Metro Weekly

Lambda Legal sues California’s ADAP administrator for privacy breach

Security flaw allowed outsiders to access medical information of 93 clients in state's HIV/AIDS drug assistance program

Blood vials – Photo: Lt. Cpl Austin Schlosser, via Wikimedia.

Lambda Legal has filed a class-action lawsuit in San Francisco Superior Court against A.J. Boggs & Company, which manages the state’s AIDS Drug Assistance Program, for compromising the confidential medical records and HIV statuses of at least 93 low-income state residents.

The lawsuit claims that A.J. Boggs went forward with plans to roll out an online enrollment system for ADAP patients despite warnings from several nonprofits and the Los Angeles County Department of Health that the system had not been tested or checked for bugs or glitches.

“From day one, July 1, 2016, when A.J. Boggs’s ADAP enrollment system went on-line, there were problems, and it is not as if these problems were unexpected,” Jamie Gliksberg, a staff attorney for Lambda Legal, said in a statement.

When the new enrollment system went live, any information that patients had entered, including access to their medical records, were made vulnerable to potential attacks. The state tried to rectify the situation by taking the portal offline in November 2016.

In February 2017, state Department of Health officials discovered that unknown individuals accessed the ADAP system and downloaded the private medical information of 93 people. The state subsequently cancelled the contract with A.J. Boggs on March 1, 2017, switching over from private contractors to a state-run system, and notified those who had been affected by the breach.

ADAP is part of the federal Ryan White CARE Act, which allows states to receive federal funding to ensure lower-income HIV-positive people who make too much money to qualify for Medicaid, yet lack an alternative way to access life-saving medications, can do so at a reasonable cost. Approximately 30,000 in California are currently enrolled in ADAP.

“It hit me like a ton of bricks, when I was notified that someone had obtained my private medical information,” Alan Doe, a pseudonym for the chief plaintiff in the class-action lawsuit, said in a statement. “I need these medications to live, and I could only afford them through ADAP. That doesn’t mean, however, that I want everyone to know my HIV status. That’s for me to decide, and A.J. Boggs took that choice away from me.”

In its complaint, Lambda Legal alleges that A.J. Boggs & Company violated California’s medical privacy laws, including the California AIDS Public Health Records Confidentiality Act and the California Confidentiality of Medical Information Act. Lambda Legal is seeking damages on behalf of its clients — though more may join the existing 93 as more information about the breach, or any other security breaches, becomes available through discovery.

Under the California laws that Lambda Legal contends were violated, each plaintiff is entitled to sue for damages of up to $25,000 per person in “statutory damages,” and the LGBTQ law firm is also suing for $1,000 per client, plus any additional amount based on any harm suffered by individual plaintiffs due to the release of their personal information, in “compensatory damages.”

Gliksberg says it is still unknown who accessed the medical records of the 93 patients, or for what purpose. Gliksberg says that California’s robust laws on medical privacy mean that if the information was made vulnerable due to security flaws in the enrollment system, the administrator is responsible for allowing access to that information, thereby violating the law.

“California’s AIDS Public Health Records Confidentiality Act is basically intended to protect against exactly this situation, to make sure that individuals have the choice about when and to whom to disclose their HIV status,” she says. “The purpose of this lawsuit is to ensure that people living with HIV know they can trust the system. When they are seeking care for this condition, they need to know that the health care system is going to maintain their privacy and confidentiality.

“We’re asking for damages, but the point of the damages is to set precedent for the future,” adds Gliksberg, noting that there have been other breaches of patient information by insurance companies and pharmaceutical chains in other states. “The only way to prevent future violations of this type is for people who are violators of these laws to pay for the damage they’ve caused.”

Support Metro Weekly’s Journalism

These are challenging times for news organizations. And yet it’s crucial we stay active and provide vital resources and information to both our local readers and the world. So won’t you please take a moment and consider supporting Metro Weekly with a membership? For as little as $5 a month, you can help ensure Metro Weekly magazine and MetroWeekly.com remain free, viable resources as we provide the best, most diverse, culturally-resonant LGBTQ coverage in both the D.C. region and around the world. Memberships come with exclusive perks and discounts, your own personal digital delivery of each week’s magazine (and an archive), access to our Member's Lounge when it launches this fall, and exclusive members-only items like Metro Weekly Membership Mugs and Tote Bags! Check out all our membership levels here and please join us today!