Case 8:21-cv-01478-MSS-SPF Document 1-1 Filed 06/17/21 Page 1 of 55 PageID 17

EXHIBIT A

Filing # 126308305 E-Filed 05/06/2021 01:44:38 PM

IN THE CIRCUIT COURT FOR THE TWELFTH JUDICIAL
CIRCUIT IN AND FOR SARASOTA COUNTY, FLORIDA

STEVEN K. FARMER,
on behalf of himself and all others
similarly situated,

Plaintiff,

v.

HUMANA INC.,
a Delaware corporation,

and

COTIVITI, INC.,
a Delaware corporation,

Defendants.

Case No.:

CLASS ACTION COMPLAINT

DEMAND FOR JURY TRIAL

Plaintiff Steven K. Farmer ("Plaintiff") brings this Class Action Complaint against Humana Inc. ("Humana") and Cotiviti, Inc. ("Cotiviti") (collectively, "Defendants"), individually and on behalf of all others similarly situated, and alleges, upon personal knowledge as to his own actions and his counsels' investigations, and upon information and belief as to all other matters, as follows:

I. INTRODUCTION

1. Plaintiff brings this class action against Defendants for their failure to properly secure and safeguard personal and sensitive information that Cotiviti, with Humana's authorization and approval, collected from medical providers, including, without limitation, full Social Security numbers, partial Social Security numbers, names, dates of birth, addresses, cities, states, zip codes, phone numbers, email addresses, member identification numbers, subscriber identification numbers, dates of services, and/or dates of death (collectively, "personal identifiable information" or "PII") as well as provider names, medical record numbers, treatment related information, and/or actual images (x-ray, photographs, etc.) (collectively, "protected health information" or "PHI"). Plaintiff also alleges Defendants failed to provide timely, accurate, and adequate notice to Plaintiff and similarly situated current and former members of Humana (collectively, "Class Members") that their PII and PHI had been exposed and precisely what types of information was unencrypted and in the possession of unknown third parties.

2. Humana provides medical benefit plans to approximately 17 million members. Humana's members entrust Humana, either directly or through medical providers, with an extensive amount of their PII and PHI. Humana asserts that it understands the importance of protecting such information.

3. On or before December 22, 2020, Humana learned that PII and PHI for approximately 62,000 of its members had been exposed to unauthorized individuals through a personal "Google Drive" account (the "Data Breach").

4. Humana determined that the Data Breach occurred because Cotiviti, with Humana's authorization and approval, collected the PII and PHI from medical providers and then shared the PII and PHI with a subcontractor, "Visionary," which, from October 12, 2020 through December 16, 2020, disclosed the PII and PHI to unauthorized individuals to promote a personal business endeavor.

5. More than two months later, in a "Notice of Privacy Incident," dated March 1, 2021, Humana advised Plaintiff of the Data Breach.

6. By obtaining, collecting, using, and deriving a benefit from the PII and PHI of Plaintiff and Class Members, Defendants assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion. Humana admits that the unencrypted PII and PHI exposed to unauthorized individuals included names, Social Security numbers, dates of birth, treatment related information, and/or actual images (x-ray, photographs, etc.).

7. The exposed PII and PHI of Plaintiff and Class Members can be sold on the dark web. Hackers can access and then offer for sale the unencrypted, unredacted PII and PHI to criminals. Plaintiff and Class Members now face a lifetime risk of identity theft, which is heightened here by the loss of Social Security numbers and dates of birth.

8. This PII and PHI was compromised due to Defendants' negligent and/or careless acts and omissions and the failure to protect the PII and PHI of Plaintiff and Class Members. In addition to Defendants' failure to prevent the Data Breach, after discovering the breach, Defendants waited more than two months to report it to the states' Attorneys General and affected individuals.

9. As a result of this delayed response, Plaintiff and Class Members had no idea their PII and PHI had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm. The risk will remain for their respective lifetimes.

10. Plaintiff brings this action on behalf of all persons whose PII and PHI was compromised as a result of Defendants' failure to: (i) adequately protect the PII and PHI of Plaintiff and Class Members; (ii) warn Plaintiff and Class Members of Defendants' inadequate information security practices; and (iii) ensure that the PII and PHI of Plaintiff and Class Members would be adequately safeguarded from misuse or exposure to unauthorized individuals whenever Defendants shared it with third parties. Defendants' conduct amounts to negligence and violates federal and state statutes.

11. Plaintiff and Class Members have suffered injury as a result of Defendants' conduct. These injuries include: (i) lost or diminished value of PII and PHI; (ii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII and PHI; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach, including but not limited to lost time, and (iv) the continued and certainly increased risk to their PII and PHI, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) may remain backed up in Defendants' possession and is subject to further unauthorized disclosures so long as Defendants fail to undertake appropriate and adequate measures to protect the PII and PHI.

12. Defendants disregarded the rights of Plaintiff and Class Members by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that the PII and PHI of Plaintiff and Class Members was safeguarded, failing to take available steps to prevent an unauthorized disclosure of data, and failing to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use. As the result, the PII and PHI of Plaintiff and Class Members was compromised through disclosure to an unknown and unauthorized third party. Plaintiff and Class Members have a continuing interest in ensuring that their information is and remains safe, and they should be entitled to injunctive and other equitable relief.

II. PARTIES

13. Plaintiff Steven Farmer ("Farmer") is a Citizen of Florida residing in Sarasota County, Florida. Mr. Farmer received Humana's Notice of Privacy Incident, dated March 1, 2021, on or about that date.¹ The notice stated that Plaintiff's full Social Security number, partial Social Security number, name, date of birth, address, city, state, zip code, phone number, email address, member identification number, subscriber identification number, date of service, date of death, provider name, medical record number, treatment related information, and actual images (x-ray, photographs, etc.) may have been exposed.²

¹ Ex. 1.

14. Defendant Humana is a corporation organized under the laws of Delaware, headquartered at 500 West Main Street, Louisville, Kentucky, with its principal place of business in Louisville, Kentucky.

15. Defendant Cotiviti is a corporation organized under the laws of Delaware, headquartered at 10701 S River Front Pkwy, Unit 200, South Jordan, Utah, with its principal place of business in South Jordan, Utah.

16. The true names and capacities of persons or entities, whether individual, corporate, associate, or otherwise, who may be responsible for some of the claims alleged herein are currently unknown to Plaintiff. Plaintiff will seek leave of court to amend this complaint to reflect the true names and capacities of such other responsible parties when their identities become known.

17. All of Plaintiff's claims stated herein are asserted against Defendants and any of their owners, predecessors, successors, subsidiaries, agents and/or assigns.

III. JURISDICTION AND VENUE

18. The Court has subject matter jurisdiction over Plaintiffs' claims under Florida Stat. § 26.012 and § 86.011. This Court has jurisdiction over this dispute because this complaint seeks damages in excess of $30,000.00 dollars, exclusive of interest and attorneys' fees.

19. The Court has personal jurisdiction over Defendants under Florida Stat. § 48.193, because Defendants personally or through their agents operated, conducted, engaged in, or carried on a business or business venture in Florida; Humana had offices in Florida; Defendants committed tortious acts in Florida; and Defendants breached an implied contract in Florida by failing to perform acts required by the contract to be performed in Florida.

20. Venue is proper in Sarasota County pursuant to Florida Stat. § 47.051 because Humana has an agent or other representative in Sarasota County and Sarasota County is where the cause of action accrued when Cotiviti, with Humana's authorization and approval, collected Plaintiff's PII and PHI from Plaintiff's medical provider(s) that treated Plaintiff in Sarasota County, Florida.

IV. FACTUAL ALLEGATIONS

Background

21. Humana provides medical benefit plans to approximately 17 million members. Cotiviti provides Humana quality and data reporting to the Centers for Medicare and Medicaid Services ("CMS"); as part of this, Cotiviti, with Humana's authorization and approval, collects medical records from health care providers to verify data reported to CMS. Cotiviti uses "Visionary" to review the medical records it collects for Humana for data reporting.

22. Plaintiff and Class Members entrusted Defendants with sensitive and confidential information, including full Social Security numbers, partial Social Security numbers, names, dates of birth, addresses, cities, states, zip codes, phone numbers, email addresses, member identification numbers, subscriber identification numbers, dates of services, dates of death, provider names, medical record numbers, treatment related information, actual images (x-ray, photographs, etc.), and other personal identifiable information, which include information that is static, does not change, and can be used to commit myriad financial crimes.

23. Plaintiff and Class Members relied on these sophisticated Defendants to keep their PII and PHI confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information. Plaintiff and Class Members demand security to safeguard their PII and PHI.

24. Defendants had duties to adopt reasonable measures to protect the PII and PHI of Plaintiff and Class Members from involuntary disclosure to third parties.

The Data Breach

25. On or about March 1, 2021, Humana sent Plaintiff a Notice of Privacy Incident.³ Humana informed Plaintiff that:

What Happened

On December 22, 2020, Humana was informed that an employee of a Humana subcontractor, Visionary, inappropriately used their access to your information to disclose information, in the form of medical records, to unauthorized individuals in an effort to provide medical coding training to those individuals for a personal coding business endeavor. The subcontractor discovered the incident on December 16, 2020. The activity occurred October 12, 2020 through December 16, 2020. We deeply apologize for this situation.

