Recently, AvMed agreed to pay $3 million in a data breach settlement. What sets this apart from other data breach settlements is that Plaintiffs who have not suffered identity theft as a result of the breach may nevertheless collect from the Settlement Fund. Plaintiffs who did not suffer identity theft claimed they were injured by overpaying for an insurance premium that was supposed to safeguard their data.
AvMed’s Data Breach
AvMed offers healthcare plans to businesses and individuals in Florida and throughout the United States. On December 10, 2009, three laptops were stolen from AvMed’s corporate offices in Gainesville, Florida. Two of the three laptops contained “Sensitive Information,” including protected health information and Social Security numbers, potentially exposing 1.2 million AvMed members.
On November 16, 2010, Plaintiffs filed a putative class action in the Southern District of Florida. Plaintiffs claimed AvMed failed to encrypt and safeguard the stolen laptop computers, which resulted in the exposure of members’ Sensitive Information. In its motion to dismiss, AvMed argued that Plaintiffs did not sufficiently allege the injury or damage elements of their claims. Defendants argued that courts across the country have consistently held that an allegation of data compromise, without an allegation that the lost or stolen data has been misused in a way that inflicts a compensable injury or damage on the plaintiff, fails to state a claim in tort or contract.
The Florida District Court granted AvMed’s Motion to Dismiss Plaintiffs’ First Amended Complaint for failure to state a cognizable injury and failure to state a claim. However, Plaintiffs shortly thereafter filed a Second Amended Complaint, which the Court also dismissed. Plaintiffs appealed.
Plaintiffs’ Appeal & Mediation
On appeal, the Eleventh Circuit found Plaintiffs established a plausible causal connection between the data breach and identity theft, and therefore the injuries were not prohibitively speculative. The Eleventh Circuit remanded the case, and in December 2012 the parties entered mediation. Where Plaintiffs’ argument gained traction was in the alleged harm suffered from overpaying for insurance coverage.
Under the terms of the settlement, AvMed agreed to pay $3 million to a Settlement Fund, which pays out money to AvMed members for premium overpayments as well as to those members who suffered identity theft. Further, AvMed agreed to: (1) mandatory security training for employees; (2) mandatory training on appropriate laptop use and security; (3) updating company computers with additional security mechanisms, including GPS tracking technology; (4) new password protocols and full disk encryption technology on all company computers; (5) physical security upgrades; and (6) review and revision of written policies and procedures for information security.
Companies handling sensitive information should be aware that the AvMed settlement marks a change in the traditional view of data breach damages. Companies should carefully review their insurance policies as well as data security practices to mitigate their exposure.
Written by Claire Lucy Readhead, Associate, Privacy & Data Security | Alston & Bird LLP