CareSource, Inc
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
CareSource, Inc., an Ohio-based nonprofit health plan, experienced a significant cybersecurity incident that affected more than 700 organizations worldwide. The breach was orchestrated by CL0P, a Russia-based ransomware gang, which exploited a vulnerability in the MOVEit file transfer system[2]. This incident compromised the personal data of CareSource members, including member identification numbers, names, addresses, dates of birth, emails, phone numbers, gender, social security numbers, plan names, and aspects of health conditions[2].
In response to the breach, CareSource has offered complimentary credit monitoring and identity theft protection services for two years to the impacted members. This includes fraud consultation and identity theft restoration[2]. CareSource began mailing notices to affected members with details on how to register for these services and additional information for safeguarding their data[2].
CareSource has also informed state and federal officials and is working closely with law enforcement on the matter[2]. The compromised data includes sensitive healthcare information, which has raised significant concerns among the affected individuals and has led to multiple class action lawsuits against the company[4][5][13][14][15].
The lawsuits allege that CareSource failed to adequately protect personal health information (PHI) and personally identifying information (PII), did not properly manage its third-party vendors, and did not comply with industry data-security standards and regulations required by the Federal Trade Commission and the Health Insurance Portability and Accountability Act (HIPAA)[4][13][14][15]. The plaintiffs are seeking compensation for damages such as loss of privacy, fraudulent charges, damage to credit, and emotional distress[13][14][15].
CareSource has not yet filed a response in court to these allegations[12]. However, the company has stated that upon learning of the impact on its members, it launched a prompt and thorough response, including retaining a leading cybersecurity firm and providing resources to help members protect and monitor their data[5][9][12].
The breach has had a wide-reaching impact, affecting approximately 45 million people and more than 700 organizations, including governments, banks, educational institutions, and businesses[2]. It is part of a larger trend of increasing data compromises, with 2023 already setting a record for the number of such incidents[6].
Citations:
- https://www.daytondailynews.com/gdpr.html
- https://www.businesswire.com/news/home/20230822094274/en/CareSource-to-provide-impacted-members-with-credit-monitoring-services-following-global-cybersecurity-incident
- https://www.healthcareitnews.com/news/cyberattack-roundup-dna-data-auctioning-and-fourth-party-medicaid-breach
- https://www.hipaajournal.com/caresource-facing-multiple-class-action-lawsuits-over-moveit-data-breach/
- https://www.wdtn.com/news/local-news/caresource-faces-class-action-lawsuit-over-data-breach-impacting-millions/
- https://www.daytondailynews.com/business/2023-is-already-a-record-year-for-data-breaches-and-exposures/U7OU25VFJBHWHPT4AL2WT3LWVQ/
- https://www.caresource.com/about-us/legal/hipaa-privacy-practices/hipaa-privacy-practices-ohio-medicaid/
- https://www.wfyi.org/news/articles/a-data-breach-exposed-private-health-information-of-more-than-200000-medicaid-clients-in-indiana
- https://www.whio.com/news/local/playing-wild-wild-west-with-our-whole-life-local-caresource-members-speak-out-after-data-breach/PXWTSZTBN5HIBNMZGSIDRI4WH4/
- https://www.thelyonfirm.com/blog/caresource-data-breach-investigation/
- https://www.doj.nh.gov/consumer/security-breaches/documents/caresource-onetouchpoint-20220803.pdf
- https://www.10tv.com/article/news/local/ohio/caresource-sued-cyber-attack/530-9f2eb24b-b8f2-4881-bbd4-12a748c24868
- https://www.lawcommentary.com/articles/caresource-faces-multiple-lawsuits-after-cybersecurity-data-breach
- https://topclassactions.com/lawsuit-settlements/privacy/data-breach/caresource-class-action-claims-company-failed-to-data-breach/
- https://news.bloomberglaw.com/litigation/caresource-lastest-to-face-moveit-data-breach-class-action
- https://cybernews.com/news/caresource-data-leak-cl0p-ransomware-attack/
- https://www.classaction.org/caresource-data-breach-lawsuit