throbber
Case 8:21-cv-01478-MSS-SPF Document 1-1 Filed 06/17/21 Page 1 of 55 PageID 17
`Case 8:21-cv-01478—MSS-SPF Document 1-1 Filed 06/17/21 Page 1 of 55 PageID 17
`
`EXHIBIT A
`
`EXHIBIT A
`
`

`

`Filing # 1.26308305 E-Filed 05/06/2021 01:44:38 PM
`
`IN THE CIRCUIT COURT FOR THE TWEL-FTH JUDICIAL
`CIRCUIT IN AND FOR SARASOTA-COUNTY, FLORIDA
`STEVEN K. FARIvIER,
`on behalf of hunself and all others
`similarly situated,
`
`Case No.::
`
`CLASS,ACTION COIVIPLAIN.T
`
`DEMAND:FOR JURY TRIAL
`
`Plai.ntiff,
`
`V.
`
`HUIy1ANA INC.,
`a Delawai'e corpor"ation,
`
`and
`
`COTIVITI, INC.,
`a Delaware corporation,
`
`De.fendants.
`
`Plaintiff Steven X. Farmer ("Plaintiffl) brings. fhis Cl.ass Action Complauit against
`Huiizana:Inc. ("Huivana") and'Cotiviti, Inc. ("Cotiwiti.").(collectively;."Defeiidants"), individually
`
`and on behalf of all, others similarly. situated, aiid alleges;: upon personal knowledge as to his own:
`
`aetions aiid his counsels' :investigations;, arid iipon mforinatiori-artd: belief, as,. to a11.ot1ier inatYers, as
`
`follows:
`
`I::IIVTRODUCTION
`
`1.
`
`Pl.aintiff brings this class action aganist Defendants' for their- failure to :pr.operly
`
`s,ecure and.safeguard-personal andsensif'i.ve Yn£orinat'ion that Cotiviti; witli Huinaria.'.s'authorization
`and: approval, collected from med'ical providers, iiicluding, u?ithoiit:limitation, fu11. Social Security
`
`numtie.rs, partial'Social.S`ecurity rii3nibers, nlnnes, dates ofbu-th; addresses, cities, states;,zip cgd;es,
`
`phone numiiers, email ad. dresses; member .;identification numbers,. subscriber identification,
`
`nurribers,, dates of service-s; aridlor'dates of death .(collectiVely; "persorial identifiable iriforrnatioxi"
`:
`or"PII") as well as pr.ovider names; tnedical record n.umbers, Ii; ment related inforixiation, and/or
`1
`
`

`

`actual images (x-ray, photographs, etc:) (cQllectively, "protected healtli iiiforniation" or 'PHI").
`Plaintiff also alleges Defendants failed'to provide tim.ely, accurate, and adequate notice to Plaiut'iff
`aud siiiiilarly situated, c.urrent and former iriembers of Humana ,(collectiv:ely, "Class Members")
`that their PII and PHI had been exposed and precisely what types of infonriation was unencrypted
`and an the possession of.utiknown aliird..parties..
`
`2.
`
`Humana provides: medical benefit plans to approxiinately 17 million members'.
`Huniana':s: rriembers entrust. Huiiiana, either° directly or through rnedical providers, witli an
`extensive amount of their PII and PHI: Humana, asserts that. it understands the importance of,
`protecting sueli inforrnation:
`
`3.
`
`On or before December 22, 2020; .Humana learned that PIl and PHI for .
`approximately 62,000 of .its membexs had been exposed to unauthorized individuals throtigh a
`personal "Google Di-ive" .acco.unt.{the "Data Breach'),
`
`4:
`
`Huftnana: detennined that the . Data. Breach. occurreEl:: because CotivA with
`
`Humana''s authoriiation and approval, collected the.PlI:and PIII from rnedical providei-s and then
`
`shared the PIl and. PHI wit.h: a:subcontractor, "Visioriary," which, fr.om October 12., 2020 through.
`Deceviber iG, 2020, disclosed. tlie Pll:and PHT:to unauthorizefl individua.ls to:.proinoCo' a.p.ersonal,
`
`business endeavorx.
`
`5..
`
`1YSore<than two months later; iri a "Notice::of Privacy Incident;".dated.March ;.1, 202"1;.
`Humana advised.Plaintiff of the Data BreaclL.:
`
`6::
`
`By otitaining, c.ollecting, using, and de.riving a :benefit froin the PII :an:d PHI of
`
`Plaintiff and Class Me.mbers; .I)ef.endarits assumed.legal and equitable duties to. those itidividuals
`
`to protpct an.d. safegnar.d tliat information: froiirunauthoi•.'ized access and intrusion: Humana adriiits .
`
`that the unencrypted. PII a.nd Pi-II exposed .to iinauthorized individuals included. naines,. Social
`
`.2
`
`~
`
`i
`,
`
`I
`
`

