Doe v. AJ Boggs & Company
Lambda Legal filed a class-action lawsuit in California Superior Court against A.J. Boggs & Company on behalf of 93 low-income Californians living with HIV whose confidential medical records – including their HIV status – were compromised by a data breach of A.J. Boggs’s California AIDS Drug Assistance Program (ADAP) online enrollment system.
The AIDS Drug Assistance Program is part of the federal Ryan White CARE Act, through which states are eligible to receive federal funding to conduct a program that helps ensure access to HIV medications for lower-income people living with HIV who are not eligible for Medicaid and do not have an alternative source to obtain HIV medications at a reasonable cost. In California, approximately 30,000 people are enrolled in its ADAP.
Until March 2017, California contracted with private vendors to administer the ADAP program. In 2016, the California Department of Public Health (CDPH) selected A.J. Boggs to administer the enrollment program, including developing an “ADAP enrollment portal.” The enrollment process requires applicants to provide detailed information and access to their medical records, sensitive and confidential information that California state law requires not be disclosed or disseminated without consent.
Notwithstanding state law, however, the A.J. Boggs enrollment portal was launched without adequate testing; it was not until late November 2016, that the security vulnerability was discovered and the portal was taken off-line. And it was not until February 2017, that CDPH discovered that unknown individuals accessed the ADAP system and downloaded the private medical information of 93 people. CDPH cancelled the contract with A.J. Boggs on March 1, 2017, and notified the affected individuals of the data breach in April 2017.
- April 3, 2018: Lambda Legal files a class-action lawsuit in California Superior Court against A.J. Boggs & Company on behalf of 93 low-income Californians living with HIV whose confidential medical records – including their HIV status – were compromised by a data breach.