HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Humana & Cotiviti Settle Class Action Data Breach Lawsuit

Humana & Cotiviti have agreed to settle a class action lawsuit to resolve claims from individuals affected by a 2020 data breach that exposed the PHI of 64,654 individuals.

Humana had contracted with Cotiviti to assist with medical record requests to verify the data it reports to the HHS’ Centers for Medicare and Medicaid Services. In order to provide those services, Cotiviti was provided with the protected health information of certain plan members. Cotiviti used a subcontractor, Visionary, to review the medical records that were collected.

Between October 12, 2020, and December 16, 2020, a former employee of Visionary accessed its systems and obtained plan members’ data, which was provided to others in connection with a personal coding business. The data disclosed included plan members’ names, partial or full Social Security numbers, dates of birth, addresses, phone numbers, email addresses, member identification numbers, subscriber information numbers, dates of service, dates of death, provider names, medical record numbers, treatment information, and medical images.

A lawsuit was filed in response to the data breach – Steven K. Farmer v. Humana Inc. and Cotiviti – that alleged the defendants failed to properly protect plan members’ data and that the data breach has placed the plaintiffs at risk of identity theft and fraud. The decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Humana and Cotiviti have not admitted any wrongdoing.

Under the terms of the settlement, class members will be entitled to submit claims for out-of-pocket losses incurred in response to the data breach, up to a maximum of $5,250. Up to $250 can be claimed for ordinary losses, including up to 3 hours at a rate of $20 per hour. Claims may be submitted for up to $5,000 for extraordinary losses, such as losses due to the misuse of their data. Class members will also be entitled to a two-year membership to a credit monitoring and identity theft protection service. Humana & Cotiviti have also agreed to implement additional security measures to better protect customer information.

Class members have until November 15, 2022, to object to the settlement or exclude themselves. The final approval hearing is scheduled for February 8, 2023.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.