https://www.jdsupra.com/legalnews/oversight-leads-to-data-breach-at-3910791/
Recently, Choice Health Insurance reported a data breach after the company discovered that an unauthorized party was offering data obtained from the Choice Health systems for sale on a popular hackers’ website. According to Choice Health, the breach resulted in the full names, Social Security numbers, Medicare information and health insurance information of certain individuals being compromised. On June 8, 2022, Choice Health filed official notice of the breach and sent out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Choice Health Insurance data breach, please see our recent piece on the topic here.
More Details About the Cause and Impact of the Choice Health Data Breach
According to official notice filed by the company, on May 14, 2022, Choice Health learned that an unauthorized party was offering to sell data allegedly obtained from the company’s system. In response, Choice Health Insurance launched an investigation into the incident, and, on May 18, 2022, the company learned that “due to a technical security configuration issue caused by a third-party service provider, a single Choice Health database was accessible through the Internet.” Based on the company’s investigation, the Choice Health files were accessible on or about May 7, 2022.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Choice Health Insurance reviewed the affected files to determine exactly what information was compromised and to whom it belonged. While the breached information varies depending on the individual, it may include your first and last name, Social Security number; Medicare beneficiary identification number; date of birth; address and contact information; and health insurance information.
On June 8, 2022, Choice Health Insurance sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Choice Health Insurance
Choice Health Insurance is an insurance company based in Myrtle Beach, South Carolina. Choice Health is an independent broker, meaning the company offers insurance products through various providers. Some of the plans offered by Choice Health include those issued by Humana, WellCare Healthplans, Anthem BlueCross BlueShield, Mutual of Omaha, United Healthcare, Cigna and Aetna. Choice Health also offers plans through healthcare.gov. Choice Health Insurance currently employs more than 130 individuals and generates approximately $33 million in annual sales.
Who Is Responsible for a Data Breach?
Choice Health noted in its letter to patients affected by the breach that it stemmed from a “technical security configuration issue” at a third-party service provider. Based on this statement, it would appear that the unauthorized access did not involve the Choice Health IT system but the system of another company that Choice Health trusted with its customers’ information. Following a data breach, especially one involving multiple companies, victims wonder who can be held accountable for the leaking of their information.
Under data breach and consumer protection laws, any organization in possession of consumer data has an obligation to safeguard the information in its possession. Of course, this includes those organizations that receive consumers’ information directly from the consumer. However, it also applies to third-party companies, vendors, service providers and contractors that receive the data through the company that was initially responsible for storing consumer data.
In the case of the Choice Health data breach, there is no indication that Choice Health was negligent in maintaining its own data security systems. However, depending on how the investigation turns out, it is possible that Choice Health negligently entrusted consumer data to the third-party service provider. For example, this may be the case if Choice Health knew or had reason to believe that the service provider had a history of mishandling consumer data.
Of course, the unnamed service provider could also potentially be independently liable for the breach. Organizations and their data security systems are the first line of defense against cyberattacks, and those businesses that choose not to maintain adequate data security systems put consumers’ information at risk.
The bottom line is that data breach laws provide a mechanism for the victims of a data breach to pursue a claim for compensation against the company accountable for the breach. However, determining which company bears responsibility requires an in-depth knowledge of complex data breach laws. Those looking for answers in the wake of the Choice Health Insurance data breach should consult with an experienced data breach lawyer to learn more about their rights.