Insurance Firm Didn't Warn Data Breach Victims 'Promptly and Fully,' Suit Alleges
Insurance firm Keenan & Associates discovered a data breach in its computer systems on Aug. 27, but waited six months before it notified and warned customers that their personally identifiable information (PII) was vulnerable, alleged a negligence class action Thursday (docket 8:24-cv-00544) in U.S. District Court for Central California in Santa Ana.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The breach touched some 1.5 million Keenan customers, the complaint said. It occurred from Aug. 21-Aug. 27 in a cyberattack on the company’s network, the complaint said. The unauthorized party obtained information including Keenan customers’ name; birthdate; Social Security, passport and driver’s license numbers; and health insurance and general health information. Keenan requires that information from customers as a condition of receiving insurance benefit services, the complaint said.
As a result of Keenan’s failure to protect customers’ PII and warn them “promptly and fully” about the breach until Jan. 26, plaintiff Donya Ghyam, an Irvine, California resident, and class members suffered “widespread injury and damages,” the complaint said.
In addition, the complaint alleges Keenan’s data breach notice “minimized the consequences” of the incident. Keenan told customers it was not aware of evidence that PII was “misused,” said the complaint. Instead, Keenan told customers it wanted to make them aware of the incident and provide information on steps they “may consider taking,” it said. The company encouraged data breach victims to “be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity.”
The defendant advised customers that they contact credit reporting agency Experian, to place fraud alerts with the three credit bureaus, and to place a security freeze on their credit reports, the complaint said. It offered victims identity theft protection services through Experian IdentityWorks, including 24 months of credit monitoring and theft recovery services, it said.
As a result of the breach, victims face "a lifetime risk of identity theft,” the complaint said. The breach included sensitive information “that cannot be changed,” such as birthdates and Social Security numbers, it said. Keenan’s identity theft protection and credit monitoring through IdentityWorks “is wholly insufficient” to compensate Ghyam and class members for their damages, it added.
In the aftermath of the breach, Ghyam began receiving “an influx of phishing and spam calls and emails,” alleged the complaint. In October, Ghyam had to install a spam blocker on her phone because she was receiving so many phishing calls, it said. As a result of the data breach, Ghyam faces “a lifetime risk of additional identity theft, as it includes sensitive information that cannot be changed, like her date of birth and Social Security number,” it said.
Keenan “tortiously failed to take the necessary precautions required to safeguard and protect” customers’ PII from hackers, the complaint said. Its actions represent a “flagrant disregard” for the rights of Ghyam and class members, who were “foreseeable and probable victims” of Keenan’s “inadequate security practices and procedures,” it said. The company should have known the risks in collecting and storing PII and the “critical importance of providing adequate security for that information,” it said.
In addition to negligence, Ghyam asserts claims of breach of implied contract; unjust enrichment; breach of confidence; invasion of privacy, intrusion upon seclusion; bailment; and violation of the California Consumer Privacy Act. Ghyam requests awards of compensatory, actual, exemplary and punitive damages; restitution; injunctive relief; an order enjoining Keenan from “further deceptive practices and making untrue statements” about the breach; pre- and post-judgment interest; and attorneys’ fees and costs. Keenan didn't comment Friday.