Getting your attention

 

DeAnne Toto

 

The recent settlement in the class-action lawsuit involving a potential data breach at AvMed, a Florida-based health insurer, is a wake-up call for entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and their business associates providing records and information management (RIM) services.

The potential breach arose in December 2009, when two AvMed laptops were stolen from the company’s Gainesville, Fla., facility. One of the laptops contained encrypted patient information and was recovered using a tracking mechanism, while the other device, which contained unencrypted information, including names, addresses, dates of birth, Social Security numbers and health care details of 1.2 million customers, was not recovered.

What makes this $3 million settlement unique is that it permits customers who suffered no monetary losses resulting from identity theft to claim a portion.

Under the agreement, each current and former AvMed customer whose personal information was involved in the breach will receive up to $10 for each year he or she paid AvMed an insurance payment. The settlement maxes out at $30 per claimant for those who do not show proof that their personal information was misused in any way. AvMed agreed to reimburse individuals whose IDs were stolen as a result of the incident for the proven actual monetary loss shown to have likely occurred as a result of the breach.

Regardless of whether their personal information was misused, the plaintiffs argued that AvMed should have been spending a portion of the money they paid for the company’s services to increase its data security measures. Even though they did not prove that financial harm resulted from the theft, the plaintiffs said AvMed was unjustly enriched as a result of failing to allocate a portion of their fees to shoring up data security.

AvMed, which has not admitted fault, also has agreed to implement a number of security improvements, such as security awareness and training programs for its employees; the review and revision of written policies and procedures to enhance information security; and upgrading company laptops with additional security mechanisms, including GPS tracking technology.

As a result of this settlement, HIPAA-covered entities and their service providers who are implicated in data breaches could be looking at class-action lawsuits and related expenses in addition to the expenses associated with breach notification.

While the potential liability for covered entities has increased as a result of this settlement, so have the opportunities for educating clients and helping them achieve HIPAA compliance.

To help our readers brush up on HIPAA, one of the SDB Summer School sessions will feature Tom Dumez of Prime Compliance. Visit www.SDBmagazine.com/SummerSchool.aspx to register for this July 16 webinar.
