A.J. Boggs and Company's motion to dismiss a lawsuit filed against it for an alleged data breach that compromised the medical records of 93 HIV-positive people in California in November 2016 was denied by a San Francisco Superior Court judge Thursday, October 4.
"We are very pleased," said Scott Schoettes, an attorney and HIV project director at Lambda Legal Defense and Education Fund, in an interview with the Bay Area Reporter. "This will allow the case to move forward. It's clear to us that evidence has already shown that 93 individuals' information was breached."
Currently, the suit has only one plaintiff, a California man living with HIV, but Lambda Legal is seeking a class action certification to include the 92 other individuals whose data was allegedly breached.
Schoettes said the case will now go into discovery, in which Lambda Legal will seek further information from A.J. Boggs regarding the data breach, and will submit a subpoena to gather information from the California Department of Public Health and its investigation into the matter.
"We are curious to get more information as to what the results of the investigation were," Schoettes said.
As previously reported by the B.A.R., Lambda Legal in April filed a lawsuit in San Francisco Superior Court against A.J. Boggs, which at one time held the AIDS Drugs Assistance Program contract with CDPH.
A.J. Boggs, a private company based in Michigan, was awarded a contract by CDPH in July 2016 to oversee the state's ADAP online enrollment system. ADAP, part of the Ryan White HIV/AIDS Treatment Extension Act of 2009, provides life-saving medication to low-income people living with HIV who have limited or no health care coverage and are not eligible for Medi-Cal.
Lambda Legal attorneys claim A.J. Boggs did not do enough beta testing before rolling out the new online enrollment system, also known as a portal. Prior to the system going public, the Los Angeles County Department of Health voiced its concern over the lack of testing and vetting of the online portal, as did various nonprofit HIV/AIDS service organizations in the California HIV Alliance, including the San Francisco AIDS Foundation.
"These medications are life-saving for me, and I could only afford them through the AIDS Drug Assistance Program. That does not mean, however, that I deserved to have my confidential medical information exposed publicly," said Alan Doe, the plaintiff in the case who is using a pseudonym for purposes of the lawsuit, in a Lambda Legal news release. "With whom, when, and how I share my HIV status is my right and my decision, and A.J. Boggs & Company took both away from me. Lambda Legal is here to make sure a breach like this never happens again."
In response to the rejection of A.J. Bogg's motion to dismiss, Schoettes added that his client is pleased.
"He is very happy and not surprised, given the strength of the claim, but he's very pleased it's going to move forward and vindicate his privacy right," Schoettes said.
A.J. Boggs CEO Clarke Anderson did not respond to a request for comment.
In California, approximately 30,000 people are enrolled in ADAP, according to a Lambda Legal news release. The enrollment process requires people to provide sensitive information, including detailed medical records that contain their HIV status, which under state law requires confidentiality.
The complaint filed by Lambda Legal alleges A.J. Boggs became aware of the breach in November 2016, at which point it took the portal offline. In February 2017, the state health department discovered that unknown individuals accessed the ADAP system and downloaded the private medical information of 93 people. The state department canceled its contract with A.J. Boggs in March 2017 and now oversees the enrollment system.
Courtney Mulhern-Pearson, director of state and local policy at SFAF, told the B.A.R. in an interview that she is glad the suit will continue.
"I am pleased to see the case moving forward," she said. "The plaintiff's statement was pretty compelling to me, in that HIV disclosure needs to be taken seriously. I fully support his position."
Mulhern-Pearson previously told the B.A.R. in April that there had been issues with ADAP since A.J. Boggs first took control, including patients' difficulty receiving medicine and being denied care. ADAP has since been running sufficiently.
She also said A.J. Boggs' process for getting the online portal up and running was "rushed." The breach set back the state's PrEP Assistance Program for uninsured people by a year. That program aims to expand access to PrEP for uninsured people.
Historically, the state has contracted with private vendors to administer the ADAP program. As previously reported by the B.A.R. CDPH previously contracted with Ramsell, a pharmaceutical benefit company, and then split its contract into three contracts: Magellan Rx Management and Pool Administrators Inc., which along with Boggs, were the new contractors. The state had split up the contract in an effort to get better prices, spokespeople said.
However, Ramsell is suing the state over losing its contract. In court documents, the Oakland-based company alleges that its bid had been "$9 million lower than Boggs'."
In their response, state officials admitted "Boggs' proposal resulted in a higher cost (by $9 million) over three years compared to Ramsell's."
Lambda Legal is seeking statutory and compensatory damages. It is suing over the violation of California's medical privacy laws, including the California AIDS Public Health Records Confidentiality Act and the California Confidentiality of Medical Information Act.
Contact the reporter at [email protected].