
Alston & Bird Privacy, Cyber & Data Strategy Blog


AvMed’s Novel Data Breach Settlement: First-Time Payment to Plaintiffs Who Have Not Suffered Identity Theft as a Result of Data Breach

November 21, 2013 By Privacy & Data Security Team

Recently, AvMed agreed to pay $3 million in a data breach settlement. What sets this apart from other data breach settlements is that Plaintiffs who have not suffered identity theft as a result of the breach may nevertheless collect from the Settlement Fund. Plaintiffs who did not suffer identity theft claimed they were injured by overpaying an insurance premium, part of which was supposed to pay for safeguarding their data.

AvMed’s Data Breach

AvMed offers healthcare plans to businesses and individuals in Florida and throughout the United States. On December 10, 2009, three laptops were stolen from AvMed’s corporate offices in Gainesville, Florida. Two of the three laptops contained “Sensitive Information,” including protected health information and Social Security numbers, potentially exposing 1.2 million AvMed members.

The Litigation

On November 16, 2010, Plaintiffs filed a putative class action in the Southern District of Florida. Plaintiffs claimed AvMed failed to encrypt and safeguard the stolen laptop computers, which resulted in the exposure of members’ Sensitive Information. In its motion to dismiss, AvMed argued that Plaintiffs did not sufficiently allege the injury or damage elements of their claims. Defendants argued that courts across the country consistently have held that an allegation of data compromise, without an allegation that the lost or stolen data has been misused in a way that inflicts a compensable injury or damage on the plaintiff, fails to state a claim in tort or contract.

The Florida District Court granted AvMed’s Motion to Dismiss Plaintiffs’ First Amended Complaint for failure to state a cognizable injury and failure to state a claim. However, Plaintiffs shortly thereafter filed a Second Amended Complaint, which the Court also denied. Plaintiffs appealed.

Plaintiffs’ Appeal & Mediation

On appeal, the Eleventh Circuit found Plaintiffs established a plausible causal connection between the data breach and identity theft, and therefore the injuries were not prohibitively speculative. The Eleventh Circuit remanded the case, and in December 2012 the parties entered mediation. Where Plaintiffs’ argument gained traction was the alleged harm suffered from overpaying for insurance coverage.

The Settlement

Under the terms of the settlement, AvMed agreed to pay $3 million to a Settlement Fund, which pays out money to AvMed members for premium overpayments as well as to those members who suffered identity theft. Further, AvMed agreed to: (1) mandatory security training for employees; (2) mandatory training on appropriate laptop use and security; (3) updating company computers with additional security mechanisms, including GPS tracking technology; (4) new password protocols and full disk encryption technology on all company computers; (5) physical security upgrades; and (6) review and revision of written policies and procedures for information security.

Conclusion

Companies handling sensitive information should be aware that the AvMed settlement marks a change in the traditional view of data breach damages. Companies should carefully review their insurance policies as well as data security practices to mitigate their exposure. 

Written by Claire Lucy Readhead, Associate, Privacy & Data Security | Alston & Bird LLP

Filed Under: Data Breach, Privacy, Security Breach Tagged With: Class Action, HIPAA
