CareSource

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

CareSource, a Dayton, Ohio-based Medicaid and Medicare plan provider, experienced a significant data breach due to a cyberattack that exploited a vulnerability in the MOVEit Transfer file transfer solution. This incident, which came to light in June 2023, has led to multiple class action lawsuits against the company. The breach was confirmed by CareSource on June 27, 2023, and affected individuals were notified on August 24, 2023. In response, CareSource offered two years of complimentary credit monitoring and identity theft protection services to those impacted.

The breach was part of a larger cyberattack by the Clop threat group, which exploited a zero-day vulnerability in the MOVEit software. Despite CareSource patching the flaw promptly after being notified by Progress Software on May 31, 2023, the attackers had already accessed sensitive data including names, addresses, Social Security numbers, health plan information, medications, and other health information. This incident has affected over 3 million individuals, with sensitive personal and medical information being compromised.

Several lawsuits have been filed against CareSource, alleging negligence in safeguarding protected health information, inadequate vendor screening, insufficient security measures, and delayed breach notifications. These lawsuits claim that CareSource’s failures breached its legal duties and obligations under state laws and the Health Insurance Portability and Accountability Act (HIPAA). The lawsuits seek various forms of relief, including class action certification, actual and punitive damages, and injunctive relief to prevent future breaches.

One notable aspect of this breach is its scale, impacting not only CareSource members but also potentially over 200,000 Indiana Medicaid members due to CareSource’s role as a third-party vendor for the Indiana Family and Social Services Administration (FSSA). The MOVEit cyberattack has affected hundreds of companies and millions of individuals globally, highlighting the widespread vulnerability of personal information in the digital age[1][2][5][6][7][15].

Citations:

  1. https://www.hipaajournal.com/caresource-facing-multiple-class-action-lawsuits-over-moveit-data-breach/
  2. https://www.thelyonfirm.com/blog/caresource-data-breach-investigation/
  3. https://www.businesswire.com/news/home/20230822094274/en/CareSource-to-provide-impacted-members-with-credit-monitoring-services-following-global-cybersecurity-incident
  4. https://www.daytondailynews.com/gdpr.html
  5. https://www.classaction.org/caresource-data-breach-lawsuit
  6. https://www.wdtn.com/news/local-news/caresource-faces-class-action-lawsuit-over-data-breach-impacting-millions/
  7. https://www.whio.com/news/local/dayton-based-caresource-facing-class-action-lawsuit-after-millions-peoples-data-exposed/VMKQ7VOUDNC6NAXXYI2S2VKGAU/
  8. https://www.doj.nh.gov/consumer/security-breaches/documents/caresource-onetouchpoint-20220803.pdf
  9. https://www.caresource.com/about-us/legal/hipaa-privacy-practices/hipaa-privacy-practices-ohio-medicaid/
  10. https://www.10tv.com/article/news/local/columbus-identity-theft-victim-now-also-affected-by-caresource-cyberattack/530-658e91fc-6c9f-4753-99b9-af6dca70f84b
  11. https://news.bloomberglaw.com/litigation/caresource-lastest-to-face-moveit-data-breach-class-action
  12. https://www.daytondailynews.com/business/mercy-health-patients-among-giant-data-breach-affecting-89-million-people-company-says/3C6AZ66GOVF2PJ6Z5247U22M5U/
  13. https://cybernews.com/news/caresource-data-leak-cl0p-ransomware-attack/
  14. https://www.reddit.com/r/Ohio/comments/16rb5iz/data_breach_from_care_source/?rdt=42890
  15. https://www.lawcommentary.com/articles/caresource-faces-multiple-lawsuits-after-cybersecurity-data-breach
  16. https://www.caresource.com/about-us/legal/hipaa-privacy-practices/third-party-use-of-health-data/
  17. https://oag.ca.gov/system/files/CareSource%20Notification%20Ltr.pdf

Breach Submission Date: Jul 27, 2023
Converted Entity Name: CareSource
Converted Entity Type: Business Associate
State: OH
Individuals Affected: 3,180,537
Breach Type: Unauthorized Access/Disclosure
Breach Information Location: Network Server
Business Associate Present: Yes