Following the discovery of a data breach in December 2020, the health insurance and healthcare provider Humana and its business associate Cotiviti are facing legal action. A lawsuit was filed naming both companies on May 26, 2021 in the U.S. District Court for the Western District of Kentucky.
The lawsuit alleges Humana mismanaged the records of members of its health insurance plans. The group had outsourced the duty of processing requests for medical records sent to the HHS’ Centers for Medicare and Medicaid Services (CMS) to Cotiviti. This group then subcontracted some of the work to Visionary Medical Systems Inc.
It was alleged that a staff member at Visionary Medical Systems transferred the private and confidential medical records of Humana members to a personal Google Drive account in order to conduct medical coding training as part of a “personal coding business endeavor.” This is believed to have taken place at some point between October 12 and December 16, 2020. During this time the account was accessible to the public. This action was in direct breach of HIPAA regulations and the business associate agreement between Humana and Cotiviti.
Once Visionary Medical Systems identified the breach on December 22, 2020 Humana was notified, and Humana notified the Department of Health and Human Services about the breach within 60 days, as required by the HIPAA Breach Notification Rule. The breach notice, filed on February 22, 2021, said the data breach was an unauthorized access/disclosure incident on a network server that impacted 63,000 people. Those people were made aware of the breach of their personal and health information on March 1, 2021.
The data believed to have been impacted included names, addresses, dates of birth, full and partial Social Security numbers, and other sensitive information. Humana said it was assisting its business associate and subcontractors to apply the correct levels of security. Additionally those impacted by the breach were offered complimentary membership to Equifax’s credit monitoring and identity theft protection services for the next 24 months.
Plaintiff Janie Segars of South Carolina alleged Humana had not shared any details in relation to how the breach was allowed to happen, did not outline what level of information was impacted, and failed to say who had access to the data in the breach notification letter. The lawsuit states, “Since Humana has decided to keep this information secret, part of the reason this lawsuit is necessary is to determine what happened so that class members may take whatever steps may be necessary to protect themselves”.
The legal action claims the defendants were negligent for failing to implement the required security measures to stop members of staff from sharing sensitive data to personal accounts and refers to the unacceptable amount to time – two months – taken for the breach to be discovered and the three month delay in notifying affected individuals that they had had their sensitive data exposed.