Cotiviti is a vendor Humana uses for quality and data reporting to Centers for Medicare and Medicaid Services (CMS). Cotiviti provides systems that allow Humana to contact health care providers and request medical records necessary to verify data reported to CMS. Cotiviti utilizes a subcontractor, Visionary, to review the collected medical records.

In the incident described above, the Visionary employee, who was authorized to access and use the data for Humana purposes, disclosed the information to the unauthorized individuals through a personal Google Drive account.

What Information Was Involved

The following information may have been included as part of the medical records involved in the incident:

• Full Social Security Number
• Partial Social Security Number
• Name
• Date of Birth
• Address
• City
• State
• Zip Code
• Phone number
• Email address
• Member Identification Number
• Subscriber Identification Number
• Date of Service
• Date of Death
• Provider Name
• Medical Record Number
• Treatment Related Information
• Actual Images (x-ray, photographs, etc.)

What We Are Doing

We preemptively shut down our systems to contain the incident and then undertook a secure, managed restoration. We also engaged a third-party cybersecurity firm to assist with our review and notified law enforcement and continue to cooperate with them. We have taken steps to further strengthen and enhance the security of systems in our network, including updating administrative and technical safeguards.⁴

³ Ex. 1.

26. On or about February 23, 2021, Humana notified various state Attorneys General, including Washington's Attorney General, of the Data Breach. Humana also provided the Attorneys General with "sample" notices of the Data Breach that suggest the information exposed in the Data Breach may include full Social Security numbers, partial Social Security numbers, names, dates of birth, addresses, cities, states, zip codes, phone numbers, email addresses, member identification numbers, subscriber identification numbers, dates of services, dates of death, provider names, medical record numbers, treatment related information, and actual images (x-ray, photographs, etc.).⁵

27. Humana admitted in the Notice of Privacy Incident, the letters to the Attorneys General, and the "sample" notices of the Data Breach that unauthorized third persons accessed files that contained sensitive information about Humana's members, including names, Social Security numbers, dates of birth, treatment related information, and actual images.

28. In response to the Data Breach, Cotiviti has not claimed to undertake any remedial measures; Humana claims that it "has worked with Cotiviti to ensure it took immediate steps to enhance protections and ensure the safety and security of your information now and into the future. To help prevent something like this from happening again, Humana has taken prompt action to ensure the appropriate physical and technical safeguards are in place at Cotiviti and Visionary."⁶ However, the deficiencies in the physical and technical safeguards at Cotiviti and Visionary have not been shared with regulators or Plaintiff and Class Members, who retain a vested interest in ensuring that their information remains protected.

29. The unencrypted PII and PHI of Plaintiff and Class Members may end up for sale on the dark web, or simply fall into the hands of companies that will use the detailed PII for targeted marketing without the approval of Plaintiff and Class Members. Unauthorized individuals can easily access the PII of Plaintiff and Class Members.

30. Defendants did not use reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted information they were maintaining for Plaintiff and Class Members, causing the exposure of PII and PHI for approximately 62,000 individuals.

⁵ Ex. 2.

⁶ Exs. 1, 2.

Cotiviti Acquires, Collects, Stores, and Shares the PII and PHI of Plaintiff and Class Members.

31. Cotiviti, with Humana's authorization and approval, acquired, collected, and stored the PII and PHI of Plaintiff and Class Members and shared the PII and PHI with Visionary.

32. As a condition of membership with Humana, Humana requires that its members permit Humana to authorize Humana's vendors, such as Cotiviti, to collect the members' PII and PHI from health care providers.

33. By obtaining, collecting, and storing the PII and PHI of Plaintiff and Class Members and sharing it with Visionary, Defendants assumed legal and equitable duties and knew or should have known that they were responsible for protecting the PII and PHI from disclosure.

34. Plaintiff and Class Members have taken reasonable steps to maintain the confidentiality of their PII and PHI and relied on Defendants to keep their PII and PHI confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information.

Securing PII and PHI and Preventing Breaches

35. Defendants could have prevented this Data Breach by ensuring that Cotiviti and Visionary had the appropriate technical safeguards in place prior to sharing the PII and PHI of Plaintiff and Class Members with Visionary.

36. Defendants' negligence in safeguarding the PII and PHI of Plaintiff and Class Members is exacerbated by the repeated warnings and alerts directed to protecting and securing sensitive data.

37. Despite the prevalence of public announcements of data breach and data security compromises, Defendants failed to take appropriate steps to protect the PII and PHI of Plaintiff and Class Members from being compromised.

