Lambda Legal today filed a class-action lawsuit in California Superior Court against A.J. Boggs & Company on behalf of 93 low-income Californians living with HIV whose confidential medical records – including their HIV status – were compromised by a data breach of A.J. Boggs’s California AIDS Drug Assistance Program (ADAP) online enrollment system.
“From day one, July 1, 2016, when A.J. Boggs's ADAP enrollment system went on-line, there were problems, and it is not as if these problems were unexpected,” said Jamie Gliksberg, Staff Attorney for Lambda Legal.
“Several nonprofits that enroll community members in ADAP, as well as the Los Angeles County Department of Health, raised concerns before the system went online that there had been no testing or vetting of the new enrollment system.”
“Low-income Californians living with HIV who rely on the AIDS Drug Assistance Program for life-saving medication trust that the program will keep their HIV status confidential: A.J. Boggs violated that trust,” said Scott Schoettes, Counsel and HIV Project Director at Lambda Legal.
“When members of already vulnerable communities—transgender people, women, people of color, undocumented people—have to jump through hoops to access health care, undermining the community’s trust in ADAP is not just a breach of security but another barrier to care.”
“It hit me like a ton of bricks, when I was notified that someone had obtained my private medical information,” said Alan Doe, who is using a pseudonym for purposes of the lawsuit.
“I need these medications to live, and I could only afford them through ADAP. That doesn’t mean, however, that I want everyone to know my HIV status. That’s for me to decide, and A.J. Boggs took that choice away from me.”
The AIDS Drug Assistance Program is part of the federal Ryan White CARE Act, through which states are eligible to receive federal funding to conduct a program that helps ensure access to HIV medications for lower-income people living with HIV who are not eligible for Medicaid and do not have an alternative source to obtain HIV medications at a reasonable cost.
In California, approximately 30,000 people are enrolled in its ADAP.
Until March 2017, California contracted with private vendors to administer the ADAP program. In 2016, the California Department of Public Health (CDPH) selected A.J. Boggs to administer the enrollment program, including developing an “ADAP enrollment portal.”
The enrollment process requires applicants to provide detailed information and access to their medical records, sensitive and confidential information that California state law requires not be disclosed or disseminated without consent.
Notwithstanding state law, however, the A.J. Boggs enrollment portal was launched without adequate testing; it was not until late November 2016, that the security vulnerability was discovered and the portal was taken off-line.
And it was not until February 2017, that CDPH discovered that unknown individuals accessed the ADAP system and downloaded the private medical information of 93 people. CDPH cancelled the contract with A.J. Boggs on March 1, 2017, and notified the affected individuals of the data breach in April 2017.
“The contract with A.J. Boggs has been terminated and the HIV-related confidential information of those in the program is now secure—Lambda Legal is bringing this suit to ensure that a breach like this never happens again,” said Anthony Pinggera, Lambda Legal HIV Project Law Fellow.
In the complaint filed today in the San Francisco County Superior Court, Lambda Legal alleges that A.J. Boggs & Company violated California’s medical privacy laws, including the California AIDS Public Health Records Confidentiality Act and the California Confidentiality of Medical Information Act.
Lambda Legal is seeking to have the lawsuit certified as a class action, and is seeking statutory and compensatory damages.