California's Former ADAP Contractor Faces Lawsuit for an HIV Privacy Breach

Last week, the LGBT organization Lambda Legal filed a class-action lawsuit in California Superior Court against A.J. Boggs & Company, a private vendor hired by California's health department in 2016 to create an "online enrollment portal" for its AIDS Drug Assistance Program (ADAP).

ADAP provides HIV treatment and care to low-income state residents with no other kind of coverage.

The suit was filed on behalf of 93 low-income Californians living with HIV whose confidential medical records -- including their HIV statuses -- were exposed by a data breach of the enrollment system.

"From day one, July 1, 2016, when A.J. Boggs's ADAP enrollment system went on-line, there were problems, and it is not as if these problems were unexpected," Jamie Gliksberg, staff attorney for Lambda Legal, said in a press release. "Several nonprofits that enroll community members in ADAP, as well as the Los Angeles County Department of Health, raised concerns before the system went online that there had been no testing or vetting of the new enrollment system," she said.

"Low-income Californians living with HIV who rely on the AIDS Drug Assistance Program for life-saving medication trust that the program will keep their HIV status confidential: A.J. Boggs violated that trust," added Scott Schoettes, counsel and HIV project director at Lambda Legal, in the release.

"When members of already vulnerable communities -- transgender people, women, people of color, undocumented people -- have to jump through hoops to access health care," he continued, "undermining the community's trust in ADAP is not just a breach of security but another barrier to care."

"It hit me like a ton of bricks, when I was notified that someone had obtained my private medical information," said Alan Doe (using a pseudonym for the purposes of the lawsuit) in the release.

"I need these medications to live, and I could only afford them through ADAP," Doe continued. "That doesn't mean, however, that I want everyone to know my HIV status. That's for me to decide, and A.J. Boggs took that choice away from me."

The AIDS Drug Assistance Program is part of the federal Ryan White CARE Act. It makes states eligible to receive federal funding to run programs that provide HIV meds and treatment for lower-income people living with HIV who can't get Medicaid or other sources of affordable HIV meds and care.

According to Lambda Legal's press release, approximately 30,000 people are enrolled in California's ADAP program.

As recounted in the press release, in 2016, the California Department of Public Health (CDPH) selected A.J. Boggs, an outside company, to administer its ADAP enrollment program and develop an online "enrollment portal" that required members to provide detailed information about, and access to, medical records showing that they were HIV positive. California law dictates that such records remain private.

But, according to Lambda Legal, the portal was launched without adequate testing -- and, in November 2016, a security vulnerability was discovered in it and the portal was taken offline.

Then, in February 2017, according to Lambda, CDPH discovered that unknown individuals had accessed the system and downloaded the private medical information of 93 people. CDPH then cancelled the contract with A.J. Boggs and alerted the affected individuals to the data breach.

"The contract with A.J. Boggs has been terminated and the HIV-related confidential information of those in the program is now secure -- Lambda Legal is bringing this suit to ensure that a breach like this never happens again," said Anthony Pinggera, Lambda Legal HIV Project law fellow.

According to the press release: "In the complaint filed today in the San Francisco County Superior Court, Lambda Legal alleges that A.J. Boggs & Company violated California's medical privacy laws, including the California AIDS Public Health Records Confidentiality Act and the California Confidentiality of Medical Information Act."

"Lambda Legal is seeking to have the lawsuit certified as a class action, and is seeking statutory and compensatory damages."

According to Schoettes, Lambda Legal still doesn't know when or how A.J. Boggs and California ADAP first realized that there was a security breach -- or whether A.J. Boggs' system was hacked from the outside or someone using the system from within leaked the HIV statuses. "Finding out is part of the purpose of this lawsuit," he said.

In an email, a representative for A.J. Boggs told TheBody that the company has not yet received the complaint and therefore declined to comment.

In another email to TheBody, a representative for the CDPH said that the site was breached several times in 2016 -- mostly in incidents in which an ADAP client logged in, saw another ADAP client's information and then reported it to CDPH. According to the CDPH representative, CDPH attributes these leaks to human technical errors in A.J. Boggs' system, not to any deliberate intent to violate privacy.

But when TheBody asked whether CDPH knew which individuals had accessed the system in 2017 and then downloaded 93 people's private medical info, CDPH declined to elaborate.

To be sure, many people with HIV choose to disclose their status via traditional or social media, for the purposes of educating the public and reducing stigma, and the vast majority of them do not suffer adverse consequences regarding employment, health coverage, etc.

Nevertheless, having one's HIV status floating around could have bad consequences for ADAP enrollees, according to Schoettes: "This information could be used by an employer. Once it's out there, there's no telling whose hands it could get into and how it could be turned against them."