38. The Federal Trade Commission ("FTC") defines identity theft as "a fraud committed or attempted using the identifying information of another person without authority."⁷ The FTC describes "identifying information" as "any name or number that may be used, alone or in conjunction with any other information, to identify a specific person," including, among other things, "[n]ame, Social Security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number."⁸

39. The ramifications of Defendants' failure to keep secure the PII of Plaintiff and Class Members are long lasting and severe. Once PII and PHI is stolen, particularly Social Security numbers, fraudulent use of that information and damage to victims may continue for years.

Value of Personal Identifiable Information

40. The PII of individuals remains of high value to criminals, as evidenced by the prices they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity credentials. For example, personal information can be sold at a price ranging from $40 to $200, and bank details have a price range of $50 to $200.⁹ Experian reports that a stolen credit or debit card number can sell for $5 to $110 on the dark web.¹⁰ Criminals can also purchase access to entire company data breaches from $900 to $4,500.¹¹

⁷ 17 C.F.R. § 248.201 (2013).

⁹ Your personal data is for sale on the dark web. Here's how much it costs, Digital Trends, Oct. 16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-web-how-much-it-costs/ (last accessed Apr. 26, 2021).

¹⁰ Here's How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec. 6, 2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/ (last accessed Apr. 26, 2021).

41. Social Security numbers, for example, are among the worst kind of personal information to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change. The Social Security Administration stresses that the loss of an individual's Social Security number, as is the case here, can lead to identity theft and extensive financial fraud:

A dishonest person who has your Social Security number can use it to get other personal information about you. Identity thieves can use your number and your good credit to apply for more credit in your name. Then, they use the credit cards and don't pay the bills, it damages your credit. You may not find out that someone is using your number until you're turned down for credit, or you begin to get calls from unknown creditors demanding payment for items you never bought. Someone illegally using your Social Security number and assuming your identity can cause a lot of problems.¹²

42. What is more, it is no easy task to change or cancel a stolen Social Security number. An individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. In other words, preventive action to defend against the possibility of misuse of a Social Security number is not permitted; an individual must show evidence of actual, ongoing fraud activity to obtain a new number.

43. Even then, a new Social Security number may not be effective. According to Julie Ferguson of the Identity Theft Resource Center, "The credit bureaus and banks are able to link the new number very quickly to the old number, so all of that old bad information is quickly inherited into the new Social Security number."¹³

¹¹ In the Dark, VPNOverview, 2019, available at: https://vpnoverview.com/privacy/anonymous-browsing/in-the-dark/ (last accessed Apr. 26, 2021).

¹² Social Security Administration, Identity Theft and Your Social Security Number, available at: https://www.ssa.gov/pubs/EN-05-10064.pdf (last accessed Apr. 26, 2021).

44. Based on the foregoing, the information compromised in the Data Breach is significantly more valuable than the loss of, for example, credit card information in a retailer data breach because, there, victims can cancel or close credit and debit card accounts. The information compromised in this Data Breach is impossible to "close" and difficult, if not impossible, to change—Social Security number, name, and date of birth, and potentially government-issued ID number, mother's maiden name, birth certificate, and biometric information.

45. This data demands a much higher price on the black market. Martin Walter, senior director at cybersecurity firm RedSeal, explained, "Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x on the black market."¹⁴

46. Among other forms of fraud, identity thieves may obtain driver's licenses, government benefits, medical services, and housing or even give false information to police.

47. The fraudulent activity resulting from the Data Breach may not come to light for years.

48. There may be a time lag between when harm occurs versus when it is discovered, and also between when PII and PHI is stolen and when it is used. According to the U.S. Government Accountability Office ("GAO"), which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.¹⁵

¹³ Bryan Naylor, Victims of Social Security Number Theft Find It's Hard to Bounce Back, NPR (Feb. 9, 2015), available at: http://www.npr.org/2015/02/09/384875839/data-stolen-by-anthem-s-hackers-has-millions-worrying-about-identity-theft (last accessed Apr. 26, 2021).

¹⁴ Tim Greene, Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card Numbers, IT World, (Feb. 5, 2015), available at: https://www.networkworld.com/article/2880366/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html (last accessed Apr. 25, 2021).

49. At all relevant times, Defendants knew, or reasonably should have known, of the importance of safeguarding the PII and PHI of Plaintiff and Class Members, including Social Security numbers and dates of birth, and of the foreseeable consequences that would occur if the PII and PHI were not safeguarded, including, specifically, the significant costs that would be imposed on Plaintiff and Class Members as a result of a breach.