`

`Security nunlbers, dates of birth, treatment_ related informatioii, andfor actual iinages (x-ray,.
`photograpbs, ete.
`
`7..
`
`The exp,osed PIT and PHI of Plaintiff and Class Meinbers can be sold on the dark
`-
`web. Hackers can access: and then offer for sale the unencrypted, unre,dacted. P.II. and PH:1 to
`criminals. Plaintiff aizd Class Meinbers now face a lifetime risk of identity tlieft, which is
`heighteiied.here by the loss. ofSocial Security, nurnbers and dates of birth.
`
`8:
`
`Tkiis PII and PHI was comprornised due to Defendants' negligent andlor carele.ss
`
`acts and ornissions and the failure to_ protect tlie PII and `PI-Il of Plaintiff and Class Members. In
`
`addition to Defendants' failure: to prevent the Data Breach, after discoveririg the :breach,
`
`Defendants waited morethan two months to report it to the states.' Attomeys General and affected
`
`indiv.iduals:
`
`9.
`
`_
`As a r.esult of tliis delayed:response; Plaintiff and Class 1Vleinliers had ino idea their
`
`PIT and PHlbad been.comproinised; and that tney were, and co.ritinue to b6;:4fsign.ificAw ift
`
`ol:' .
`
`idezitity theft and various other £orrns of personal; sociat, and financial har-m. The:risk
`
`i,eniai"zi
`
`for theirrespective lifetimes::
`
`10.
`
`Plaintiff brings this action on. °behalf of all persons wliose .PII and. PHI. wO
`
`comproinised as a restilt of Defendants' :failure to: (i) adequately protect the PIi and PHl of Plaintiff.
`
`and C1as.s:lVTemb.e.rs.; (ii) warn Plaintiff and Class Membcrs of Defendaiits' 'inadeduate information
`
`security practices; and; i
`
`ensure .that the PII.. and PHi.of Plaintiff and C1ass.lVle .mbers. would be,
`
`adequately safeguarded froiii .misuse: or exposure .to unauthoriz.ed individuals wherievelr•
`
`Defeiidanfs: shared .it witli third.parties. Defcndants' conduct amounts to iiegligence: and violates :
`
`federal and.state statutes.:
`
`11.
`
`Plaintiff and Class Members h:ave; suffered injury as: a result of Defendants'
`
`3
`
`,
`
`

`

`4
`
`~
`
`~
`
`co..nduc.t, These injuries include: (i) l,ost- or diininished value of PII and, PHI; (ii) out-of-pocket
`expenses associated with the preventioii, detection, and recove .ry froni id.entity theft; tax. fraud,
`and/or unauthorized use of their PIl and PHI; (iii) lost opportullity costs associated with attempting
`to initigate the actual consequences ot`the Data Breach, includhig btitnot limited to lost time, aiid
`(iv) tlie coiitinued and cei-tainly increased risk to:their PII and PHI, which: (a) reinains uiiencrypted
`and available for unauthorized third parties to access and abuse; and (b) ma.y remain backed up :m
`Defendants' possession and is subject.to further unauthorized disclosures so long as Defendants
`fail fo undertake appropriate and.adequate measures to protect the PII and:PHI..
`
`12. Defendants disregarded the rights of.Plaintiff atid Class Melribers by intentionally,:
`
`willfully,, recklessly, or :negligently failing to take and ilnplemen.t adequate and reasonable
`
`measures to ensure that tlie PII and PHI ofPlaintiff arid CClass Members was safeguarded; failing
`to take available steps to prevent an unautHorized disclosure of data; and failing to follow
`
`applicable, required and appropriate protocols, pol.icies at3d pr-ocedures regarding:.ahe encryption.
`
`of data,.everi for internal use. As the result; the. PIX and hHLIo
`
` laintiff and Clas.s Members was
`
`conipromised through disclosure to an'unknowii ~id.unauthorized third pa~i.1?laintiff and Class
`
`Menibers have a.coiitinuing interest:in ensuring.thattheir: infortnatiori:is arid remains safe, and they
`
`should bc entitled to lnjuiictive and otlier equitable reli.ef,
`
`IT. :PARTIES
`
`Plaintiff'Steveri Farmer ("Fanner") is a Cit'izen of:: Florid'a" residing in Saras.ota
`
`County, Florida. N1i: Farmer rec.eived. Humana's 1Votice ofPriycicy Incident, dated Marcli i, 202.1,
`
`on:or about tliat date.l The notiee stated`that Plaintiff's fiill Social Security number, partial Social
`
`Security number,.naine, date of bii-th, address, city, .state, z~p :code; phone number, :.email address~
`
`t Ex. 1,
`
`4
`
`

`

`member identificationn niunber, subscriber identificatioii riumber, date of sei-vice, date of dcath,
`provider naiiie, medical: record iluiiib.er; treatnient related inforniation, aiid acaual images (x-ray,
`photographs, etc:) riia.y have been expose.d.2
`
`14. Defendant Hurriana is a corporation orgariized uiider the laws of Delaware;
`headquartered at 500. West 1Vlaiii'Street; Louisville, Kentucky, wiih its principal place :of business
`in Loiiisville, Kentucky.
`
`15.
`
`D'efendant Cotiviti is: a corporation organized under the lawss of Delaware,
`headquartered at 10701.S River Eront Pkwy, Unit 200; Soutli Jordan, Utah, with its: principal place
`of business in South.J.ordaii; Utali.
`
`16.
`
`The trta:e nanzes aiid capacities ofpersons or entities; wliether iiidividual, corporate,
`
`associate, or.otllerwise, who m.:ay be responsible.for some.of the clai.m.s alleged.herein are currently
`
`unkriown fo Plaintiff: P"laintiff will seek.leave ,of court to amerid tlils complairit to reflect the true.
`
`names ,and: capacities of sucli_ other responsible parties'when ;their id.etitities :become known. .
`
`17.
`
`All, of Plaintiff's claims, stated herein are asserted against Defendants. arid any of
`
`their o.wners, predecessors, successors; subsidiaries;;agents and/or assigns.
`
`III, JURI5DTCTrO;N ANb VENUE
`
`18.
`
`The. Couit lias subject,matter jurisdtction over Plaint;iffs' claims und.er Florida Stat.
`
`§ 26.;.012 and § 86;0.11: This Court'ha.s urisdiction ov:&this dispute because this complaint seeks
`
`dainages ~in: excess of'$30;000; 00` dollars; exclusive of interes`t and attorneys fees:
`
`19.
`
`The Court.has:personal j.unsdictiort over, Defe.ndants ttnder Florida.Stat:.§ 48.193,
`
`because,Defendants persoriallyor through their agents operated, conducted; engaged iii, or caiTied
`
`on a business or business. ~Venture _iii FIotida; Hurriariahad offices;iri Florida•, Defendants.coriimitted
`
`5
`
`

`

`tortious: acts in Florida; and Defeiidants breaclied ail implied contract in Florida by failing to
`perfonn acts required by the contract to be perfomied in Florida.
`
`20. Venue is proper in Sarasota. Couiity pursuaiit' to Florida Stat. § 47.051 beeaus.e
`Huinaiia has an agent or otlier representative in Sarasota Co.unty and Sarasota County is where: the
`cause of action accrued when Cotiviti, with Humana's authorization and .approval, collected
`Plaintiff's PII and PHI froin. Plaintiff's tiiedical provider(s) that tre.ated Plaintiff in Sarasota
`County; Florida.
`
`IV. FACTUAL ALLEGATIONS
`
`Background
`
`21:.
`
`Hunnana provides medical benef t plans to approximately 17 inillion :niembers.
`
`Cotiviti prov"ides Humana quality and .data reporting to the Centers- for Medicare and 1Vledicaid
`
`Seivices ("C1VIS"); as part of this; Cotiviti; with Humana's authoiization and approval, co.11ects
`
`medical re,cords from liealth care providers to: veri.fy data reported la CMS. Cotiviti uses
`
`"Visionary" to: re:view the rnedical records it c.ollects, for Hurnaiia. for data reporting: .
`
`22.
`
`Pla'intiff alid Class 1Vlembexs entrusted. Defendarits with :serisitive :arid corifidential
`..
`infoniiation, including full Social Security numbers, partial S:ocial Security numbers;.narnes, dates
`
`ofb'irth, addresses, .cities;atates, z'ip codes, phone riumbers, email addresses; merrilier."identification
`
`riumbers; subscriber identifcation. n.umbers; dates of services;.,da"tes of deat.h., provider names;
`
`medical record numbers? :treatment related infotmation actual ima es . x-ra , h.oto a hs
`~
`g
`~
`Y P. ~.P--,
`and other, ;personal identifiable :infornxiation; which inelude .iriformation that is static, does not
`
`,
`
`cliange; and can be,'use,d to coiximit.m.yriad:financial crimes:
`
`23.
`
`.Plaintiff an.d Class:Meinbers relied oii, these so,phisticated Defendants,to keep theit
`
`PII aztd..PHI co.nfrdential.and securely niaintained} to use ahis information. for bus'iness purposes
`
`6
`
`

