Settlement in AvMed Breach Suit

Class Action Settlement Offers Payments for Lack of Security

By , October 31, 2013.
Settlement in AvMed Breach Suit

A class action lawsuit against AvMed, a health plan company, stemming from a 2009 data breach, has been settled for $3 million. The settlement is significant because it awards payments to those who were not victims of identity theft.

See Also: Actionable Threat Intelligence: From Theory to Practice

Preliminary settlement documents recently filed in the U.S. District Court for the Southern District of Florida describe payments to be offered to 460,000 individuals whose personal information was contained on two stolen unencrypted laptops - and who paid insurance premiums to AvMed. The stolen computers contained information on 1.2 million AvMed members, including dependents of members who paid premiums, as well as customers who did not pay premiums during the timeframe specified in the settlement.

The 460,000 individuals will receive $10 for every year they paid premiums prior to the theft, with a maximum payment of $30. The settlement explains that amount represents what AvMed should have spent on protecting data, so it amounts to a refund of premium overpayment.

Additionally, individuals who were victims of identity theft as a result of the breach can submit claims to be reimbursed for their monetary losses.

The settlement comes in the wake of an appellate court ruling last year that paved the way for the case to move forward. The U.S. Court of Appeals Eleventh Circuit decision in September 2012 reversed an earlier district court decision that dismissed the case, in part, due to failure to state a cognizable injury (see: Breach Class Action Suit Advances).

Settlement Details

Security attorney Ronald Raether of the law firm Faruki Ireland & Cox P.L.L., who was not involved in the case, explains the settlement payment for those who were not victims of identity theft "is based on a theory that the class had an expectation that some portion of their insurance premium would go to data security."

But consumer advocate Deven McGraw, a security and privacy attorney, says this type of settlement is unusual. "HIPAA does not provide for individual causes of action for violations, so typically the ability for individuals to sue - and recover damages - in breach cases depends on state law," notes McGraw, who is director of the health privacy project at the Center for Democracy & Technology.

"Frequently, those statutes limit recovery to demonstrable economic damages only - for example, those who suffered identity theft or who experienced discrimination due to the information being revealed," she says. Because it is often difficult for plaintiffs to prove actual damages, any financial settlements of breach-related lawsuits often are given to charitable organizations to promote the interests of patients affected, McGraw says. "The theory advanced by the plaintiffs' attorneys here - that the plaintiffs should be refunded the portion of their premium that should have been spent on security but apparently wasn't - is very novel."

Raether says the AvMed settlement could lead to the filing of similar cases. "I do think that the ruling ... will lead to other cases being filed and thus the likelihood that companies will settle to avoid the catastrophic losses posed by a class action. The payment of $750,000 [to the plaintiffs'] attorneys will incentivize some attorneys to bring these cases." The $750,000 being paid to the attorneys is part of the $3 million settlement.

"The settlement demonstrates the point that most companies are fearful of discovery in these cases," Raether points out, explaining that many organizations don't want to answer probing questions about their security practices.

"Unfortunately, many companies do not give info security enough attention and resources," he says. "Thus the other significant point is the injunctive relief to make security improvements."

The settlement cites a number of measures that AvMed will implement - or has already implemented - to prevent data breaches. That includes security training for employees, encryption of devices and physical security.

AvMed's Statement

In a statement provided to Information Security Media Group, AvMed claims that an investigation by the Department of Health and Human Services' Office for Civil Rights into the breach did not result in federal regulators taking any enforcement actions against AvMed.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Unencrypted Devices Still a Breach Headache

A new report of a data breach involving hard drives and a laptop stolen from a car in Indiana calls...

Latest Tweets and Mentions

ARTICLE Unencrypted Devices Still a Breach Headache

A new report of a data breach involving hard drives and a laptop stolen from a car in Indiana calls...

The ISMG Network