The Superior Court of California (San Francisco) on Monday denied A.J. Boggs & Company’s motion to dismiss a class action lawsuit Lambda Legal filed on behalf of a California man living with HIV and 92 others whose confidential medical records – including their HIV status – were compromised by a data breach of A.J. Boggs & Company’s California AIDS Drug Assistance Program (ADAP) online enrollment system.

ADAP is part of the federal Ryan White CARE Act, through which states receive federal funding to help people living with HIV who are ineligible for Medicaid but are nonetheless unable to afford these life-saving medications without financial assistance. In California, approximately 30,000 people are enrolled in the program.

“These medications are life-saving for me, and I could only afford them through the AIDS Drug Assistance Program. That does not mean, however, that I deserved to have my confidential medical information exposed publicly. With whom, when and how I share my HIV status is my right and my decision, and A.J. Boggs & Company took both away from me. Lambda Legal is here to make sure a breach like this never happens again.” said Alan Doe, using a pseudonym for purposes of the lawsuit.

“We are very pleased California’s Superior Court rejected A.J. Boggs & Company’s attempt to have this case dismissed. A.J. Boggs & Company must be held responsible for failing to secure the private and confidential HIV-related medical information of Californians with HIV who rely on the ADAP for life-saving medication,” said Jamie Gliksberg, the Lambda Legal attorney leading this case.

Until March 2017, California contracted with private vendors to administer the ADAP program. In 2016, the California Department of Public Health (CDPH) selected A.J. Boggs & Company to administer the enrollment program, including developing an “ADAP enrollment portal.” The enrollment process requires applicants to provide detailed information and access to their medical records, sensitive and confidential information that California state law requires not be disclosed or disseminated without consent.

Notwithstanding state law, however, the A.J. Boggs & Company enrollment portal was launched without adequate testing; it was not until late November 2016 that the security vulnerability was discovered and the portal was taken offline. And it was not until February 2017 that CDPH discovered that unknown individuals accessed the ADAP system and downloaded the private medical information of 93 people. CDPH canceled the contract with A.J. Boggs & Company on March 1, 2017, and notified the affected individuals of the data breach in April 2017.

“HIV is still a highly stigmatized medical condition,” added Lambda Legal Counsel and HIV Project Director Scott Schoettes. “When members of already vulnerable communities—transgender people, women, people of color, undocumented people, individuals with low incomes—already face challenges in accessing health care, undermining the trust they have in the ADAP is not just a breach of security; it creates a barrier to care.”

In the complaint filed April 3, 2018, Lambda Legal with pro bono co-counsel Cozen O’Connor alleged on behalf of the plaintiff and a proposed class consisting of the other 92 individuals whose medical information was accessed that A.J. Boggs & Company violated California’s medical privacy laws, including the California AIDS Public Health Records Confidentiality Act and the California Confidentiality of Medical Information Act. Alan Doe is seeking statutory and compensatory damages and to have the lawsuit certified as a class action to include the other 92 individuals whose medical information was accessed.

In addition to Ms. Gliksberg and Mr. Schoettes, Alan Doe, individually and on behalf of all others similarly situated, is also being represented jointly by Lambda Legal’s Anthony Pinggera and Cozen O’Connor’s Lawrence Gordon, Andrew M. Hutchison, and Nandini Kavuri.