Humana and Cotiviti Dealing with Class Action Lawsuit Because of 63,000-Record Data Breach

The health insurance and healthcare provider Humana in Louisville, KY, and its business associate Cotiviti are facing legal action over a data breach identified in late December 2020.

On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky in connection with the mishandling of the medical records of Humana insurance plan members. Humana had worked with Cotiviti to manage health records requests to deliver to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted a few of the tasks to Visionary Medical Systems Inc.

According to the lawsuit, a staff member of Visionary Medical Systems uploaded the private and confidential medical records of Humana members to a private Google Drive account in order to give medical coding training as a part of a “personal coding business endeavor.”

The health files were copied to the publicly accessible Google Drive account between October 12 and December 16, 2020. The actions of the worker violated HIPAA and the conditions of the business associate agreement. Visionary Medical Systems found the HIPAA violation and notified Humana on December 22, 2020.

As required by the HIPAA Breach Notification Rule, Humana informed the Department of Health and Human Services regarding the breach within 60 days. The breach notice submitted on February 22, 2021 listed the data breach as an unauthorized access/disclosure incident on a network server that affected 63,000 people. Those persons were notified of the breach of their personal and health data on March 1, 2021.

Patients were informed that the exposed information included the following: names, addresses, dates of birth, partial and full Social Security numbers, and other sensitive details. Humana said it was working with its business associate and subcontractors to make sure appropriate physical and technical safeguards are in place. Humana also offered affected people a no-cost two-year membership to Equifax’s credit monitoring and identity theft protection services.

The plaintiff, Janie Segars of South Carolina, states that Humana did not give any details regarding how the breach happened and did not state exactly what data were compromised or who might have accessed the compromised data. Because Humana has chosen to keep this information confidential, part of the reason for the lawsuit is to find out what took place so that class members can take the necessary steps to safeguard themselves.

The lawsuit additionally claims the defendants were negligent for not implementing proper security steps to stop employees from uploading sensitive information to personal accounts and criticizes them for the long time taken to find out about the data breach – 2 months – and for the period of time required to send notifications to patients – 3 months after breach discovery.

The legal action, which names Humana and Cotiviti as defendants (although not Visionary Medical Systems), alleges negligence, invasion of privacy, and breach of implied contract and seeks monetary and actual damages, restitution and/or punitive damages, plus a jury trial.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA