Advocate Medical Group is facing more legal issues following its recent 4 million-patient breach that occurred on July 15. Advocate was already working with the state of Illinois and federal investigators regarding the second-largest breach reported to the Department of Health and Human Services (HHS), but will now have to deal with a patient class-action lawsuit as well.
The patients in the Cook County Circuit Court suit, according to the Chicago Tribune, have charged the physician group with not doing enough to safeguard their data. Because the organization failed to encrypt the data and use other safeguards to protect patient data on the four computers that were stolen from the Park Ridge offices, the suit contends that Advocate has violated patient privacy regulations.
While personally identifiable data (PII) such as patient names, addresses, dates of birth and Social Security numbers and protected health information (PHI) such as diagnoses and medical record numbers were password-protected, they were not encrypted.
Advocate told the Tribune that it took issue with the lawsuit but said “we deeply regret any inconvenience” the breach caused. “We want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused,” the statement read. “Thus, we feel confident the facts will demonstrate that the lawsuit is without merit.”
When the size of the breach and the state and federal investigations already in place are taken into account, the class-action suit decision will be worth monitoring. Class-action suits brought by private citizens against organizations have an inconsistent recent history that seems to be based on individual state regulations and interpretations of the law. For example, on one hand, in Florida, a judge dismissed Richard Faircloth’s class-action lawsuit against Adventist Health System/Sunbelt, Inc. because he believed that HIPAA violations didn’t belong in state courts and that the breach wasn’t enough to elevate the suit out of the Florida state courts either.
On the other hand, Walgreens recently had to pay $1.44 million to an Indiana woman after her privacy was breached by a pharmacist. Obviously, since it was a civil suit, HHS was not involved, but attorney Neal F. Eggeson was able to make the case in the Indiana courts that a HIPAA violation should be actionable from a civil perspective.
These were two different types of cases, but they give us insight into how the Advocate class-action suit may be tried in Illinois. HealthITSecurity.com will continue to follow the case and update readers with developments.