A judge in the United States District Court for the Southern District of Florida has approved a $3 million data breach class action settlement agreement between AvMed, Inc. and plaintiffs. The settlement arises out of a December 2009 theft of unencrypted laptops containing the personal information of individuals who received healthcare coverage through AvMed and for the first time permits plaintiffs in a data breach case who did not suffer actual damages to claim a share of the settlement funds. This settlement agreement likely will serve as a model for future data security class action claims.
Under the settlement agreement, AvMed will establish a $3 million settlement fund to pay the following:
- Those whose personal information was on the stolen laptops, but who did not suffer identity theft ("Premium Overpayment Settlement Class") may receive $10 for each year that the Premium Overpayment Class Member paid AvMed for health insurance coverage before the December 2009 incident, up to a maximum recovery of $30. This relief reimburses Class members for the portion of premiums that plaintiffs contend AvMed should have spent on adequate data protection.
- Those who suffered identity theft ("Identity Theft Settlement Class") will be reimbursed for the amount of any proven actual, monetary loss that is shown by the claimant to have occurred more likely than not as a result of the December 2009 incident. Members of the Identity Theft Settlement Class may also make a claim under the Premium Overpayment Settlement Class.
- Attorneys' fees and costs of lawyers for the plaintiffs' class, in the amount of $750,000.
- An incentive award of $10,000 to be split evenly among the class representatives for their efforts in serving as class representatives.
- The costs of sending notices to the settlement classes as well as all costs of administration of the settlement.
In addition to creating the settlement fund described above, AvMed agreed to implement the following before the settlement is approved by the court:
- Mandatory security awareness and training programs for all company employees;
- Mandatory training on appropriate laptop use and security for all company employees whose employment responsibilities include accessing information stored on company laptop computers;
- Upgrade all company laptop computers with additional security mechanisms, including GPS tracking technology;
- Implement new password protocols and full disk encryption technology on all company desktops and laptops so that electronic data stored on such devices is encrypted at rest;
- Physical security upgrades at company facilities and offices to further safeguard workstations from theft; and
- Review and revise written policies and procedures to enhance information security.
This settlement agreement demonstrates that healthcare providers, health plans, and their business associates may have increased exposure for damages in data breach lawsuits even when plaintiffs cannot establish actual damages as a result of a breach. It will now be easier for plaintiffs to claim that a portion of their health insurance premiums or their payment for medical care should have been used to improve data security. Plaintiffs have pleaded this unjust enrichment theory in other data breach cases in Florida courts without success. (See previous blog posts here and here.) Time will tell if the AvMed settlement breathes new life into unjust enrichment and other novel data breach theories. In the meantime, healthcare providers, health plans, and their business associates should implement the prospective relief steps outlined above to minimize the risk of a costly data breach.