Dayton-based CareSource facing class-action lawsuit after millions of people’s data exposed

DAYTON — A federal class action lawsuit was filed against Dayton-based Medicaid and Medicare plan provider CareSource over a data breach in August.

On Sept. 14 members received a letter stating that the software of one of CareSource’s vendors (MOVEit) was hacked on May 31.

Caresource said it patched the software as instructed on June 1 and on June 27 was named as one of the victims of the hacked data.

“We are sorry to say that some of your protected health information was part of the data stolen by the bad actor,” the letter reads.

The letter states that data such as first and last names, addresses, date of birth, Social Security Numbers, health plan information, medications and more were possibly accessed.

It suggested those impacted sign up for two years of credit monitoring through Kroll.

>> 3 easy ways to obtain unused cash

The class action lawsuit filed Sept. 21 on behalf of three people who were impacted by the data breach alleges that CareSource failed to:

  • Secure its network
  • Quickly notify its members of the breach, as despite knowledge of the breach on June 1, CareSource did not notify victims until Aug. 24
  • To make sure any vendors it elects to offload sensitive information to could be entrusted and would safeguard sensitive data
  • To comply with regulatory, ethical and industry standards to ensure the security and confidentiality of sensitive information
  • Adequately respond to a foreseeable data breach

The plaintiffs named in the lawsuit are asking for compensation for damages such as loss of privacy, fraudulent charges, damages to credit, time lost responding to the breach and out-of-pocket expenses.

Some plaintiffs also alleged anxiety and emotional distress as a result of their personal information being released.

CareSource services over a million members across six states.

News Center 7 reached out to CareSource about the lawsuit Monday evening and received the following statement from a CareSource spokesperson Tuesday morning:

“Upon learning CareSource members were impacted by a global cybersecurity event that exploited the MOVEit platform, CareSource launched a prompt and thorough response. We have notified potentially impacted members, offering two years of complimentary credit and identity monitoring. Right now, we are focused on responding to member inquiries and assisting them with resources to help safeguard their data.”