A security breach by a private company that contracted with California鈥檚 public health department inadvertently allowed unauthorized access to the HIV status of 93 people, according to a lawsuit filed this week in San Francisco County Superior Court.
New York-based nonprofit filed the against the contractor, , on behalf of the people whose confidential medical information was compromised.
鈥淧eople have a right to choose when and to whom to disclose their HIV status,鈥 said Jamie Gliksberg, a staff attorney for Lambda Legal, which supports LGBT rights. 鈥淭heir right was taken away from them with this breach.鈥
The plaintiffs were all beneficiaries of the state鈥檚 version of the federally funded (ADAP), which low-income Californians with HIV and AIDS pay for their medications and insurance premiums. The California Department of Public Health hired A.J. Boggs in 2016 to handle enrollment for the program but terminated the contract last year.
The lawsuit alleges that A.J. Boggs violated a California state law that bars the release of public health records related to HIV and AIDS.
A.J. Boggs鈥 CEO, J. Clarke Anderson, declined to comment on the case, saying his company had not yet received the official complaint.
The California lawsuit is not the only one involving an inadvertent release of people鈥檚 HIV status. In January, health insurance giant for $17 million after some of the letters it sent to 12,000 patients in 2017 鈥 ironically, regarding a previous violation of privacy 鈥 revealed through the envelope windows that they were taking HIV medications.
CVS Health faces a legal challenge in Ohio over allegations that it exposed the HIV statuses of 6,000 patients last year in the same way.
鈥淭here has not been enough care given to people鈥檚 private medical information, specifically HIV patients,鈥 Gliksberg said. 鈥淧eople living with HIV 鈥 need to know that health organizations are protecting the privacy and confidentiality of their status.鈥
This week, reported that Grindr, a聽dating app for the LGBTQ community, had provided the HIV statuses of its users to other companies. Grindr and said it would stop, though it noted it was a public forum and its users had the option not to post such personal details.
The California lawsuit alleges that the enrollment portal for the state鈥檚 AIDS drug program was 鈥渓eft vulnerable to unauthorized third-party access鈥 in August 2016 and that the contractor didn鈥檛 notice it for three months. During that time, enrollees鈥 medical information was improperly viewed, according to the suit. It said that the company had 鈥渧iolated the trust鈥 placed in it to safeguard patient privacy.
The state鈥檚 public health department sent patients a letter about the security breach in April 2017. It said the department had determined that its contractor did not adequately protect patients鈥 personal information, and that the information may have been available to unauthorized third parties from Aug. 16, 2016, to Dec. 7, 2016.
One plaintiff, who declined to be named in the lawsuit or to talk to a reporter, said in a statement that the notification hit him 鈥渓ike a ton of bricks.鈥
鈥淚 need these medications to live, and I could only afford them through ADAP,鈥 he said. 鈥淭hat doesn鈥檛 mean, however, that I want everyone to know my HIV status.鈥
Lambda Legal is basing the suit on that plaintiff鈥檚 experience, but is seeking class-action status. The goal of the lawsuit is to prevent future breaches, Gliksberg said.
The state hired A.J. Boggs despite the concerns of AIDS service organizations and the Los Angeles County Department of Public Health, which said the company had not adequately prepared for the task and that the transition was too hasty.
Kaiser Health News reported in January 2017 that after A.J. Boggs took over enrollment, some patients were unable to get their drugs or timely medical care. AIDS service providers and advocates said patients were turned away from pharmacies and others were dropped from the program for no reason.
After the state public health department discovered the security breach, it closed down the online enrollment portal. In March 2017, it fired A.J. Boggs, saying the company鈥檚 performance threatened patients鈥 access to lifesaving medications. The department decided to determine eligibility and enroll patients in-house rather than hire a new contractor.
Since then, there have not been any new security problems, said Courtney Mulhern-Pearson, senior director of policy and strategy for the San Francisco AIDS Foundation. 鈥淲e are glad that the concerns were addressed and now we are working to get things back on track,鈥 she said.
黑料吃瓜网 News鈥 coverage in California is supported in part by .