`

`only, aiid to niake only autliorized disclosures of this inforniation: Plaintiff and Class Meinbers
`dernand security to saf.eguard their PII aiid PHI_
`
`24.
`
`Defendants had duties .to adopt reasonable measu. res to protect the.PII azid PHI of
`Plaintiff and Class Members from involuritary disclosure to.third parties.
`
`Th e Data Bt-each
`
`25.
`
`On or about March 1; 2021, Humana- seiit: Pla'intiff a Notice of. Pi-ivacy Iiacident.3
`I-Iumana informed Plaintiff that:
`
`What Happened
`
`On December 22, 2020, Humana was informed :that an employee of,
`a Humana subcontractof; Visionary, inappropxiately used their
`access to your information to disclose information, iin tlie foriii of
`medical. records, to unautliorize,d. irzdividuals in an effort to provxde,
`medical c.odizag train'ing to those :inclividuals for a personal coding,
`business endeavor. The .subcontractor disc.overed `the incident ori
`Deceriiber 16, 2020.. The activityoccurred October 12,.2020 through:
`Deceniber .T 6, 2020. We deeply apologize for- this :situation:
`
`Cotiviti is .a vendor fIurriana uses for quality.:and data. reportiiig to
`Centers for Medicare :and Medicaid Services (CMS): Cotivih :
`provides systerris ihatallow Huinatia to contact he.altli care pi~oviders ;
`and request medi .c.al. recordsi riecessary to verify . data r.eported to ;
`CMS.: Cotiviti; utiiizes . a sitbcontrac,tor; . Visionary,, to .review th'8;.;
`coll'eeted medical.records..
`
`.
`
`-
`
`..
`
`In the incident. descrrbed above, the Visionary empToyee;. wlio vvas
`authorized to access and use the data :for :Humana purposes, '
`dis:closed the information to the unauth'ori"zed individuals tlirough,g ~
`personal Google-TDrive accou.nt.
`
`.
`
`:
`
`Wh.at.Ijaforrr► ation Wasln.v.olved:
`
`T.he followuig infoxniation may have;been irieluded.,as part of tbe '
`medical records; -invo.l.ved. in the incident:
`
`3: E7C, 1.,
`
`~
`
`7
`
`j
`;
`~
`
`I
`
`~
`
`
`
`*
`
`

`

`•
`Full Social SecurityNuii7ber
`~ Partial Social Security Number
`•. Name
`• Date of Birth
`~ Address
`• City
`•
`State
`•
`Zip Code'
`•
`Phone rauznber
`•
`Eiiiail address
`~ Member ldentification Nuniber.
`+ Subscriber ldentificatiori;Number
`• Date of Service
`• Date of Death.
`•
`Provider Name
`•
`1Vledical Record Number
`Treatment;Related Inforination
`•
`• Actual Images (x-ray, photographs, etc_)
`
`What We Are Doing
`VVe pr.eemptively shut down our systeriis to contain the incident and
`then undertoolc a secure, manag~d restoration.. We .also engaged a
`third-party eybersecurity firm to assist lvvith, our review and notified
`law .eriforcement and contmue. ao cooperate with tliem.. We have
`takeri steps to further strengthen and.enhance the seci%rity of systems
`in our iietwork, mCludingi updating admiiustrative. and technica.l'
`safeguards.''
`
`26,
`
`On or about February 23.,.2021, Humana„ilotifi`ed variotis state Attorneys General,.
`
`including Washington';s Aftozney Gerieral, of the Data Br.each, Hum°ana also provided. the
`v
`Attorneys General with "sample" notices of the`Data Breach that suggest the informatiorrexposed'
`
`in the Data $reach.;lnay incltide full .Soc;ial, Secutity;riumbers, partial Social, Security .numbersi
`
`names, dates ofbirth, addiesses,:citres, states, zip.codes,phoiie;nuinbers, email.addresses,;uieniber.
`
`i:dentifcati.on iiurilbers; siibseriberi ideiitificatioii numbers; dates of services, dates of'' death,
`
`providernames,.medical.record_nuinbers,,:treatinent:related information, and-actual:irriages (x-ray,
`
`4
`
`
`
`11
`
`

`

`photographs, exc.).5'
`
`27. Humana acltnit"ted in. tlxe 1Votice of Privacy Incident, the letters. "to the Attorneys
`General, and the "sample'' notices of the Data Breacli tliat unautliorized third persoiis accessed
`files that contaiiie.d sensitive inforination about IIumana's members, including names, Social
`Secitrity numbers, dates of birth; treatiiient related. inforniation, and actual images.
`'28..
`
`In response to tlie Data Breach, Cotiviti has not claizned to undertake any remed'ial
`measures; Huinana; claiins that it "has worked with Coti.viti to ensure it took itnmediate steps to
`enliance protections and: ensure the safety and security of your inforrnation: now aiid into the future.
`To help prevent soinething like this. from happening again; Hiunana has fiaken prompt .action to
`ensure the appropriate pliysical and technical safeguards are in place at Cotiviti and Visionarq."6
`T-Towever, the defic'iencies in the physical and:technical safeguards at Cotiviti and Visionary have
`riot, beeri shared with regulators or Plaiii'tiff. arid Class Merribers; -vvho. rctain a vestod ihi'eiest in
`ensuring that their iriforriiation remains pro"tected:
`
`29:
`
`The uuencrypted PII aYid pHI of Plaintiff and;Glass M;embers may eild up for sale
`on the datk web; or simply fall into the hands of compari'ies tliat will use the detailed PII for targeted,
`
`rnarketing withotzt the .approv:al. of Plaintiff and Class iVlembers.... Unauthorizcd.indiyiduals cart
`easily access the. PII of PJaiiitiff and Class.lVlernbers.
`
`30, Defe4dants did not use. reasonable security proeedures and:~ra~tices appropriate tp
`
`the. riatore of fhe sensitive, unencrypted: inforrriatioii. they were maintairiing for. Plaintiff and .Class
`
`Meinhers, causing the exposure of PlLand PHl foi- approximately 62,000 individiials.
`
`Cotiviti Acquhto Callects, ;St~res, at~d. Shares tl:e PII and PHI of I'laintiff and .Clasx -
`
`5 Ex, 2,
`
`6 Eks. 1., 2.
`
`9
`
`

