A class action lawsuit was filed against the Screen Actors Guild-American Federation of Television and Radio Artists (SAG-AFTRA) Health Plan following a September data breach that exposed members' protected health information (PHI).
The SAG-AFTRA Health Plan recently disclosed that a phishing attack in September 2024 compromised an employee’s email account, exposing sensitive healthcare data. The account reportedly contained participants’ names, Social Security numbers, and potentially health plan participant IDs and claims information.
Although the plan's internal systems were not breached, an investigation revealed hackers gained unauthorized access to emails and attachments. Affected members were notified two months after the breach was discovered, prompting criticism for the delay.
Union members filed a class action lawsuit, citing insufficient guidance on mitigating the breach’s risks, the plan’s downplaying of its severity, and prolonged exposure to identity theft and privacy violations.
The breach comes just a few years after a 2019 data breach involving the related AFTRA Retirement Fund, which impacted nearly 500,000 individuals. Union members now face increased concerns about systemic security vulnerabilities and insufficient cybersecurity protocols.
The class action lawsuit claims that SAG-AFTRA “downplayed the extent of the data breach” and failed to disclose the full scope of the leaked PHI, exposing victims to significant risks, like identity theft, extortion, and harassment.
“Countless victims impacted by the data breach now face a constant threat of being repeatedly harmed,” the suit added.
The SAG-AFTRA Health Plan breach highlights broader vulnerabilities in the entertainment and healthcare industries, where cybercriminals target sensitive data. Stronger safeguards, such as HIPAA-compliant email solutions, could help providers mitigate the risk of phishing attacks.
Platforms like Paubox use advanced threat detection to identify and block phishing emails before they reach the inbox. This includes real-time scanning for malicious links, suspicious attachments, and known phishing patterns.
Phishing attacks in healthcare fall under Health Insurance Portability and Accountability Act (HIPAA) regulations. Phishing attacks that compromise the privacy and security of protected health information (PHI) can lead to severe penalties, including fines and reputational damage.
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).