The Superior Court of California has rejected a motion to dismiss a class action lawsuit on behalf of 93 HIV-positive people, who had their personal information compromised by a data breach of the state’s AIDS Drug Assistance Program online enrollment system.
The lawsuit alleges that A.J. Boggs & Company, the former administrator of the ADAP program, violated California’s medical privacy laws, including the California AIDS Public Health Records Confidentiality Act and the California Confidentiality of Medical Information Act, when it failed to properly secure a website containing sensitive medical information.
Lambda Legal, which is representing the 93 plaintiffs, claims that the company moved ahead with its new online enrollment system despite receiving warnings from several nonprofits and the Los Angeles County Department of Health that the system had not been tested or checked for bugs or glitches.
“From day one, July 1, 2016, when A.J. Boggs’s ADAP enrollment system went on-line, there were problems, and it is not as if these problems were unexpected,” Jamie Gliksberg, a staff attorney for Lambda Legal, said in a statement.
When the new enrollment system went live, any information that patients had entered, including access to their medical records, was made vulnerable to potential attacks. The state tried to fix the problem by taking the portal offline in November 2016.
But in February 2017, officials from the state Department of Health discovered that unknown individuals had accessed the ADAP system and downloaded the private medical information of 93 people.
California subsequently cancelled its contract with A.J. Boggs on Mar. 1, 2017, switching over from private contractors to a state-run system.
ADAP is part of the federal Ryan White CARE Act, which allows states to receive federal funding to ensure lower-income HIV-positive people who make too much money to qualify for Medicaid, yet lack an alternative way to access the antiretroviral medications needed to combat HIV, can do so at a reasonable cost. Approximately 30,000 in California are currently enrolled in ADAP.
“These medications are life-saving for me, and I could only afford them through the AIDS Drug Assistance Program,” Alan Doe, an anonymous ADAP recipient who is the chief plaintiff in the lawsuit, said in a statement. “That does not mean, however, that I deserved to have my confidential medical information exposed publicly. With whom, when and how I share my HIV status is my right and my decision, and A.J. Boggs & Company took both away from me.”
Scott Schoettes, legal counsel and the HIV Project Director at Lambda Legal, said ADAP patients whose privacy rights were violated by the security breach can be especially vulnerable to discrimination if their HIV status is disclosed.
Even those who were not compromised by the breach may delay seeking necessary care if they feel they cannot trust the system to protect their information.
“HIV is still a highly stigmatized medical condition,” Schoettes said. “When members of already vulnerable communities — transgender people, women, people of color, undocumented people, individuals with low incomes — already face challenges in accessing health care, undermining the trust they have in the ADAP is not just a breach of security; it creates a barrier to care.”