`

`Menzber•s.
`
`31.
`
`Cotiviti, witli Humana's authorization and a.pproval, acquired, collected, and. stored
`tlie PII aild PHI of Plaintiff and Class .M. ernbers. and sllared ahe PII and PHI with Visionary:
`32.
`As a condition of,m.einbership ruith Huinana, Huinana requires tliat its, members
`pei-mit Humaiia to authorize Hiimana's vendors; sucli as Cotiviti, to collect the: members' PII and
`PHI from health care prov.iders..
`
`33.
`
`By obtaining, collecting, and storiug the PII. and PHI of Plaintiff and Class
`Meinbers and sharing it with Visionary; Defendsnts assunied legal .aiid equitable duties and.knew
`or should h..ave lenown that they were responsivle for protecting the PII and PHI from disclosure.
`3.4.
`
`Plaintiff and Class Meinbers have .taken reas.onable steps, ta maintain the
`confidentiaYity of their, PII and PHI antl reTie:d on Defendants to keep their PII and PHI confidential,
`and securel:y mainfained, to use this information ,for business purposes oiily, and- to make only
`authorized disclosures of this infonnation.
`
`Secu"rin'gPll and:PI-Il and I?reventirrg Brea'chek:
`
`35
`
`Defendants could have prevented this Data Bi-each. by ensuri:ng tli;at Cotiviti and
`
`Visionary had the appropriate technical safeguards in .place prior to: sharing the PII arid. PHI of`
`
`Plaintiff and Class 1Vlembers with Visionar34:
`
`..
`36,; Defevdants' negligence in safeguardin~ :.t1ie..PaI atid'PHI of:Plaintiff. anrl Class
`
`Members .is 'exacci-bated by tlie rcpzated warnirigp and. alerts directed ao protectirig arid securiiig
`
`serisitive data.
`
`-
`
`37: Despite the prevalence of publ.ic annouricements of data breach ;and data sectirity,
`
`comproriiises, Defendants failed to take appropria.te steps to protect the PII and PHI` of PlaintiV
`
`and Class Ivlemliers froin. being cotripromise.d..
`
`10
`
`

`

`38.
`
`The Federal Trade Coniniission. ("FTC") defines identity theft as "a fraud
`committed or atteiupted using the identifying information of another p'ersou without author.ity:"7
`The.FTC .describes "identifying.iiiformation" as "any riame or iiumber that may be used, alone or
`in coiijuiiction with any other informatiion, to identify a specifi'c person," including, among other
`things,. "[n]ame, Social. Securi.ty iiuniber, date of birth, offieial State or goveniment issued driver's
`licetise or identification nurnber, alien registration nurnber, government passport number,
`'employer or taxpayer ideritification number."8
`
`39.
`
`The-ramifications of Defendants' failure to keep secure t}ie PII ofPlaintiff and Class
`Members are long lasting and severe. Otice "P11. and PHI is stoleii, particularly So.cial Securi"ty
`num, bers, fraudulent.use of that information and dainage to victims may continue for years.
`
`Valare of Personal Irlentifia6le.Infornrtction
`
`40.
`
`The. PII. ofindividuals remains of higli value to crrinninals; as evidenced by the prices
`they will pay thr.ough ther dark web. .Numerous sources cite dark web pricing for° stolen identity°
`credeiitials.. For exaxnple, personal information :can be sold :at a;price ra.nging frQrn .$40 to $200;
`
`and:bank details have a. pr'ice range of $.50" to $200 9 EXperian reports :that a stole. n'credit tir .debit
`
`card riumber can se.1l..for. $S .to $110 on the dark web.1° Crimiiials cari;also purchase access to-eiitire
`
`.
`
`i
`;
`,
`
`-~
`
`7 .17 C.F:R. § 248.201 (20_13).
`
`9 Yourpersonal data is for sale on the dark web. Ilere's how.~nuch::it costs; Digital Trends, O,et.:
`-
`.
`:.
`.16;
` 2019;. available at: :https://www.digitalti•euds.coin/cornputing/ncrsorial-data-sold-on tlic-..
`dark-web-how-niuch-it-costs/ (last accessed. Apr. 26,: 202,1.): .
`Io Here s How ilLluch You"r PeYsonallnformation Is Sellingfor on..the Dark Web..,. Experiari,.Dec.. `.
`6:, 2017, available; Rt: https://www-:eXperiaii:com/tilog_s%ask-experian/heres-how-iilucli-your-
`pers.onal-information :is-selling-for oii-fhe=dark-web%. (last accessed Apr: 2(; 2Q2,1),
`
`11
`
`

`

`conipany data,breaches from $900 to $4,500."
`
`4.1.
`
`Social Security numbers, forr example, are among tlie worst kind of personal,
`iiiformation to .have stolen because they may be put to a variety of fraudulerituses and_.are difficult
`for an iildividual to cl?ange. The Social Security Adm.inistration stresses that- the loss of an
`individual's So.cial Secui-ity number, as is the: case here, can lead, to ideiitity tlieft and extensive
`financial fraud:
`
`A.dishonest person who.has your`Social Security number can-use'.'it
`to get oiher personal information:about you.. ldentity thieves can use.
`y.our nurnber and your good credit to apply for more credit.in your
`name.. Theii, they use the credit cards and don't pay tlie bills; it
`damages your credit. You. may not find out that soirieorie is using
`your number until you're turned down for, credit, or you begin ao. get
`calls from unknown creditors demanding payirient for items you
`never bought. Soixieone il7ega11y using:your Social Security numbez
`and asslYrli.ing yoUr identity.Gan Gaus:e a lot of probrems..12
`
`42: What:is more; it is no easy task to ch.ange or cancel a.stolen Social Security.number.
`
`An individual cannot obtain a new Soc,ial Security nurnber without significant papei-work and,
`
`evidence of actual misuse.. ui other, wor,ds, preventive action to,deferid agaiiist. tlie: possibility, of
`
`misuse:of'a Social. Secu.rity number is no,t permitted; an inditriduai must show evidetice of actual;
`
`o1.ngo'ing fraud :activity to obtain, a neW, number,_
`
`43.~
`Even. theit; a,:riew Social.Security number may not be'effectiV0
`-
`,Qccordiu~
`~c~
`..
`Ferguson:of the Identity Theft Resource Center, "The :c"redit bureaus and b.anks are'able to linkahe:
`;.
`new number very quickly totlie old riurribez; so all o f that. old:bad ffiformation is quickly':inherited
`
`Juiie
`
`11 In. theDark, VI'NOverview, 2019, available.a.~: http_s:/1v np oyerview.com/priyacy/anonVm4us=:
`browsiuliii-tbe-darlc/,(last accessed Apr: 26, 2021).
`12 S.ocial Security'Acirriinistration; IdentityThefi and Yctur :Social;Securit)> Num'ber•, available at:
`https://wvv.wasa gov/pubs/EN OS-10064:pdf (last accessed Apr. 26, 202.1).
`
`12
`
`~x
`
`-
`
`,.
`
`u
`
`

`

`into the new Social Secui-ity nuinber."13
`
`44.
`
`Based on tlie foregoing, the. informatio.n comprornised in the Data 'Breacli is
`significantly more valuable tlian the loss of,; for exarriple, credit car.d informatioil in. a. retailer data
`breach because, there, victims can cancel or close credit and debit card, accounts. The information
`comproi-hised ii-i tliis Data Bre.ach is impossible to "close" and difficult, if not impossible, to
`change—Social Security nuinber; name; and date ofbirtll; arid,potentially governnaent-issued ID
`iiumber, mother's maiden naine, birth certificate,, and biometric information.
`
`45.
`
`This data demands a much higher pi`ice on tlie black market. Martin: Walter; senior
`d.irector at, cybersecurity firin RedSeal, explained, "Compared to credit card information,
`personally identifiable infonnation and Social Security nurnbe"rs-are wortli.more than lOx .on the
`black market."la
`
`46.
`
`Among other forms of fraud, identity thieves .:may obtain driver's licenses,
`government benefits; inedical sei=vices, aiid housing or:even:give ,fals.e infornnatioii t"o police.
`
`47.
`
`The fraudulent activity resulting from the D.ata $reach may not c.ome to-light...for
`
`years;
`
`48:
`
`There may be a tirue 1ag between when harin o`ccurs versus, wheii it is discovezed;
`
`and also between when PII and PHI is' Stolen and when it is. us:ed: Acoording t.o the U.S.
`Goverriment;A ccountability Qffice ("GAO"), which coriducted: a sttidy regardiiig;.data.breaches;
`[L]avv eriforcement: officials told us that ,in. some cases~,~tolen data=
`
`~3 B.ryan Naylor, Vi"ctims :of Social Securi"ty NwInib'er. Theft Find Ir.'s. Hard to. Bounce.Back; NPR
`(Feb; 9, 2015,), avail..able;:at: littp:%/www:npr,org%2015L02/09/384875839/data-~tolen=by-aiithem-s--
`hackers-has-nullionswori yiiig-about=ideiitity-theft (lasti accessed Apr. 26.; 2021).
`14 Tilne C'rreeiie; Arcthein Hack: Pexsonal Data.Stolen Sells for lOx Priceiof Stolert Credit Caxd
`Wurribers;
`IT
`World,,
`(Feb.
`5,;
`2,015),
`available
`at::
`https:I/www:networkworld:com/article/2880366/aiitliem-haek-personal-.da"ta-stoleil-sells-for-1`(Sx-,
`price-of=stolen-cre:dit-card-numbers.htiril (last accessed Apr. 25,,202'1),.
`
`13
`
`

