Getty Images
Humana, Cotiviti Sued After Insider-Related Healthcare Data Breach
A patient affected by a healthcare data breach reported by Humana and its vendor Cotiviti has filed a lawsuit, claiming the business associates were negligent with PHI security.
A proposed class action lawsuit has been filed against insurance giant Humana and its vendor Cotiviti following a healthcare data breach impacting 65,000 patients, which was caused by an insider-related security incident in the Fall of 2020.
Patient Janie Segars filed the lawsuit in the US District Court of Western Kentucky on May 26, following the Humana breach notice released in early March.
The lawsuit stems from an insider wrongdoing incident at one of Humana’s vendors. Cotiviti supports Humana with medical records requests to verify data reported to the Centers for Medicare and Medicaid Services.
Cotiviti used the subcontractor Visionary Medical Records (VMR) to review collected medical records, from which the breach originated. VMR is not named as a defendant in the lawsuit.
A VMR employee inappropriately disclosed patient data to unapproved individuals for unauthorized training purposes between October 12, 2020 and December 16, 2020, by posting private medical data of Humana patients on a publicly accessible, personal Google Drive account.
This information included patient names, dates of birth, Social Security numbers, contact details, insurance identification numbers, medical records numbers, dates of service, medical images, and treatments.
Humana was notified of the incident on December 22, 2020. But while the notice confirmed the subcontractor let the employee behind the incident go, it did not explain the near-three month delay in reporting the breach to patients.
The delay and sparse breach notification are among the drivers behind the lawsuit.
“Rather than act swiftly and responsibly to inform those affected, [Humana] sat on the information for three months, according to the suit. “Once Humana eventually bothered to inform [patients] of the breach, it provided no details as to the breach, how it happened, precisely what information was exposed, who might have [patient] information, or what would be done going forward.”
The lawsuit also alleges further notification failures, as the breach went undetected for two months. The notice did not shed light on those delays, nor the reason Humana took additional time before informing patients of the incident.
The alleged vagueness is “part of the reason this lawsuit is necessary to determine what happened, so that class members may take whatever steps may be necessary to protect themselves.”
The lawsuit claims Humana and its vendor were both negligent in handling protected health information and in how the security incident was handled, including the insufficient breach notice. The patient also brought claims of invasion of privacy and breach of implied contract.
The patient also takes issue with the employee’s act of taking the medical information for a “personal business coding endeavor (whatever that may mean)”, which was taken without consent of those customers.
As the employee was easily able to take the information of patients and uploaded it online, the lawsuit further claims that Humana and Cotiviti failed to implement robust security measures for the sensitive medical information in its possession.
Other claims include failing to properly secure, encrypt, tokenize, and maintain patient information using industry standards or widely used available defense tools.
These failings will continue to cause victims additional damages to related costs and time spent on monitoring personal information, according to the lawsuit.
The lawsuit is seeking financial compensation, injunctive relief, punitive damages, attorneys’ fees, and other relief deemed by the court. The patient is also asking for a jury trial on all counts.
The frequency of healthcare data breach lawsuits has risen in the last year in light of the severity and intensity of incidents in the sector. In the last three months, lawsuits have been filed against Google, Pennsylvania Department of Health, and Einstein Health, among others.
As seen with the recent approval of a preliminary settlement between Nebraska Medicine and breach victims, many of these lawsuits are settled out of court. In other instances, “actual harm”, or lack thereof, has resulted in swift dismissals, as was the case with the recent Universal Health Services’ case.