Highmark Data Breach Affecting At Least 300K People Triggers Class Action Lawsuit

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit alleges Highmark, Inc.’s “grossly negligent” cybersecurity practices resulted in a “massive” data breach purportedly discovered by the company in December 2022.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 39-page lawsuit says that Pittsburgh, Pennsylvania-based Highmark, one of the top health insurance organizations in the country, claims to have detected unauthorized access to its network servers on December 13 and 15 of last year. The suit relays that some of the personal information compromised in the breach included consumers’ full names, physical addresses, dates of birth, phone numbers, email addresses, financial information and Social Security numbers.

Also affected during the incident was health enrollment information including consumers’ group names and Medicaid identification numbers, and claims or treatment information such as claim numbers, dates of service, procedures and prescription information, the case relays.

The “massive and preventable” cyberattack, which has reportedly compromised the sensitive data of over 300,000 adults and children, was a result of Highmark’s failure to implement basic cybersecurity policies to protect consumers’ private information, the complaint says. The highly confidential data was allegedly stored “unprotected” in the defendant’s network servers and therefore left vulnerable to unauthorized disclosure to “an undoubtedly nefarious third party,” the filing claims.

The lawsuit additionally takes issue with Highmark’s failure to promptly notify victims of the data breach. Though the defendant says it learned of the unauthorized activity as early as December 13, 2022, notices were not sent to those affected until mid-February 2023, two months later, the suit reports.

The notices themselves provided little detail as to precisely when the breach occurred and how long it lasted, the case says. As the complaint tells it, the information given to victims included merely the “basic details” of the cyberattack and Highmark’s recommendations for what to do next.

Victims of the breach remain “in the dark” regarding what precise data was stolen and what steps Highmark is taking to safeguard their private information in the future, the filing shares.

The plaintiff, a Pennsylvania resident, received notice on February 13 of this year that his highly sensitive personal information had been compromised in the Highmark data breach, the case states. The man, like other victims, now faces an increased risk of fraud, identity theft, and other unwanted activity as a result of Highmark’s “reckless” and “negligent” actions, the suit charges.

According to the complaint, Highmark covers the insurance needs of roughly 6.8 million people across Pennsylvania, Delaware, New York and West Virginia.

The lawsuit looks to represent anyone in the United States whose personal and/or financial information was compromised as a result of the data breach discovered by Highmark, Inc. in December 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.