The recent massive data breach at Advocate Health Care has already had legal consequences.
Downers Grove, Ill.-based Advocate and a subsidiary, Advocate Medical Group, are facing a state class-action lawsuit filed on behalf of two named plaintiffs and 4 million individuals whose personally identifiable health records were taken along with four desktop computers in a burglary in July. The computers were password protected but not encrypted, according to Advocate.
The five-count, 12-page complaint in Cook County Circuit Court in Chicago alleges negligence, deceptive business practices, invasion of privacy, intentional infliction of emotional distress and consumer fraud, all violations of Illinois law.
According to the class-action complaint, Advocate “continued its use of nonsecure, unencrypted computers and software to maintain the private and confidential patient data” it had collected, in violation of two state privacy laws.
The suit alleges Advocate violated the Illinois Personal Information Protection Act when it “permitted an unauthorized acquisition of computerized data that compromised the security, confidentiality, or integrity of personal information,” and the Illinois Medical Patients Rights Act when it “facilitated and allowed for the unlawful disclosure of patients' private and confidential health information.”
The lawsuit requests a jury trial and judgment of an unspecified dollar amount for actual damages, costs and other relief the court deems appropriate.
The named plaintiffs were former Advocate patients, Pierre Petrich, and her minor daughter, Amara Petrich, of Northbrook, Ill. The suit was filed by Chicago personal injury attorney Robert Clifford.
The suit alleges the plaintiffs' records were part of the massive July 15 data breach at an administrative office of the 1,100-plus physician Advocate Medical Group in Park Ridge, Ill. At just over four million records, it is the largest breach by a healthcare provider since the federal government began requiring public reporting of larger healthcare records breaches in 2009.
Personally identifiable data on the compromised records varied, according to an Advocate spokeswoman, but included patients' names, addresses, dates of birth, Social Security numbers, diagnoses and medical record numbers.
Advocate previously made the federal “wall of shame” list kept by HHS' Office for Civil Rights after the theft of an unencrypted laptop in 2009 carrying 812 patient records.
Thus far, 659 breaches involving records of 500 or more individuals have made the list, accounting for more than 22.8 million records being exposed. Of those involving electronic devices, 48% of the incident reports mentioned theft, 11% loss and 8% hacking, all of which could have been mitigated by encryption.
The breach is being investigated by the OCR, the chief federal agency enforcing the health information privacy and security rules under the Health Insurance Portability and Accountability Act, and by the Illinois Attorney General's office, for possible HIPAA and Illinois privacy law violations, spokespersons for those agencies have said.
Advocate has faced criticism for not encrypting the data. Encryption is a technique in which software is used to scramble messages or data, rendering them unusable and unreadable to anyone who doesn't have the key, another piece of software code to unscramble the protected information.
An Advocate spokeswoman said an encryption program launched by the organization in 2009 had not reached the four computers in the Park Ridge office.
Advocate's Kelly Jo Golson, senior vice president of public affairs and marketing, in a statement, said “We deeply regret any inconvenience this incident has caused our patients who have entrusted us with their care. Our focus continues to be delivering the highest level of care and service. We are also committed to providing all individuals impacted by this incident with resources to answer their questions and tools to protect their personal information. Although we are unable to comment specifically on active litigation matters, we want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused.”
Follow Joseph Conn on Twitter: @MHJConn