controlled by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Not all patient information in a healthcare provider’s possession is considered “protected health information.” For health information to be “protected,” it must contain an identifier that enables someone to link the data to a specific patient. Under HIPAA, there are 18 different identifiers, the most common of which are:
While any data breach is cause for concern, healthcare data breaches are especially worrisome because your protected health information is very personal. However, putting aside the fact that your personal information is in the hands of a total stranger, there are also risks of financial—and even physical—harm.
Hackers who steal protected health information often sell the information to another person, who then uses the stolen data to obtain healthcare services in the patient’s name. This not only leaves the victim responsible for the bill but can also lead to incorrect information being included in their medical records. For example, a fake patient may provide their current list of medications, medical history, or allergy information to a provider to ensure they receive the appropriate treatment. As a result, the next time the real patient goes to the doctor for treatment, there may be inaccurate information in their medical record, putting their physical health at risk.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the CCA Health California data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Commonwealth Care Alliance of California (the actual notice sent to consumers can be found here):
CCA Health California, formerly known as Vitality Health Plan of California (“CCA Health CA”), is committed to protecting the security and privacy of our member information. We are writing to notify you about an incident that may have involved some of your information. This notice explains the incident, measures we have taken in response, and additional steps you can take to help protect your information.
On September 16, 2022, we learned of an incident that disrupted the operations of some of our IT systems. Immediately, we took steps to secure our IT systems, notified law enforcement, and initiated an investigation with the assistance of a third-party forensic investigator. The investigation determined that an unauthorized party accessed some of our systems between May 4, 2022, and September 16, 2022, and removed some files. All of the specific files that may have been accessed or removed could not be determined, so we could not rule out the possibility that some CCA Health CA files containing your information may have been involved. That information may have included some or all of the following: your name, contact information, demographic information, date of birth, Social Security number, passport number and/ or other government issued identification number, diagnosis and treatment information, prescription information, Medical Record Number, laboratory test results, provider name(s), date(s) of service, and/or health insurance and plan member information, including member ID number.
Out of an abundance of caution, we are offering you a free 12-month membership to Experian® IdentityWorksSM. This product helps detect possible misuse of your information and provides you with identity protection support focused on immediate identification and resolution of identity theft. IdentityWorks is completely free and enrolling in this program will not hurt your credit score. For more information on IdentityWorks, including instructions on how to activate your free membership, as well as some additional steps you can take in response to the incident, please see the pages that follow this letter. We also recommend that you regularly review the statements related to your health plan to ensure they reflect the services that you received.
We sincerely regret any concern this incident may cause you. To help prevent something like this from happening again, CCA Health CA has enhanced our existing security safeguards, monitoring capabilities, and technical measures to further protect and monitor our systems. Should you have questions, please contact (855) 532-0212, Monday through Friday, between 6:00 a.m. and 3:30 p.m. Pacific Time, excluding major U.S. holidays.