Posted On September 23, 2022 Consumer Privacy & Data Breaches
On September 21, 2022, Humana reported a data breach to the Office of the Maine Attorney General after the company learned through one of its vendors that certain customers’ information was leaked after an apparent ransomware attack targeting the vendor’s computer system. Based on an official filing from the company, the incident resulted in an unauthorized party gaining access to the following data types: first and last names, Social Security numbers, Medicare beneficiary identification numbers, dates of birth, addresses, contact information and health insurance information. After confirming that consumer data was leaked, Humana began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification from Humana or Choice Health, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Humana data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Humana or Choice Health.
The available information about the Humana / Choice Health data breach comes from the companies’ filings with various state attorneys general. According to these sources, on May 14, 2022, Choice Health was informed that an unauthorized party was offering data that was allegedly stolen from the Choice Health network. In response, Choice Health launched an internal investigation with the assistance of third-party cybersecurity specialists.
On May 18, 2022, this investigation confirmed that “due to a technical security configuration issue caused by a third-party service provider, a single Choice Health database was accessible through the Internet.” The company’s investigation determined that the period of unauthorized access began on or around May 7, 2022.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Choice Health then reviewed the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your first and last name, Social Security number, Medicare beneficiary identification number, date of birth, addresses, contact information and health insurance information.
On July 26, 2022, Choice Health sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. However, subsequently, Choice Health learned that additional parties were affected by the breach, including Humana customers.
Humana uses the services of Choice Health to sell certain Medicare products. As a result, Choice Health has access to certain Humana customers’ sensitive information. On August 5, 2022, Choice Health notified Humana that some of the company’s customers were among those whose information was leaked. However, it was not until August 29, 2022, that Choice Health provided Humana with a list of affected individuals.
Founded in 1961, Humana is an insurance company and managed health care company that markets and administers health insurance coverage and related services for employers and individuals. Based in Louisville, Kentucky, Humana is the third-largest health insurance provider in the United States. The company is publicly traded on the New York Stock Exchange under the ticker symbol “HUM.” Humana employs more than 95,500 people and generates approximately $83 million in annual revenue.
Choice Health Insurance is an insurance company based in Myrtle Beach, South Carolina. Choice Health is an independent broker, meaning the company offers insurance products through various providers. Some of the plans offered by Choice Health include those issued by Humana, WellCare Health Plans, Anthem BlueCross BlueShield, Mutual of Omaha, United Healthcare, Cigna and Aetna. Choice Health also offers plans through healthcare.gov. Choice Health Insurance currently employs more than 130 individuals and generates approximately $33 million in annual sales.
Most data breaches occur when a hacker steals consumer information from a company that received the information directly from the consumer. However, in a third-party data breach, the company that the consumer gave their information to was not the hacker’s target. Instead, these breaches involve a hacker targeting a different company, usually a vendor, that received the consumer’s information from or on behalf of the company the consumer originally dealt with. The Humana / Choice Health data breach is a good example of a third-party data breach because there is no evidence that there was any breach of Humana’s computer system.
Given the fact that companies are becoming more specialized and outsourcing a greater percentage of administrative, marketing, and accounting tasks, third-party data breaches are becoming much more common. By some estimates, more than 74 percent of all credit card breaches were linked to problems with third-party vendors. Indeed, some of the largest breaches of 2022 have been third-party data breaches.
Third-party data breaches are more complex than traditional data breaches because it isn’t always clear which party bears responsibility for the incident. Naturally, when looking for a responsible party, most consumers look to the company they entrusted with their information, in this case, Humana. However, proving a company was negligent in selecting a certain vendor is often an uphill battle. To do so, a consumer must show that the company knew or had reason to know that the third-party vendor wasn’t up to the task of safely storing data; for example, if the vendor had a long track record of data breaches.
However, data breach victims can also bring a claim against the third-party vendor whose systems were hacked, in this case, Choice Health. Regardless of a company’s relationship with a consumer, any organization that stores consumer data owes a duty to the consumer to protect their information. Thus, if a third-party vendor you’d never heard of is responsible for a breach, you may be able to pursue a claim against that company. In fact, in some cases, this may be your only means of recourse.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Humana data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Humana (the actual notice sent to consumers can be found here):
Dear [Redacted],
Humana has a contract with Choice Health to sell Medicare products on our behalf. On May 14, 2022, Choice Health learned that an unauthorized person was offering to make data available that was allegedly taken from a Choice Health database.
What Happened?
On May 18, 2022, Choice Health determined that, due to a technical security configuration issue caused by a third-party service provider, a single Choice Health database was accessible through the Internet. Based on their investigation, an unauthorized individual accessed this database and obtained certain database files on or about May 7, 2022. At the time, Choice Health believed the affected data was comprised solely of lead generation and marketing information that belonged exclusively to Choice Health and not to any of their carrier partners.
On July 26, 2022, Choice Health determined that the data included carrier partners’ information, including Humana. On August 5, 2022, Choice Health notified Humana that Humana member data was impacted by this incident. Choice Health provided the impacted individual data list to Humana on August 29, 2022.
What Information Was Involved?
The files obtained by the unauthorized individual contained the following types of personal information: first and last name, Social Security number, Medicare beneficiary identification number, date of birth, address and contact information, and health insurance information.
What We Are Doing.
Upon learning of the incident, Choice Health worked with their third-party service provider to reconfigure the security settings on the database. The database is no longer accessible through the Internet. Choice Health has also taken steps to enhance their data security measures to prevent the occurrence of a similar event in the future, including requiring multi-factor authentication for all access to database files.
What Individuals Can Do.
Choice Health encouraged individuals to remain vigilant against incidents of identity theft and fraud by reviewing account statements and monitoring free credit reports for suspicious activity and to detect errors. An Identity Theft Guide was included with the mailing. It provided additional details on how to take steps to protect information, should an individual feel it is necessary to do so.
Humana will promptly report to your office and appropriate law enforcement officials any information that is shared with us that indicates this information has been inappropriately used.
Please do not hesitate to contact me if you have any additional questions regarding this situation.