Three state residents who filed a lawsuit against insurance company True Health New Mexico over what they call a “targeted cyberattack” are seeking to have their lawsuit filed as a class action lawsuit, representing approximately 63,000 patients including personal information may have been stolen.
The plaintiffs, from Santa Fe, Bernalillo and Valencia counties, allege in their complaint to state district court that the company failed to protect their information from the October data breach, even though such an incident was predictable, due to the high value of medical records on the “dark web”, where they sell for up to $50.
A Social Security number, by comparison, could be worth as little as $1, according to the lawsuit.
Thieves can use patients’ personal information to create false identities, open lines of credit or file fraudulent tax returns, the suit notes.
The result of the True Health breach, he adds, is that people with compromised information are forced to bear the expense and hassle of canceling accounts and documents, obtaining new ones, and carefully monitor their online profiles for years.
Meanwhile, according to the lawsuit, the victims must live with anxiety, fearing that their private information, including details of mental and physical ailments, will be publicly disclosed.
True Health failed to use best practices to protect against a cyberattack, the lawsuit alleges, and after learning members’ data had been compromised, it delayed notifying them.
The company learned of the data breach on Oct. 5, according to the lawsuit, but “True Health has not notified the public or the U.S. Department of Health and Human Services or sent direct notices to affected individuals” until in mid-November.
The company did not respond to an email and phone call seeking comment.
True Health posted a notice on its website in the fall regarding the “data security incident” and said it had no evidence that any personal information had been misused. The company said it had “closed certain systems if necessary, taken other preventive measures and supplemented our existing security monitoring, analysis and protection measures”.
“We are working with law enforcement officials on their ongoing criminal investigation into this matter,” the company wrote on its website. “True Health has also notified the relevant government authorities and continues to monitor global networks for any signs of data misuse.”
Santa Fe Attorney Kristina Martinez filed the lawsuit Jan. 25 in the First Judicial District Court on behalf of Jason Clement of Santa Fe County, Stephenie Wade of Bernalillo County and Karen Siegman of Valencia County.
He accuses the company of negligence, invasion of privacy, breach of contract, breach of fiduciary duty, violation of New Mexico’s unfair practices law and unjust enrichment.
Plaintiffs ask the court to declare the class action, order the health insurer to prevent future disclosure of information, provide specific information about the compromised data, and award class members an undetermined amount of actual and punitive damages.
They also want the company to pay the cost of the lawsuit and for five years of credit monitoring. The company had offered to provide two years of credit monitoring.