Humana and Cotiviti Confronting Class Action Suit Over 63,000-Record Data Breach

The health insurance and healthcare company Humana, based in Louisville, KY, and its business associate Cotiviti are facing a lawsuit over a data breach discovered at the end of December 2020.

On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky concerning the mishandling of the medical information of Humana insurance plan members. Humana had partnered with Cotiviti to handle health records requests for submission to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted some of that work to Visionary Medical Systems Inc.

According to the lawsuit, an employee of Visionary Medical Systems copied the private and sensitive medical files of Humana members to a personal Google Drive account for medical coding training as part of a “personal coding business endeavor.”

The health data were uploaded to the publicly viewable Google Drive account from October 12 to December 16, 2020. The employee's actions violated HIPAA and the provisions of the business associate agreement. Visionary Medical Systems learned about the HIPAA violation and informed Humana on December 22, 2020.

As required by the HIPAA Breach Notification Rule, Humana notified the Department of Health and Human Services about the data breach within 60 days. The breach notice, submitted on February 22, 2021, described the data security incident as an unauthorized access/disclosure case on a network server that affected 63,000 individuals. Those individuals were informed about the compromise of their personal and health data on March 1, 2021.

Patients were advised that the exposed data contained the following: names, addresses, birth dates, partial and complete Social Security numbers, and other sensitive details. Humana stated it was cooperating with its subcontractors and business associate to make certain that proper physical and technical safeguards are in place. Humana also offered affected individuals a free two-year membership to Equifax’s credit monitoring and identity theft protection services.

The plaintiff, Janie Segars of South Carolina, alleges that Humana did not provide any information about how the breach took place, and did not say specifically what information was compromised or who could have viewed the exposed data. Because Humana has opted to keep this information secret, part of the reason the lawsuit is needed is to find out what happened so class members can take the necessary steps to protect themselves.

The lawsuit also states that the defendants were at fault for not implementing suitable security measures to keep workers from uploading sensitive information to private accounts. It criticizes them for the length of time it took to learn about the data breach (two months) and for the length of time it took to send notices to patients (3 months following breach discovery).

The lawsuit, which names Humana and Cotiviti as defendants (though not Visionary Medical Systems), claims negligence, breach of privacy and breach of implied contract, and seeks financial and specific damages, restitution and/or punitive damages, along with a jury trial.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism.