Class Action Aims to Find Out What Happened in Humana Data Breach, Blames Incident on Vendor

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action alleges Humana and vendor Visionary Medical Systems, a subcontractor of Cotiviti Holdings, were negligent in their handling of sensitive medical information posted last year to a publicly available Google Drive account in a data breach whose specifics are, to date, still unknown. 

The 17-page lawsuit chides Humana in particular for learning of the data breach in December 2020 and, rather than acting “swiftly and responsibly” by informing those affected, deciding to “sit on the information for three months” before providing minimal, if any, details on the incident, which the case says has been traced back to the actions of a Visionary employee.

“Once Humana eventually bothered to inform Plaintiff and other affected individuals of the breach, it provided no details as to the breach, how it happened, precisely what information was exposed, who might have Plaintiff and class members’ sensitive information, or what would be done going forward,” the suit, filed in Kentucky federal court, scathes, arguing that Humana’s “notice” of the breach was, in truth, no notice at all.

“Indeed, since Humana has decided to keep this information a secret, part of the reason this lawsuit is necessary is to determine what happened so that class members may take whatever steps may be necessary to protect themselves,” the complaint reads. 

According to the lawsuit, an unnamed Visionary Medical Systems employee took the private medical information of Humana customers and posted it on a publicly accessible Google Drive account sometime around October 2020. At some point before then, Humana entered into a business arrangement with Cotiviti, who’s named as a defendant in the suit, to handle “quality and data reporting for Centers for Medicare and Medicaid Services,” with Cotiviti providing as part of that arrangement “systems that allow Humana to contact health care providers and request medical records necessary to verify data reported to CMS,” the lawsuit says. Cotiviti, in turn, contracts with defendant Visionary to “review the collected medical records,” per the suit. 

The case claims the unnamed Visionary employee linked to the data breach uploaded proposed class members’ medical records to a Google Drive account “in an effort to provide medical coding training” as part of “a personal coding business endeavor.” Whatever the nature of the employee’s use of proposed class members’ medical data, it was “obviously improper” and “reckless in the extreme” for the information to be shared publicly and made available to anyone, the suit asserts. 

Per the lawsuit, Humana has acknowledged the information was available on the Google Drive account for two full months, from October 12 to December 16, 2020. Despite reportedly learning of this on December 22, Humana, the case says, made no effort to inform those affected, and finally sent notice of the incident nearly five months later, in March. 

The plaintiff, a South Carolina resident, stresses that she and others affected by the incident were barely informed of what took place, as Humana’s letter lacked any details. From the complaint: 

“The letter Humana sent to Plaintiff and class members was deficient in several respects. It provides no details as to the nature of the ‘personal coding endeavor’ giving rise to the breach, nor regarding the identity of the individuals who had access to the class members’ medical records. Nor does the letter provide any explanation for why the breach went undetected for two months, or why it took two additional months for Humana to contact its customers and inform them of the breach. Finally, although it gives a laundry list of the types of information that may have been exposed, it provides no specificity about what information specifically was, in fact, exposed. Plaintiff barely knows more about the breach now that [sic] she did before the received the letter.” 

With regard to what actions Humana has taken in response to the breach to prevent a similar event in the future, the letter, the case says, provided “only the vaguest explanation.” According to the suit, Humana has offered no compensation or restitution to those affected, other than an offer to pay for some credit monitoring services.

“This remedy is completely inadequate—at most, it will inform Plaintiff and class members when they have suffered additional negative consequences of Defendants’ reckless actions, but it does nothing to compensate class members for that harm, nor will it prevent harm from occurring,” the suit reads. 

According to the lawsuit, the defendants had a duty to properly secure proposed class members’ data, especially in light of widespread data breach incidents involving medical records. The case contends that the companies “clearly failed to implement robust practices” necessary to protect the sensitive medical information given the ease with which it was taken by the Visionary employee. 

The suit looks to represent all persons in the United States who are or were customers of Humana, Inc. and whose medical information was placed on a Google Drive account by Visionary Medical Systems, Inc. on or after October 12, 2020. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.