
Humana, Cotiviti Reach Settlement Over Insider Data Breach

Humana experienced an insider data breach in 2020 when a contractor under Cotiviti inappropriately disclosed patient data for unauthorized training purposes.

Humana and Cotiviti reached a proposed settlement in a class-action lawsuit over an insider data breach that occurred in 2020. Settlement members are entitled to file claims for up to $250 for ordinary damages, and up to $5,000 for extraordinary damages.

In December 2020, Humana learned that the protected health information (PHI) and personally identifiable information (PII) of more than 62,000 of its members were exposed to unauthorized individuals via a personal Google Drive account.

Humana had worked with Cotiviti on medical records requests to verify data it reported to the Centers for Medicare and Medicaid Services (CMS). As a result, Humana had authorized Cotiviti’s use of its member data to share with a subcontractor, Visionary Medical Records (VMR).

A Visionary employee allegedly disclosed patient data to unauthorized individuals for unapproved training purposes between October 12 and December 16, 2020, by posting patient data on a personal Google Drive account.

The information involved may have included names, full or partial Social Security numbers, addresses, phone numbers, birth dates, email addresses, subscriber information numbers, member identification numbers, dates of death, dates of service, medical record numbers, treatment information, provider names, and images such as x-rays and photographs.

Despite discovering the breach in December, Humana notified impacted individuals in March.

“By obtaining, collecting, using, and deriving a benefit from the PII and PHI of Plaintiff and Class Members, Defendants assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion,” the original complaint stated.

The plaintiff accused Humana and Cotiviti of negligence, breach of confidence, breach of implied contract, invasion of privacy, and violation of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA). The initial complaint also noted that the defendants waited more than two months to report the breach to the states’ Attorneys General and impacted individuals.

“As a result of this delayed response, Plaintiff and Class Members had no idea their PII and PHI had been compromised, and that they were, and continue to be, at significant risk of identity theft and other various forms of personal, social, and financial harm,” the complaint stated. “The risk will remain for their respective lifetimes.”

Humana and Cotiviti denied all wrongdoing and agreed to a settlement. Cotiviti will reimburse claimants, subject to an aggregate cap of $500,000 for all claims of any kind.

Class members may submit claims of up to $250 for ordinary out-of-pocket expense reimbursement, such as the cost to obtain a credit report, card replacement fees, fees relating to a credit freeze, and more.

Claimants can file a claim of up to $5,000 for extraordinary expenses, which are defined as actual, unreimbursed monetary loss caused by the incident that wasn’t included in the “ordinary” expense reimbursement section.

Humana and Cotiviti also agreed to implement updated security measures to safeguard patient information.
