NationsBenefits Hit with Class Actions Over January 2023 Cyberattack Impacting 3M Patients

New to ClassAction.org? Read our Newswire Disclaimer

At least two proposed class action lawsuits have been filed against NationsBenefits in the wake of a data breach early this year that reportedly affected more than three million patients whose health plans use the company’s supplemental benefits administration services.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

According to one case filed on May 5, NationsBenefits stored patient data in a “negligent and/or reckless manner” on a file transfer platform owned by IT management software company Fortra, which Russian-linked ransomware group Clop was able to hack between January 28 and 30 this year. The lawsuit says that NationsBenefits is reportedly one of over 130 organizations impacted by the Fortra cyberattack, all of which used Forta’s file transfer solution, GoAnywhere MFT.

Another complaint, filed May 11, claims the NationsBenefits data breach compromised private information belonging to roughly 3,037,302 current and former Elevance Health, Aetna and UAW health plan members, including their first and last names, addresses, phone numbers, dates of birth, gender, health plan subscriber ID numbers, Social Security numbers and/or Medicare numbers. 

“NationsBenefits knowingly disregarded standard information security principles, despite obvious risks, by allowing unmonitored and unrestricted access to unsecured [personally identifiable information] and [protected health information],” one suit contends.

Per the case, the company could have prevented the incident had it adequately secured its network, properly encrypted its data or better selected its IT partners.

Individuals whose personal information was exposed in the breach now face a heightened risk of identity theft and fraud, along with out-of-pocket costs associated with the prevention, detection and recovery from these threats, the complaints allege.

Although NationsBenefits purportedly learned of the Fortra data breach in early February 2023, it nevertheless waited months before it began to notify affected individuals in April 2023, the filings say.

By failing to provide victims timely notice of the breach, NationsBenefits “deprived Plaintiff and Class Members of the chance to take speedy measures to protect themselves and mitigate harm,” causing “their injuries to fester and the damage to spread,” one case argues.

What’s more, NationsBenefits, in its notice to consumers, “deliberately underplayed” the severity of the attack and provided little detail as to the nature of the breach, one case argues.

The lawsuits seek to represent anyone in the United States whose personally identifiable information or protected health information was impacted by the data breach referenced in the notice sent by NationsBenefits in April 2023.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.