On June 8, 2022, Choice Health Insurance (“Choice Health”) reported a data breach to the California Attorney General’s Office. Choice Health, based in South Carolina, is an independent insurance broker, offering health insurance options to individuals nationwide.
Choice Health states in its official Data Breach Notice that the recent incident may affect the privacy of some California residents’ personal information.
According to the Data Breach Notice, on or about May 7, 2022, an unauthorized person accessed a Choice Health database from the internet and took certain database files.
The data was allegedly made available due to a Choice Health service provider’s failure to configure the database’s security settings properly. On May 14, 2022, Choice Health learned that this unauthorized person was offering to make this personal data available to others. The company has stated that it worked with its service provider to reconfigure the security settings on the affected database, and has confirmed that the database is no longer accessible through the internet.
Individuals with personal information in the compromised files may have already been notified by the company.
What Data May Have Been Compromised by Choice Health’s Data Breach?
According to the Choice Health Notice, the following data may have been accessed and taken:
- First and Last Name
- Social Security number
- Medicare Beneficiary identification number
- Date of birth
- Address
- Contact information
- Health insurance information
The full notice provided by Choice Health can be viewed here.
Choice Health is offering affected individuals 24 months of complimentary identity monitoring services through Experian IdentityWorks.
While not discussed in Choice Health’s Data Breach Notice, according to databreaches.net on May 9, 2022, the data taken from Choice Health was offered for sale on a popular hacking forum.
The sale listing alleges that 600MB of Choice Health data is available, comprising over 2.1 million records and a large number of data types, including, in part:
- First Name and last name
- Occupation
- Marital status
- Date of birth
- Gender
- Medicaid number
- Medicare number
- Credit card number, expiration date, security code
- Date of medications being prescribed
- Name of medication and what medical condition it is prescribed for
- Medication dosage and frequency
- Hospitalizations, illnesses and diseases Notes
- Rx history notes, and more.
Special California Laws Protect You From Data Breach Harms
If you are a California resident and received a Notice of Data Breach from Choice Health, you may be entitled to between $100 and $1,000 plus actual damages resulting from the negligent release of your confidential information. California has unique state laws, including the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA), that compensate individuals whose confidential and sensitive data have been accessed and offered for sale on the dark web.
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again) and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.
As Electronic Personal Data Doesn’t Degrade, 2 Years Of Identity Theft Services Offered by Choice Health May Not Be Enough
Cybercrimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is under $20, depending on the type of information, according to the Privacy Affairs Dark Web Index of 2021.
Certain critical types of personal information – like social security numbers, names, and birth dates – are almost impossible to change. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. “The effects of a health data breach on consumers outlast the initial breach.”[1] Thus, once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses.
Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.
Corporations Should Be Held Accountable For Data Breaches
When businesses decide to collect and keep personal data about current or former California residents, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[2] The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[3]
[1] Source: R. Bonta, California Attorney General, BULLETIN: Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and Requirements Regarding Health Data Breach Reporting (2021).
[2] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).
[3] Same