Three state residents who have filed a lawsuit against insurance firm True Health New Mexico over what they call a “targeted cyberattack” are seeking to have their complaint declared a class action, representing about 63,000 patients whose personal information might have been stolen.
The plaintiffs, from Santa Fe, Bernalillo and Valencia counties, allege in their state District Court complaint the company failed to protect their information from the October data breach even though such an incident was foreseeable, due to the high value of medical records on the “dark web,” where they sell for as much as $50.
A Social Security number, in comparison, might be worth as little as $1, the lawsuit says.
Thieves can use patients’ personal information to create false identities, open lines of credit or file fraudulent tax returns, the suit notes.
The result of the True Health breach, it adds, is that people with compromised information are forced to go through the expense and hassle of canceling accounts and documents, obtaining new ones and carefully monitoring their online profiles for years.
Meanwhile, the suit says, victims must live with anxiety, fearing their private information, including details of mental and physical ailments, could be publicly disclosed.
True Health did not use best practices to safeguard against a cyberattack, according to the lawsuit, and after it learned members’ data had been compromised, it delayed notifying them.
The company learned of the data breach Oct. 5, the suit says, but “True Health did not notify the public or the U.S. Department of Health and Human Services or send direct notice to effected individuals” until mid-November.
The company did not respond to an email and phone call seeking comment.
True Health posted a notice on its website in the fall about the “data security incident” and said it had no evidence any personal information had been misused. The company said it had “shut down certain systems where necessary, took other preventative measures, and supplemented our existing security monitoring, scanning, and protective measures.”
“We are working with law enforcement officials on their ongoing criminal investigation of this matter,” the company wrote on its website. “True Health also has notified appropriate governmental authorities and continues to monitor global networks for any signs of data misuse.”
Santa Fe attorney Kristina Martinez filed the complaint Jan. 25 in the First Judicial District Court on behalf of Jason Clement of Santa Fe County, Stephenie Wade of Bernalillo County and Karen Siegman of Valencia County.
It accuses the company of negligence, invasion of privacy, breach of contract, breach of fiduciary duty, violation of the New Mexico Unfair Practices Act and unjust enrichment.
The plaintiffs are asking the court to declare the lawsuit a class action, order the health insurer to prevent any future disclosures of information, provide specific information about what data was compromised and award class members an unspecified amount of actual and punitive damages.
They also want the company to pay for the cost of bringing the lawsuit and for five years worth of credit monitoring. The company had offered to provide two years of credit monitoring.