A class action lawsuit against AvMed, a health plan company, stemming from a 2009 data breach, has been settled for $3 million. The settlement is significant because it awards payments to those who were not victims of identity theft.
Preliminary settlement documents recently filed in the U.S. District Court for the Southern District of Florida describe payments to be offered to 460,000 individuals whose personal information was contained on two stolen unencrypted laptops - and who paid insurance premiums to AvMed. The stolen computers contained information on 1.2 million AvMed members, including dependents of members who paid premiums, as well as customers who did not pay premiums during the timeframe specified in the settlement.
The 460,000 individuals will receive $10 for every year they paid premiums prior to the theft, with a maximum payment of $30. The settlement explains that amount represents what AvMed should have spent on protecting data, so it amounts to a refund of premium overpayment.
Additionally, individuals who were victims of identity theft as a result of the breach can submit claims to be reimbursed for their monetary losses.
The settlement comes in the wake of an appellate court ruling last year that paved the way for the case to move forward. The U.S. Court of Appeals Eleventh Circuit decision in September 2012 reversed an earlier district court decision that dismissed the case, in part, due to failure to state a cognizable injury (see: Breach Class Action Suit Advances).
Security attorney Ronald Raether of the law firm Faruki Ireland & Cox P.L.L., who was not involved in the case, explains the settlement payment for those who were not victims of identity theft "is based on a theory that the class had an expectation that some portion of their insurance premium would go to data security."
But consumer advocate Deven McGraw, a security and privacy attorney, says this type of settlement is unusual. "HIPAA does not provide for individual causes of action for violations, so typically the ability for individuals to sue - and recover damages - in breach cases depends on state law," notes McGraw, who is director of the health privacy project at the Center for Democracy & Technology.
"Frequently, those statutes limit recovery to demonstrable economic damages only - for example, those who suffered identity theft or who experienced discrimination due to the information being revealed," she says. Because it is often difficult for plaintiffs to prove actual damages, any financial settlements of breach-related lawsuits often are given to charitable organizations to promote the interests of patients affected, McGraw says. "The theory advanced by the plaintiffs' attorneys here - that the plaintiffs should be refunded the portion of their premium that should have been spent on security but apparently wasn't - is very novel."
Raether says the AvMed settlement could lead to the filing of similar cases. "I do think that the ruling ... will lead to other cases being filed and thus the likelihood that companies will settle to avoid the catastrophic losses posed by a class action. The payment of $750,000 [to the plaintiffs'] attorneys will incentivize some attorneys to bring these cases." The $750,000 being paid to the attorneys is part of the $3 million settlement.
"The settlement demonstrates the point that most companies are fearful of discovery in these cases," Raether points out, explaining that many organizations don't want to answer probing questions about their security practices.
"Unfortunately, many companies do not give info security enough attention and resources," he says. "Thus the other significant point is the injunctive relief to make security improvements."
The settlement cites a number of measures that AvMed will implement - or has already implemented - to prevent data breaches. That includes security training for employees, encryption of devices and physical security.
In a statement provided to Information Security Media Group, AvMed claims that an investigation by the Department of Health and Human Services' Office for Civil Rights into the breach did not result in federal regulators taking any enforcement actions against AvMed.
"Though the federal investigation found no cause to hold AvMed financially liable for the incident, AvMed has submitted a proposal for a $3 million mutually-agreed-upon settlement for the federal court's approval," the statement says. AvMed decided to settle the case because "as a not-for-profit company, AvMed found little advantage to continuing to litigate this class action matter because of the substantial projected time and expense ahead."
The plaintiffs in the case were two AvMed health plan members - Juana Curry and William Moore - who filed the suit on behalf of approximately 1.2 million other AvMed customers whose data was on two unencrypted laptops stolen from a company conference room in December 2009.
Data on the stolen devices included members' names, addresses, Social Security numbers and medical information.
The plaintiffs alleged that as a result of AvMed's failure to properly secure their information, they suffered damages from having their identities stolen and by overpaying for insurance coverage, the price of which, they allege, included the costs associated with protecting their information.
The lawsuit alleged that both Curry and Moore became victims of identity theft within about a year after the AvMed laptops were stolen. The case alleges that Curry's sensitive information was used to open a Bank of America account and change her address with the United States Post Office, and Moore's sensitive information was used to open an E*Trade Financial account in his name.
Among the steps that AvMed must take as part of the settlement's "prospective relief" are:
- Mandatory security awareness and training programs for all company employees;
- Mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers;
- Upgrading of all company laptop computers with additional security mechanisms, including GPS tracking technology;
- New password protocols and full disk encryption technology on all company desktops and laptops so that electronic data stored on such devices would be encrypted at rest;
- Physical security upgrades at company facilities and offices to further safeguard workstations from theft;
- Review and revision of written policies and procedures to enhance information security.