Customers of Florida-based AvMed Health Plans have filed a class action lawsuit against the insurance company in connection with a breach of privacy that occurred in December 2009. Seeking unspecified damages, the plaintiffs claim that, in addition to failing to safeguard the private medical data, the company vastly underreported the number of customers affected by the breach.
The company reported in February that two laptops had been stolen from its corporate offices and that attempts to recover them had been fruitless. In the original press release, the company estimated that the personal information of 80,000 current and 128,000 former subscribers was compromised because the data “may not have been protected properly.” In June, the number was revised. Not 208,000 customers, but 1.2 million customers had been affected.
The data included in the files released was not limited to protected health information; the plaintiffs’ names, addresses, phone numbers and Social Security numbers were compromised as well.
The plaintiffs’ attorney added that AvMed had not complied with the Health Insurance Portability and Accountability Act (HIPAA) by failing to encrypt the data files. However, HIPAA and the HITECH Act passed in 2009 fall short of requiring encryption. HITECH includes what critics refer to as “tips ‘n’ tricks” for encryption, but the law goes on to state that an insurance company does not have to abide by HIPAA’s notification rules and cannot be named in a lawsuit if encryption is in place when there is a breach.
Breach lawsuits are difficult to win, and judges have been known to view them unfavorably. The plaintiffs will have to prove that they have been damaged, and that generally means they must have experienced some kind of economic harm as a result of the breach.
The Florida court that hears the case may be swayed by the enormity of the breach. We’ll talk about health insurance company breaches in our next post.
Resource: SC Magazine “Class Action Lawsuit Brought Against AvMed Over Breach” 11/23/10Share