On November 15, 2022, Commonwealth Care Alliance of California (“CCA Health California”) reported a data breach with the Attorney General of California after an unauthorized party was able to access files on the company’s network containing sensitive information belonging to certain individuals. According to CCA Health California, the breach resulted in the names, Social Security numbers, dates of birth, driver’s license numbers and protected health information of certain people being compromised. Recently, CCA Health California sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other frauds.

If you are a member of CCA Health California, chances are you never thought that the information you provided to the company would end up in the hands of a potential criminal. However, based on the company’s recent announcement, this is now a possibility. As we’ve noted in previous posts, healthcare providers have been a favorite target of hackers in 2022, with millions of patients having their personal information exposed. Healthcare providers have a duty to protect the information in their care, and when they fail to live up to this duty, patients may be able to hold them accountable through a data breach lawsuit.

What We Know About the CCA Health California Data Breach

The available information regarding the CCA Health California breach comes from the company’s filing with the Attorney General of California. According to this source, on September 16, 2022, CCA Health California first learned of a possible cybersecurity incident when portions of the company’s IT system were disrupted. In response, CCA Health California secured its systems, contacted law enforcement, and then began working with a third-party data security firm to investigate the incident. Through this investigation, CCA Health California hoped to learn more about the nature and scope of the incident, as well as whether any consumer data was leaked as a result.

The CCA Health California investigation confirmed that an unauthorized party was able to access part of the company’s computer network between May 4, 2022, and September 16, 2022. Further, the investigation revealed that the unauthorized party removed certain files containing sensitive information belonging to consumers.

Upon discovering that sensitive consumer data was made available to an unauthorized party, CCA Health California began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, contact information, demographic information, date of birth, Social Security number, passport number, government issued identification number, diagnosis and treatment information, prescription information, Medical Record Number, laboratory test results, provider name(s), date(s) of service, and/or health insurance and plan member information, including member ID number.

On November 15, 2022, CCA Health California sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

Founded in 2003, Commonwealth Care Alliance is a not-for-profit, health care system based in Boston, MA. CCA operates four smaller organizations in several states, including CCA Massachusetts, CCA Rhode Island, CCA Health Michigan, and CCA Health California. Commonwealth Care Alliance employs more than 4,100 people and generates approximately $2 billion in annual revenue.