What happened
On August 1st, 2023, Progressive Casualty Insurance Company filed a data breach notice with the Attorney General of Maine.
According to the notice, the insurance company discovered that an employee of a third-party vendor had shared Progressive access credentials with unauthorized individuals on May 19th, 2023. The incident resulted in an unauthorized party being able to access consumer information, including names, addresses, driver’s license numbers, email addresses, phone numbers, dates of birth, and additional confidential information.
Progressive stated that they rely on third-party vendors for call center services, but the vendor had improperly shared Progressive access credentials, which ultimately led to unauthorized access of confidential information.
At the time, notices were sent to 347,100 impacted individuals.
What’s new
Since then, Progressive has been involved in class action litigation. The suit alleges that the breach was “massive and preventable,” but Progressive had inadequate data security procedures, protocols, and practices.
According to the complaint, the “Defendant betrayed the trust of plaintiff and the other class members by failing to properly safeguard and protect their personally identifiable information, thereby enabling unauthorized individuals to view and steal their valuable and sensitive information.”
The Plaintiff also noted that Progressive’s notice said the earliest date of employment for any of the potentially involved employees of the third-party service was May 2021, meaning that the breach could have been occurring for years. According to the suit, the incident may have provided criminals everything they needed to “wreak havoc on the financial and personal lives of hundreds of thousands of individuals.”
What’s next
Ultimately, Progressive denied all claims of wrongdoing and liability, but decided to settle the case to avoid “the burden, expense, risk, and uncertainty of continued litigation.”
The proposed settlement amount is $3.25 million, and is likely to be finalized on February 25th. Once finalized, the settlement money, minus fees and costs, will be split amongst class action members. Individuals have until February 18th to submit a claim.
The big picture
The incident at Progressive shows why it’s critical for organizations to monitor their third parties and ensure that they are HIPAA compliant and hold a high standard for data security. With large organizations, it's common for many third parties to be involved, necessitating clear policies and frameworks for handling data.
In this case, it’s possible that the breach occurred long before it was discovered, highlighting the need for monitoring and auditing of cybersecurity practices. With the right policies and tools, the vast majority of data breaches are preventable.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
