Milberg Coleman declined to comment on pending litigation. Clapp & Lauinger and Wynne Law Firm did not immediately respond to requests for comment.

The plaintiffs accuse SAG Health of violating the California Confidentiality of Medical Information Act by not implementing the appropriate industry security standards to prevent an email phishing scam that exposed sensitive data such as names, Social Security numbers, and health insurance information.

Additionally, they said, SAG Health failed in its duties to members by failing to notify them until almost three months after the event. According to the U.S. Department of Health and Human Services Office of Civil Rights, which is currently investigating the case, 35,592 individuals were affected by the leak.

SAG Health provides healthcare coverage to members of the Screen Actors Guild and American Federation of Television and Radio Artists, the world's largest labor union representing performers, actors, and other professionals in the entertainment and media sector. The collective, which is headquartered in Los Angeles and has 160,000 members, attracted international media attention in 2023 after staging the longest strike in its history against the Alliance of Motion Picture and Television Producers, calling for better pay, improved working conditions, and regulation of artificial intelligence in the industry.

Participants in the SAG Health Plan pay between $375 and $747 quarterly for their health insurance premiums, per the SAG Health website.

According to a press release published by SAG Health on December 2, the Burbank-based company first discovered that an employee’s email had been compromised in an email phishing attack conducted by an “unauthorized third party” on September 18 and determined that the email account “contained personal information related to some plan participants” on October 3. SAG Health claimed that the event was not the result of a ransomware attack and that its systems were not impacted. It has since alerted law enforcement to the issue and will offer credit-monitoring services to SAG-AFTRA members whose data was compromised, it said.

The AFTRA Retirement Fund, which provides retirement benefits to SAG-AFTRA members, was hit with a similar data breach class action in December 2021 in the U.S. District Court for the Southern District of New York after a cyberattack took place in October 2019.

The claims against SAG Health argue that the company should have anticipated the data breach given the volume of personal data involved and the recent prevalence of similar, high-profile incidents at major companies. The data breach was directly caused by its failure to adhere to industry standards for data protection, including the Federal Trade Commission’s cybersecurity guidelines, it said.

“SAG Health disregarded the rights of Plaintiffs and Class Members by, inter alia, failing to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions; failing to disclose that it did not have adequately robust computer systems and security practices to safeguard Private Information; failing to take standard and reasonably available steps to prevent the Data Breach; and failing to properly train its staff and employees on proper security measures,” wrote attorneys for the plaintiffs in the complaint filed by the Clarkson Law Firm. “In addition, SAG Health failed to properly monitor its computer network and systems that housed the Private Information.”

Additional causes of action include violation of California’s Unfair Competition law, deceit by concealment, negligence, breach of express warranty, invasion of privacy, violation of California’s Consumer Privacy Act, and breach of implied contract. The proposed suits also allege that SAG Health is guilty of unjust enrichment because SAG-AFTRA members “overpay” for their premiums, which they reasonably expect to cover adequate data protections.

SAG Health did not immediately respond to a request for comment.

————————————————————
From: BenefitsPRO