50. Plaintiff and Class Members now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights. The Class is incurring and will continue to incur such damages in addition to any fraudulent use of their PII and PHI.

51. Defendants were, or should have been, fully aware of the unique type and the significant volume of data shared with Visionary, amounting to tens of thousands of individuals' detailed, personal information and, thus, the significant number of individuals who would be harmed by the exposure of the unencrypted data.

52. To date, Defendants have offered Plaintiff and Class Members only two years of identity theft protection through a single credit bureau, Equifax. The offered service is inadequate to protect Plaintiff and Class Members from the threats they face for years to come, particularly in light of the PII and PHI at issue here.

53. The injuries to Plaintiff and Class Members were directly and proximately caused by Defendants' failure to implement or maintain adequate data security measures for the PII and PHI of Plaintiff and Class Members.

¹⁵ Report to Congressional Requesters, GAO, at 29 (June 2007), available at: https://www.gao.gov/assets/gao-07-737.pdf (last accessed Apr. 26, 2021).

Plaintiff Steven K. Farmer's Experience

54. In or around January 2019, Plaintiff Steven K. Farmer became a Humana member through his Medicare Advantage Plan provided by the Kentucky Retirement System. As a condition of becoming a Humana member, Humana required that he provide his PII, including, but not limited to, his name, Social Security number, and date of birth.

55. Mr. Farmer received the Notice of Privacy Incident, dated March 1, 2021, on or about that date.

56. As a result of the Data Breach notice, Mr. Farmer spent time dealing with the consequences of the Data Breach, which includes time spent verifying the legitimacy of the Notice of Privacy Incident, exploring credit monitoring and identity theft insurance options, signing up and routinely monitoring the credit monitoring offered by Humana, and self-monitoring his accounts. This time has been lost forever and cannot be recaptured.

57. Additionally, Mr. Farmer is very careful about sharing his PII and PHI. He has never knowingly transmitted unencrypted PII and PHI over the internet or any other unsecured source.

58. Mr. Farmer stores any documents containing his PII and PHI in a safe and secure location or destroys the documents. Moreover, he diligently chooses unique usernames and passwords for his various online accounts.

59. Mr. Farmer suffered actual injury in the form of damages to and diminution in the value of his PII and PHI, a form of intangible property that Mr. Farmer entrusted to Defendants for the purpose of his Humana membership, which was compromised in and as a result of the Data Breach.

60. Mr. Farmer suffered lost time, annoyance, interference, and inconvenience as a result of the Data Breach and has anxiety and increased concerns for the loss of his privacy.

61. Mr. Farmer has suffered imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from his PII and PHI, especially his Social Security number, in combination with his name and date of birth, being placed in the hands of unauthorized third parties and possibly criminals.

62. Mr. Farmer has a continuing interest in ensuring that his PII and PHI, which, upon information and belief, remain backed up in Defendants' possession, are protected and safeguarded from future breaches.

V. CLASS ALLEGATIONS

63. Plaintiff brings this nationwide class action on behalf of himself and on behalf of all others similarly situated pursuant to Rule 1.220(b)(2), (b)(3), and (d)(4) of the Florida Rules of Civil Procedure.

64. The Nationwide Class that Plaintiff seeks to represent is defined as follows:

All individuals who reside in the United States and whose PII was compromised in the data breach that is the subject of the Notice of Privacy Incident that Humana sent to Plaintiff on or around March 1, 2021 (the "Nationwide Class").

65. Pursuant to Rule 1.220, and in the alternative to claims asserted on behalf of the Nationwide Class, Plaintiff asserts claims on behalf of a separate subclass, defined as follows:

All individuals who reside in Florida and whose PII was compromised in the data breach that is the subject of the Notice of Privacy Incident that Humana sent to Plaintiff on or around March 1, 2021 (the "Florida Class").

66. Excluded from the Classes are the following individuals and/or entities: Defendants and any Defendant's parents, subsidiaries, affiliates, officers and directors, and any entity in which any Defendant has a controlling interest; all individuals who make a timely election to be excluded from this proceeding using the correct protocol for opting out; any and all federal, state or local governments, including but not limited to their departments, agencies, divisions, bureaus, boards, sections, groups, counsels and/or subdivisions; and all judges assigned to hear any aspect of this litigation, as well as their immediate family members.

67. Plaintiff reserves the right to modify or amend the definition of the proposed classes before the Court determines whether certification is appropriate.

68. Numerosity, Fla R. Civ. P. 1.220(a)(1): The Nationwide Class is so numerous that joinder of all members is impracticable. Humana has identified thousands of current and former Humana members whose PII and PHI may have been improperly accessed in the Data Breach, and the Class is apparently identifiable wi