Skip to main content
A white-haired woman looks at her computer with concern as she realizes her important online data was breached.

CareSource Data Breach Lawsuit | MOVEit Class Action

The Lyon Firm is investigating data breach claims related to CareSource, a third party vendor linked to the Indiana Family and Social Services Administration (FSSA). Call for a free consultation. Our firm is still accepting claims linked to the MOVEit attack that impacted many CareSource patients. Join the class action to be eligible for rightful compensation. 

What Happened at CareSource?

Recent reports suggest that a data breach could have impacted more than 3 million individuals on Medicaid. The Clop threat group exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution in May 2023 and obtained the protected health information of 3,180,537 individuals. The stolen data includes names, addresses, date of birth, Social Security Numbers, health plan information, medications, and other health information.

CareSource was notified by Progress Software about the vulnerability on May 31, 2023, and patched the flaw on June 1, 2023. The software fix was a bit too late to matter, however, as the vulnerability had already been exploited.

CareSource, the entity that manages software for the Indiana Family and Social Services Administration (FSSA), suffered an IT security incident in May 2023 that may have exposed personal information of Indiana Medicaid members.

The Dayton, OH-based Medicaid and Medicare plan provider is now facing multiple class action lawsuits over the MOVEit cyberattack and data breach. Plaintiffs claim CareSource had a legal duty to safeguard the protected health information of its customers, and failed to accomplish this task.

CareSource notified the U.S. Department of Health and Human Services Office for Civil Rights (HHS) of a data breach involving the company’s use of the MOVEit file transfer application. The MOVEit cyberattack impacted hundreds of companies and millions of individuals. In a data breach notice sent to individuals, CareSource explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information.

What Personal Data was Compromised?

CareSource is a nonprofit, multi-state health plan based out of Dayton, Ohio. CareSource provides health care coverage for Medicaid consumers as well as other insurance plan offerings available on the Health Insurance Marketplace.

The information that could have been compromised may include the following:

  • Names
  • Addresses
  • Social Security numbers
  • Dates of birth
  • Gender
  • Medical conditions
  • Diagnoses
  • Medications
  • Allergies
  • Health conditions
  • Member ID and plan name

Can I Join the CareSource Class Action?

The pending class action CareSource lawsuits allege the company conducted inadequate vendor screening and had insufficient security measures in place. These alleged failures breached its legal duties and obligations under state laws and HIPAA. Lawyers say the company also delayed sending notification letters, despite being aware that highly sensitive data had been stolen.

Plaintiffs claim invasion of privacy, loss of benefit of the bargain, lost time remedying harms, lost opportunity costs, diminution of value of PHI, an increase in spam calls, texts, and emails, and an imminent and ongoing threat of identity theft and fraud. The lawsuit states five causes of action: negligence, negligence per se, breach of fiduciary duty, breach of third-party beneficiary contract, & unjust enrichment, and seeks class action certification, a jury trial, actual damages, punitive damages, restitution, and disgorgement, and equitable, injunctive, and declaratory relief.

Plaintiffs have made allegations about the lack of safeguards and delay in breach notifications and the class action seeks compensation for damages including loss of privacy, fraudulent charges, damages to credit, time lost responding to the breach and out-of-pocket expenses.

CareSource confirmed the breach on June 27, 2023, but did not notify the affected individuals until August 24, 2023. Two years of complimentary credit monitoring and identity theft protection services were offered to the affected individuals, though attorneys say victims are deserving of much more.

Contact our privacy lawyers if you have been affected by any data theft incident. We believe entities that collect and store personal data have a duty to protect it. Should they fail to protect your information, contact a class action lawyer to discuss legal action and possible compensation.

Our data breach lawyers are currently involved in the massive MOVEit litigation. We work with the nation’s largest privacy law firms and we represent plaintiffs in all fifty states. To hold any negligent company accountable for damages, you can consider legal action. By filing a data privacy lawsuit, you not only find justice and compensation, but make the consumer marketplace a safer place in the future.