HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach

The Louisville, KY-based health insurance and healthcare provider Humana and its business associate Cotiviti are facing legal action over a data breach discovered in late December 2020.

On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky over the mishandling of Humana insurance plan members’ medical records. Humana had contracted with Cotiviti to handle medical records requests to send to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted some of the work to Visionary Medical Systems Inc.

According to the lawsuit, an employee of Visionary Medical Systems uploaded the private and confidential medical records of Humana members to a personal Google Drive account in order to provide medical coding training as part of a “personal coding business endeavor.”

The medical records were copied to the Google Drive account between October 12 and December 16, 2020, and that account was publicly accessible. The actions of the employee violated HIPAA and the terms of the business associate agreement. Visionary Medical Systems discovered the violation and reported the breach to Humana on December 22, 2020.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

As required by the HIPAA Breach Notification Rule, Humana notified the Department of Health and Human Services about the breach within 60 days, with the breach notice, submitted on February 22, 2021, listing the data breach as an unauthorized access/disclosure incident on a network server that affected 63,000 individuals. Those individuals were notified about the exposure of their personal and health information on March 1, 2021.

Patients were informed the exposed information included names, addresses, dates of birth, full and partial Social Security numbers, and other sensitive information. Humana said it was working with its business associate and subcontractors to ensure appropriate physical and technical safeguards are put in place. Humana also offered affected individuals a complimentary membership to Equifax’s credit monitoring and identity theft protection services for two years.

Plaintiff, Janie Segars of South Carolina, claims Humana failed to provide any information about how the breach occurred, did not explain exactly what information had been exposed, and who may have accessed the exposed data. “Since Humana has decided to keep this information secret, part of the reason this lawsuit is necessary is to determine what happened so that class members may take whatever steps may be necessary to protect themselves,” states the lawsuit.

The lawsuit also alleges the defendants were negligent for failing to implement appropriate security measures to prevent employees from uploading sensitive data to personal accounts and criticizes them for the time taken to discover the data breach – 2 months – and for the length of time it took to issue notifications to patients – 3 months after the breach was discovered.

The lawsuit, which names Humana and Cotiviti as plaintiffs (but not Visionary Medical Systems), alleges negligence, invasion of privacy and breach of implied contract and seeks monetary and actual damages, restitution and/or punitive damages, and a jury trial.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.