`

`may be .held for up to a, year or more before being used to, cominit
`identity fheft. Further, once sto:.len data'have been sold oi: posted oil
`tlie Web, fraudulent use ofthat iiifoi-niation° may continue for years.
`As a. result, stiidies that attempt to measure the haim resulting from
`data breaches cannot necessarilq rule out all futur.e hann. ls
`49. At all relevant: times, Defendants knew, or.reasonably should have known, of the
`importance of safegltardirig tlie PII atid PHI of Plaintiff. and Class Menibers, including Social
`Security n.umbei•s and dates. of'birtlr; and of tlie foreseeable consequences that would occur if the
`PII and .PHI were not safeguarded, including, specifically, the significant costs that would be
`imposed on Plaintiff and Class 1bleriibers as a result of a breach.
`
`50.
`
`Pl.aintiff. arid Class .Members iiow face, ye..ars of constant surv.eillance of their
`financial and pers.onal reco.rds, inonitoriug, and.loss of rights. The Class ia incurr'ing and will
`continue to iiicur such damages in a:dditioi~~ to any fi~auduient use of their P.II and PHI:
`
`51.
`
`Deferidants were, or. should have been;. .fully awaie of °the unique type and tlie
`signi,ficarit volumei of data shared. with Visionary, amounting to tens of thousaiids. of individuals'
`detailed, personal information and; thus; the significant number of individuals whho would be
`hanned by the ,exp,osure of the.unencrypted data.
`
`52.
`
`To, date; Defendants have offered Plaintiff and C1ass Members orily two years of
`
`ideiitity theft prot.ection through asiitgle. credit bureau, Equifax. The offered-service is.inadequate
`
`to protect Plainthff:and t3lass Members..frorri tlie threats they face for years to comei particularly zn
`
``
`
`light'.of the~.PII :and PHI at issue here..
`
`53:
`
`The iiijuries to Paairitiff. and Class 1Vlembers were dizeetly and proximately. caused
`by Defendants' failure to im,plernent or. mairritain.adequate data secu.rity me.a.sures for`the PlI and.
`
`l s
`
`..
`e.
`Report
`to 'Congr~essio~lal .Reguesters, GAG; at _ 29 (June:
` 2007); available. .at:
`https://www,gao.gov/as.sets/gao:=07-737.pdf: (last accessed Apr. 26, 2021):
`
`14
`
`LE
`
`

`

`PHI of Plaiiitiff and Cla.ss'Meiiibers.
`
`Plaintiff Steven, K. Farfrrer's Experience
`
`54.:
`
`In or around January 2019, Plaintiff Steven K. Fariner becanie a Humana, member
`through his Medicare Advantage Plan provided by the Kentucky Retiremerit System. As .a,
`condition of becomiilg a Hutiiana member, Humana req.uired tliat he provide liis PII, includ'ing,
`but:not limited to, his naine; Social Se.curity number, "and date of bir:th.
`55. Mr: Farmer received the Notice of Privacy Incident, dated March 1., 2021; on or,
`abo.ut that date.
`
`56,
`
`As: a result of the Data Breacli notice; Mr. Farmer spent time" dealing with .the
`consequences of the,Data:Breach; wliich includes time spent verifying the legitimacy of the Notice
`of Privacy Incident, exploring credit monitoring and ident"ity theft insurance optiozis, sigriing up
`and. routinely moriitoring the credit monitoring offered. by Humaria; atid self-moriitoring his
`accounts. This time has been Iost foz-ever and caniiot be recaptured.
`
`57. Additionally, Mr. Farmer is very, careful "about sharing his PII" and, PHI.: He has
`never lcnowiiigly transriiitted.unencrypted PII and PHI' over the internet or.any o.thei.unsecured
`sQi:lPCe.
`
`;
`
`5.8.. Mr. Farmer stor.es any docuirients containing. his PII ;and PHI m a, safe an secure
`
`location_ or, destroys the docuinents. 1Vloreover; he di:Iigently ehooses unique usernarnes arid
`passwords for his, vartous .onl'ine acc.ounts,
`
`-
`
`..
`
`..
`
`.
`
`'
`
`J .
`
`..
`
`..
`
`.
`
`..
`
`.
`
`59; Mi. Farmer suffered :a_etual injury in,th'e form of damages to and;diniinutiori• iri;the
`value ofhis PZI arid PHI=a foi-m: of.intarigib.le piop.er.ty that:Mr Farmer .entrust.ed to. Defendarits
`for the purpose of his.Huniana mernbersli'ip, whieh was; compromised in:and as a resttlt of the Data
`Breach.
`
`15
`
`

