An individual (Plaintiff) filed a class action complaint against medical benefit plan provider Humana and its vendor Cotiviti (Defendant) for the alleged unauthorized disclosure of customer information. Customers of the Defendant had their personally identifiable information (PII) and protected health information (PHI) exposed to unauthorized individuals. The allegation is that the company was negligent by failing to protect the members’ information.
In order to become a member of the company, the Plaintiff was required to provide PII. Later, the Plaintiff learned that the PII and PHI of 62,000 members had been exposed. The information that was exposed included:
- Social Security number
- Date of birth
- Phone numbers
- Dates of service
- Medical record numbers
- Treatment-related information
Cotiviti Inc, a vendor of Humana, had collected members’ PII and PHI to verify data reported to the Centers for Medicare and Medicaid Services. In turn, Cotiviti shared this data with Visionary, a subcontractor hired to review medical records. An employee of Visionary uploaded the data to a Google Drive in order to provide medical coding training for a personal coding business. This Google Drive was then accessed by unauthorized individuals, thereby exposing the data.
The Plaintiff alleges the Defendant failed to protect Humana members’ PII and PHI and to implement appropriate technical safeguards. The Plaintiff asserts claims for:
- Negligence, invasion of privacy, breach of confidence, and violations of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA)
- Breach of implied contract, in which the Defendant agreed to safeguard the PII and PHI of customers
- Invasion of privacy, as the Defendant allowed unauthorized parties to access the PII and PHI
- Breach of confidence, as the Defendant failed to prevent the data breach
- Unfair or deceptive acts in violation of FDUTPA, by failing to implement adequate data security practices to safeguard data
The Defendant argued that it owed no duty, because an employee of a non-party caused the data breach.
The claims for invasion of privacy and breach of confidence were dismissed. This was because the Plaintiff did not allege that Humana or Cotiviti intentionally disclosed their PII and PHI to unauthorized persons. There were also no alleged facts suggesting that the Defendants disclosed the Plaintiff’s information to a third party. The claims for damages under FDUTPA were also dismissed.
However, the claims for injunctive relief under FDUTPA survived, as did the claims for negligence and breach of implied contract. The court found that the Defendant and its vendors owed a duty to ensure the subcontractor had appropriate technical safeguards in place for PII and PHI. The Defendant also failed to implement industry protocols and exercise reasonable care in protecting and safeguarding PII and PHI, and failed to heed industry warnings and alerts calling for adequate safeguards.
The breach would not have occurred if appropriate safeguards had been in place before the PII and PHI were shared with the subcontractor. The Plaintiff and other members have suffered actual harm as a result of the breach. They have incurred out-of-pocket expenses for identity theft and fraud detection and prevention, and they face a substantially increased risk of identity theft.
Not taking care of your business’ data is costly. Failing to prioritize consumer data and to put the right policies and practices in place can greatly damage your company’s finances and reputation. Contact us today to find out how we can help you value your privacy.