A security breach by a private company that contracted with California’s public health department inadvertently allowed unauthorized access to the HIV status of 93 people, according to a lawsuit filed this week in San Francisco County Superior Court.
New York-based nonprofit Lambda Legal filed the lawsuit against the contractor, A.J. Boggs & Company, on behalf of the people whose confidential medical information was compromised.
“People have a right to choose when and to whom to disclose their HIV status,” said Jamie Gliksberg, a staff attorney for Lambda Legal, which supports LGBT rights. “Their right was taken away from them with this breach.”
The plaintiffs were all beneficiaries of the state’s version of the federally funded AIDS Drug Assistance Program (ADAP), which helps more than 30,000 low-income Californians with HIV and AIDS pay for their medications and insurance premiums. The California Department of Public Health hired A.J. Boggs in 2016 to handle enrollment for the program but terminated the contract last year.
The lawsuit alleges that A.J. Boggs violated a California state law that bars the release of public health records related to HIV and AIDS.
A.J. Boggs’ CEO, J. Clarke Anderson, declined to comment on the case, saying his company had not yet received the official complaint.
The California lawsuit is not the only one involving an inadvertent release of people’s HIV status. In January, health insurance giant Aetna settled a suit for $17 million after some of the letters it sent to 12,000 patients in 2017 — ironically, regarding a previous violation of privacy — revealed through the envelope windows that they were taking HIV medications.
CVS Health faces a legal challenge in Ohio over allegations that it exposed the HIV statuses of 6,000 patients last year in the same way.
“There has not been enough care given to people’s private medical information, specifically HIV patients,” Gliksberg said. “People living with HIV … need to know that health organizations are protecting the privacy and confidentiality of their status.”
This week, BuzzFeed News reported that Grindr, a dating app for the LGBTQ community, had provided the HIV statuses of its users to other companies. Grindr admitted doing so and said it would stop, though it noted it was a public forum and its users had the option not to post such personal details.
The California lawsuit alleges that the enrollment portal for the state’s AIDS drug program was “left vulnerable to unauthorized third-party access” in August 2016 and that the contractor didn’t notice it for three months. During that time, enrollees’ medical information was improperly viewed, according to the suit. It said that the company had “violated the trust” placed in it to safeguard patient privacy.
The state’s public health department sent patients a letter about the security breach in April 2017. It said the department had determined that its contractor did not adequately protect patients’ personal information, and that the information may have been available to unauthorized third parties from Aug. 16, 2016, to Dec. 7, 2016.
One plaintiff, who declined to be named in the lawsuit or to talk to a reporter, said in a statement that the notification hit him “like a ton of bricks.”
“I need these medications to live, and I could only afford them through ADAP,” he said. “That doesn’t mean, however, that I want everyone to know my HIV status.”
Lambda Legal is basing the suit on that plaintiff’s experience, but is seeking class-action status. The goal of the lawsuit is to prevent future breaches, Gliksberg said.
The state hired A.J. Boggs despite the concerns of AIDS service organizations and the Los Angeles County Department of Public Health, which said the company had not adequately prepared for the task and that the transition was too hasty.
Kaiser Health News reported in January 2017 that after A.J. Boggs took over enrollment, some patients were unable to get their drugs or timely medical care. AIDS service providers and advocates said patients were turned away from pharmacies and others were dropped from the program for no reason.
After the state public health department discovered the security breach, it closed down the online enrollment portal. In March 2017, it fired A.J. Boggs, saying the company’s performance threatened patients’ access to lifesaving medications. The department decided to determine eligibility and enroll patients in-house rather than hire a new contractor.
Since then, there have not been any new security problems, said Courtney Mulhern-Pearson, senior director of policy and strategy for the San Francisco AIDS Foundation. “We are glad that the concerns were addressed and now we are working to get things back on track,” she said.
KFF Health News' coverage in California is supported in part by Blue Shield of California Foundation.