`

`60. Mr.. Farmer suffered lost tiiue, aniioyance, interferenc.e, and inconvenience as a
`result of the Data.Breach and lias anxiety and increased coiicenis for the loss of..his privacy.
`61. Mr. Farrner has suffered imminent aiid impending injury arising from the
`substantially increased risk of fraud, identity theft, and nvsuse restilting from his PII and PHI;
`especially his Social Security nuznber, ili coinbination with-his.iianie and date of birth, beingplaced
`in the hands of unauthorized tliird parties and possibly criininals..
`
`62. Mr. Fariher has a continuiiig interest in ensuring that h'is PII and PHI, which,.upon
`infoimation and belief, reinairi backed up in Defendants" p..o.ssession,, areprotected and safeguarded
`from fiiture breaches.
`
`V. CLASS ALLEGATi(}NS
`
`63,
`
`Plaiiitiff brings this nationwide class acti.on on behalf of himself and on: behalf of
`all others similarly situate.d pursuant to Rule 1,220(b)(2), (b)(3), and: (d)(4) of the Florida Rules of
`Civil° P.rocedure.
`
`64.
`
`The N'ationwide=Giass; that Plairitiff seeks to _repr.esent is def i~'ed.. as follows;.
`
`All individuals wh'o reside.irt the United Statcs and. whose .P1I was
`compromised-in. the data .breach that is'the subjcct of tlie Notice af
`Priv,acy Incident that .Humana :sent to Plaintiff on or around 1Vlarch
`1,. 2021 (the "Nationwide• Class").
`
`65.
`
`Pursuaiit to :Rule 1.220; and -in. the.a'l,terriative .to claims' asserted on behalf of the
`
`Natioilv~ide.Class, Plaintiff asserks claixtls on.behalf.of a.separate subclas,s; defined as follows; .
`
`All indi.viduals who° r.eside: in Florida and whose .PII wa"s
`compromised iii the rlata breacli that is the subject of ihe No:ttce of
`Privacy Incident :that Plumaria sent to Plaintrff.:on. or ai ound '1Vlarch
`1,`202Z (the "PloridaClass").
`
`66.
`
`Excluded from the Class:es, are the. follolving:iiidividuals and/or entities: Defe,ridarits
`and any Defendant.'s parents, subsi.d'iaries, affiliates; officers atid directors,. and any entity in wliicli.
`
`16
`
`

`

`f
`
`~
`
`;
`
`~
`~
`~
`~
`
`~
`~
`
`~
`,
`
`any Defendarit has :a controlling interest; all individuals who niake a timely election to be excluded
`from this proceeding using the correct protocol for opting out; aiiy aiid all federal, state or local.
`govenlments; includ'uig but not limited: to their departmeiits, agencies, divisioiis, bureaus, boards;
`sections, groups, counsels andfor subdivisions; and all, judges assigiied to hear any aspect of tliis
`litigation, as well as their immediate famil.y meinbers.
`
`67.
`
`PlaintiffIreserves tlie right .to modify or amend the definition of the proposed .classes
`
`b:efore the Court deterinines wliether certification is appropriate.
`
`6&:
`
`Nume"rositv, Fla R. Civ. P. 1.220(a)(1): The Nationwide Class is so numeious that
`joitider of all mernbers is itnpracticable. Humana has identifed thous.ands of current and. former
`
`Htunana members twhose PTI and PHl.may have been improperly accessed iii the Data Br.each;, and
`
`the Class is apparently ;identifiable wi

This document is available on Docket Alarm but you must sign up to view it.


Or .

Accessing this document will incur an additional charge of $.

After purchase, you can access this document again without charge.

Accept $ Charge
throbber

Still Working On It

This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.

Give it another minute or two to complete, and then try the refresh button.

throbber

A few More Minutes ... Still Working

It can take up to 5 minutes for us to download a document if the court servers are running slowly.

Thank you for your continued patience.

This document could not be displayed.

We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.

Your account does not support viewing this document.

You need a Paid Account to view this document. Click here to change your account type.

Your account does not support viewing this document.

Set your membership status to view this document.

With a Docket Alarm membership, you'll get a whole lot more, including:

  • Up-to-date information for this case.
  • Email alerts whenever there is an update.
  • Full text search for other cases.
  • Get email alerts whenever a new case matches your search.

Become a Member

One Moment Please

The filing “” is large (MB) and is being downloaded.

Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.

Your document is on its way!

If you do not receive the document in five minutes, contact support at support@docketalarm.com.

Sealed Document

We are unable to display this document, it may be under a court ordered seal.

If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.


Access Government Site

We are redirecting you
to a mobile optimized page.





Document Unreadable or Corrupt

Refresh this Document
Go to the Docket

We are unable to display this document.

Refresh this Document
Go to the Docket