Screen Actors Guild Health Plan sued after September data breach exposes healthcare info

A class action lawsuit has been filed against the health plan for the Screen Actors Guild-American Federation of Television and Radio Artists (SAG-AFTRA) over a data breach announced last week that exposed union members’ sensitive healthcare information.

On December 2, the union’s health plan informed members and California regulators that hackers broke into an employee’s email account in September. 

An investigation found that while the union health plan’s systems were not breached, the email account “contained emails and attachments that included some participants’ names and Social Security numbers, and, in some cases, may also have contained information associated with claims and health insurance information, such as participants’ health plan participant identification numbers, if applicable.”

SAG-AFTRA Health Plan said investigators traced the breach back to a phishing email that compromised the account. Law enforcement has been notified and the investigation is ongoing. 

Officials did not respond to requests for comment about how many people were affected but said it has sent letters to those impacted.  

SAG-AFTRA Health Plan covers the union’s 160,000 members — which include actors, journalists, singers, announcers and artists. According to the Hollywood Reporter, the SAG-AFTRA Health Plan has about 150 employees and a revenue of nearly $14 million. 

By December 5, several union members filed a class action lawsuit against the union health plan, arguing that the lack of public information on who was affected, the lengthy notification time and the failure to protect member information were a “direct and proximate result of Defendant’s misconduct.”

The union health plan acknowledged in its own notice that it knew member information was leaked by October 3 but waited another two months to notify people, the lawsuit highlighted. 

The lawsuit argues that the union health plan did not provide clear instructions on what people can do to protect themselves and “downplayed the extent of the data breach, and the likely harm affected victims may experience.”

Union members will now have to spend money and time protecting themselves from identity theft and may be permanently exposed to risk due to the breach, the plaintiffs claimed. 

“This exfiltrated personal data, the full extent of which SAG Health has failed to disclose to the public, allows hackers to gain a clear image of each individual and track their whereabouts, leading hackers to each victim’s behavior and background,” the lawsuit said. 

The 52-page suit accuses SAG Health of failing to protect its systems even after suffering a previous data breach in 2019. That breach, which involved the separate but related AFTRA Retirement Fund, impacted nearly 500,000 people. 

Union members pay annual dues of $236 and 1.575 % of all individual earnings under SAG or AFTRA contracts between $1 and $500,000 — in addition to $375 each quarter for healthcare. 

“Countless victims impacted by the Data Breach now face a constant threat of being repeatedly harmed, including but not limited to living the rest of their lives knowing that criminals can compile, build and amass and build profiles on them for decades,” the suit says, adding that the breach now exposes them “to a continuing threat of identity theft, disclosure of PII/PHI, threats, extortion, harassment and phishing scams, and the attendant anxiety from not knowing how your information will be used when it comes into nefarious individuals’ hands.”