A class action lawsuit has been settled by Humana & Cotiviti after a data breach that disclosed the personal information of 64,654 individuals. The breach occurred after Humana had employed Cotiviti to help verify data in medical record requests before submitting them to the Department of Health and Human Services’ Centers for Medicare and Medicaid Services. In order to provide the service for Humana, Cotiviti contracted Visionary, a subcontractor, to examine the medical records gathered by the vendor.
Between October 12, 2020, and December 16, 2020, a former member of staff gained access to the company’s networks and acquired the information of clients. The information was then distributed to others via a personal Google Drive for a private coding business. The data breach resulted in the exposure of various forms of information including names, birth dates, addresses, phone numbers, email addresses, Social Security numbers, member I.D. numbers, subscription information numbers, death dates, dates of services, provider names, treatment information, medical record numbers, and medical images.
Humana notified individuals who potentially had their information exposed in the breach 3 months later. While the notification confirmed how the breach took place, it did not explain why there was a three-month delay in reporting the breach to the patients.
In response to the breach, a lawsuit was filed against Humana and Cotiviti alleging that the companies failed to adequately protect patient data and that, as a result, the patients are at risk of identity theft and fraud. Additionally, the patient asserted claims for privacy invasion and implied contract violation. Both Humana and Cotiviti agreed to settle the claim in order to avoid additional legal fees and the uncertainty of trial. Despite the settlement, the companies have made no admission of wrongdoing.
Under the settlement, Humana and Cotiviti have agreed to cover claims worth up to $5,250 made by class members who have suffered damages due to the data breach. For regular damages, up to $250 may be claimed including up to 3 hours at a cost of $20 per hour. Claims for irregular damages, like those brought on by the abuse of their data, may amount to up to $5,000. The companies will also provide 2 years of credit monitoring and identity theft protection services to class members free of charge. Additionally, the companies will implement further security measures to ensure a data breach of this nature does not occur again.