Mark S. Melodia, Steven Boranian, Frederick Lah and Melissa A. Geist comment on the AvMed breach lawsuit settlement. The AvMed breach involving a stolen laptop with unencrypted information on 1.2 million people and lawsuit have been mentioned numerous times on the companion PHIprivacy.net blog (coverage linked from here).
Last week, a judge for the Southern District of Florida gave final approval to a settlement between health insurance provider AvMed and plaintiffs in a class action stemming from a 2009 data breach of 1.2 million sensitive records from unencrypted laptops. The settlement requires AvMed to implement increased security measures, such as mandatory security awareness training and encryption protocols on company laptops. More notably, AvMed agreed to create a $3 million settlement fund from which members can make claims for $10 for each year that they bought insurance, subject to a $30 cap (class members who experienced identity theft are eligible to make additional claims to recover their monetary losses). According to Plaintiffs’ Unopposed Motion and Memorandum in Support of Preliminary Approval of Class Action Settlement (“Motion”), this payment to class members “represents reimbursements for data security that they paid for but allegedly did not receive. The true measure of this recovery comes from comparing the actual, per-member cost of providing the missing security measures—e.g., what AvMed would have paid to provide encryption and password protection to laptop computers containing Personal Sensitive Information, and to otherwise comply with HIPAA’s security regulations—against what Class members stand to receive through the Settlement” (p. 16). It’s been reported that this settlement marks the first time that a data breach class action settlement will offer monetary reimbursement to class members who did not experience identity theft. In defending the fairness, reasonableness, and adequacy of the settlement, plaintiffs noted in the Motion, “[b]y making cash payments available to members of both Classes—i.e., up to $30 to members of the Premium Overpayment Settlement Class, and identity theft reimbursements to members of the Identity Theft Settlement Class members—the instant Settlement exceeds the benefits conferred by other data breach settlements that have received final approval from federal district courts throughout the country” (p. 16).
Read more on Mondaq.
Note that this breach does not show as a closed case on HHS’s public breach tool, which means that their investigation of the incident is not concluded or that there may be some enforcement action afoot that we have yet to find out about.