SAG-AFTRA members are suing the union health plan over a data breach that exposed their personal information.
The proposed class action accuses SAG-AFTRA of failing to adequately safeguard member data, employ basic security measures and timely notify members of the breach. It brings claims for negligence, invasion of privacy, unjust enrichment and deceit by concealment, among others, and seeks at least $5 million.
In September, an unauthorized party obtained member information — including names, social security numbers and health insurance and medical details — through an email phishing attack. It’s unknown how many people were impacted by the breach.
The lawsuit targets the union neglecting to notify members impacted by the data breach until December, nearly three months after learning of it. It claims affected members are now at increased risk of identity theft and fraud.
“This exfiltrated personal data, the full extent of which SAG Health has failed to disclose to the public, allows hackers to gain a clear image of each individual and track their whereabouts, leading hackers to each victim’s behavior and background,” states the complaint, filed on Thursday in California federal court. This “effectively provides criminals with a key to their personal lives, making it easy to match additional data, gaining access to their personal accounts and insight on their preferences.”
The members also allege that they overpaid for their health plans in light of the data breach. SAG-AFTRA initiation fees are $3,000, with annual dues of $236 plus roughly 1.5 percent of covered earnings. Members must pay $375 per quarter for health coverage.
The lawsuit was filed by Matthew Robillard and Kristy Munden. It seeks to represent all members impacted by the breach.
The SAG-AFTRA Health Plan employs nearly 150 people and generates roughly $14 million in annual revenue. The union didn’t immediately respond to a request for comment.