Humana Sued After Data Breach Exposes Personal Health Information


Steven K. Farmer is bringing suit against Humana, Inc., and Coviti, Inc. over claims that the companies failed to “properly secure and safeguard personal and sensitive information,” which ultimately led to a data breach that compromised Farmer and other class members’ personal identifying information (PII) and personal health information (PHI). Farmer is seeking both class certification and a trial by jury over the allegations. The suit was originally filed in May but was removed to federal court Thursday.

Humana provides medical benefit plans to many people, including the plaintiff and class members. Cotiviti, the other defendant in the suit, is contracted by Humana. With their authorization and approval, Cotiviti “collects medical records from health care providers to verify data reported to CMS,” (Centers for Medicare & Medicaid Services). The plaintiff asserted that Cotiviti shared both the PII and PHI with a subcontractor who disclosed the information to “unauthorized individuals to promote a personal business endeavor.” Two months after obtaining knowledge regarding the data breach, Humana began taking steps to inform members of their compromised information.

Farmer explained that Humana’s “negligent and careless acts and omissions and the failure to protect” their information has led to significant injuries for both himself and other class members. After gaining access through a personal google drive, the information was distributed and sold throughout the dark web. This poses “a lifetime risk of identity theft,” which is a significant risk given that the stolen information includes social security numbers and addresses.

Further allegations detail that Humana did not provide timely notice to the class members that their information had been compromised, or what type of information had been compromised. Though Humana had asserted “that it understands the importance of protecting such information,” they waited two months to inform their clients of the violation of their PHI and PII. Farmer argued that this gap worsens the situation since he and the class members had no idea that they were at significant risk and could not take necessary precautions to protect their identity.

The data breach has caused multiple alleged injuries. Farmer cites “lost or diminished value” of PII and PHI, as well as expenses associated with recovering from the lost information. He further includes both lost opportunity costs and increased/continued risk to the information. These injuries have prompted counts of negligence, breach of implied contract with plaintiff and class members on behalf of Humana, invasion of privacy, breach of confidence, and a violation of the Florida Deceptive and Unfair Trade Practices Act. Farmer is seeking class certification, equitable and injunctive relief, damages, and a trial by jury.

The plaintiff is represented by John A. Yanchek.