Cotiviti Comments on Recent Data Breach Incident
Recently, Humana alerted 65,000 individuals that their personal and health information was exposed by a contractor’s subcontractor. Cotiviti, which supports Humana with medical records requests to verify data reported to the Centers for Medicare & Medicaid Services, uses a subcontractor to review collected medical records. The incident was caused by a subcontractor’s employee, who inappropriately disclosed patient data to unapproved individuals for unauthorized training purposes between October 12 and December 16, 2020.
Cotiviti has issued the following statement concerning the breach:
In December of 2020, there was a security event with Cotiviti’s subcontractor Visionary. Visionary uses Cotiviti’s coding platforms to access tools for viewing and coding medical records. Two clients were affected and were immediately notified. Cotiviti has been in regular communications with those clients as we have worked through the forensics investigation with a global cybersecurity firm.
As a result of the investigation, it was determined that an employee of Visionary misappropriated valid user credentials to access and obtain medical records and share those records with unauthorized individuals outside of Visionary.
Upon being identified, the scam was stopped and the bad actor was terminated by Visionary. Cotiviti and Visionary have both implemented comprehensive remediation and mitigation plans in response to this event. A criminal investigation is underway, and in the meantime, security processes have been reviewed for the platform, and enhanced verification processes for requesting and revoking access to the coding platform have been established.
It is important to note that this event did not occur due to any kind of deficiency in Cotiviti’s IT security procedures, processes, and systems. Instead, it was the unfortunate result of a single bad actor formerly employed by a subcontractor deliberately circumventing security policies and procedures to share data outside of the organization.
While any incident such as this is troubling, Cotiviti customers can remain assured that their data is being safeguarded to the highest standards. We are dedicated to providing the highest level of security to all our customers and recognize that nothing is more important than protecting their members’ sensitive data, as demonstrated by our achievement of HITRUST certification for our core health care solutions.