Lawsuit: Software Marketer Failed to Protect Health Data Later Exposed in a Breach
Software marketing firm Cierant Corporation failed to safeguard customers' personally identifiable information (PII) and protected health information (PHI), which allowed their exposure in a 2024 breach, alleged a class-action lawsuit filed Thursday. Plaintiff Melissa Gifford brought the suit in the U.S. District Court for Connecticut on behalf of her minor child, whose health information was leaked.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
According to the complaint, the data breach happened in 2024 and "stemmed from Cierant’s use of a vulnerable third-party file transfer tool, VLTrader." During the incident, "an unauthorized actor exploited this vulnerability to gain access to Cierant’s systems and files containing sensitive PII and PHI of health plan members, including minors."
In addition, "despite knowing the severity of the breach, Cierant failed to provide timely and adequate notice to affected individuals, waiting until August 2025, approximately nine months after discovery, to notify Plaintiff and other Class Members," which "exacerbated the harm by depriving victims of the opportunity to take prompt protective measures," the complaint said.
"Cierant’s negligence in failing to implement adequate cybersecurity measures, combined with its failure to act swiftly to notify those affected, constitutes a clear disregard of consumer privacy and data security obligations," the suit added. Case 3:25-cv-01345 includes counts of negligence, breach of implied contract and unjust enrichment.
Cierant has a page on its website informing clients of the breach. It said after discovering the vulnerability in VLTrader, Cierant "promptly began an investigation with assistance from an industry-leading cybersecurity team," which "determined that an unauthorized actor exploited the third-party vulnerability to gain limited access to Cierant systems that may have compromised personal or health data."
"This personal data was processed by Cierant on behalf of third-party health plans -- Cierant notified and then worked with these health plans to identify and notify potentially affected individuals," the page added. It noted that the leaked information may have included treatment-related dates, a generic description of services received, provider name, medical record number, health plan beneficiary number, claims number, and/or plan member account number, but "there is no indication that this information has been or will be misused at this time."
Although the lawsuit alleged that impacted individuals weren't informed of the breach until August, the Texas attorney general site reported the breach twice on July 8. The first entry says 1,576 Texans were affected, while the second entry says 1,817 Texans were. Washington state's AG also reported the breach July 7, and noted that 902 Washingtonians were impacted. California's attorney general office reported the breach July 7, and included a sample notification letter dated July 3.
The sample letter said that "upon becoming aware of suspicious activity, [Cierant] immediately ceased the use of Cleo VLTrader, rotated passwords, and took a number of steps to enhance [their] existing network security controls." It also said Cierant "reported the event to federal law enforcement and [is] notifying relevant regulators," though it did not specify when that occurred.