NationsBenefits Exposed Data of 3M Customers to Hackers, Says Class Action
The negligence of healthcare company NationsBenefits enabled hackers associated with the Clop ransomware group to gain access to the personally identifiable information (PII) of more than 3 million customers in a data breach the company kept hidden from account holders for two months, alleged plaintiff Robert Lizotte in a class action Monday (docket 0:23-cv-61209) in U.S. District Court for Southern Florida in Fort Lauderdale.
The information stolen is “a gold mine for data thieves,” including social security numbers and health insurance information, said the complaint, which names Aetna as a co-defendant for the account data it shared with NationsBenefits. Lizotte and his potential class members face an imminent and ongoing threat of fraud and identity theft due to the data breach, it said.
After being notified by letter April 13 that his PII was exposed in the data breach, Lizotte “made reasonable efforts to mitigate the impact,” said the complaint. He reviewed his credit reports and financial account statements “for any indication of actual or attempted identity theft or fraud,” and he placed a freeze on his credit, it said. This was “valuable time” Lizotte “otherwise could have spent on other activities,” it said.
NationsBenefits and Aetna had “duties” under the 1996 Health Insurance Portability and Accountability Act (HIPAA) “to ensure that all information they collected and stored was secure, and that they maintained adequate and commercially reasonable data security practices to ensure the protection” of plan members’ PII, said the complaint. The lawsuit alleges NationsBenefits and Aetna “failed to comply with their duties under HIPAA and their own privacy policies despite being aware of the risks associated with unauthorized access” of members’ PII.
The defendants were aware, or should have been aware, they were collecting “highly valuable data,” for which they knew, or should have known, “there is an upward trend in data breaches in recent years,” said the complaint. Medical databases “are particularly high value targets for identity thieves,” it said. A June 2012 report in the insurance industry publication Claims Journal said a stolen medical identity has a $50 street value on the black market, compared with $1 for a stolen social security number, it said.
Hackers can commit identity theft, financial fraud and other identity crimes against Lizotte and his class members “now and into the indefinite future,” said the complaint. Class members “may be subject to blackmail from nefarious actors concerning the disclosure of their medical records,” it said. They face “an imminent and substantial risk of further injury including identity theft and related cybercrimes,” it said. Lizotte’s PII “may now be circulating on the dark web and it is highly valuable,” it said.
In addition to violations of HIPAA, the complaint alleges NationsBenefits and Aetna ran afoul of Section 5 of the FTC Act “by failing to use reasonable measures” to protect the PII of more than three million customers and by not complying with “applicable industry standards.” NationsBenefits’ conduct was “particularly unreasonable” due to the nature and amount of PII it obtained, stored, and disseminated, “and the foreseeable consequences of a data breach involving a company as large as NationsBenefits,” said the complaint.