In May, a judge in Lake County, Ill., similarly dismissed a class-action suit there against Advocate, ruling that its plaintiffs could not claim injuries based on potential losses.
Last July, burglars hit the Advocate Medical Group administrative office in Park Ridge, another Chicago suburb, walking away with four unencrypted computers with the records of 4,029,530 individuals. It was the second-largest medical records breach since the Office for Civil Rights at HHS began publicly posting the larger ones to its “wall of shame” website in 2009.
In his Kane County ruling July 10, Murphy said, “Plaintiffs have not alleged that the information contained on the computers has been accessed or disseminated by the unknown third parties, or that plaintiffs have been actual victims of identity theft because of the misuses of the information.” Thus, Murphy found there were “no allegations of present injury sufficient to sustain the negligence” or claims Advocate had violated the Illinois Consumer Fraud Act.
Advocate was represented in the Kane County case by Theodore Kobus III, Daniel Warren and George Tzanetopoulos of Baker Hostetler, with offices in Cleveland and Chicago.
The Advocate system still faces several more legal challenges stemming from the breach, with Erica Tierney and Andris Strautin as named plaintiffs in a class-action complaint filed in federal court for the Northern District of Illinois, and Alex Lozada v. Advocate, a consolidation of 12 class-action cases filed in Chicago's Cook County Circuit Court.
Jay Edelson, managing partner at Edelson P.C. in Chicago, is representing the plaintiffs in the consolidated cases, along with Robert Clifford and Shannon McNulty of the Clifford Law Offices.
Of the Kane County ruling, Edelson said, “We don't think it's a terribly significant decision to our case.”
“The damage theory that the courts have started to accept, all flows from a federal court case in the 11th circuit with AvMED,” Edelson said. The Florida health insurer had two laptop computers go missing in late 2009 along with 1.2 million customers' records.
In the AvMED lawsuit, which reportedly settled for $3 million, “The theory was when you're paying money for a product or a service you expect to have part of that bargain to have the information protected. The 11th Circuit said that's right, it's what people have a right to expect.” The same logic should apply to Advocate patients, he said.
“They expected the hospital to comply with HIPAA and take reasonable steps to protect their information and they didn't get the full benefit of the bargain,” Edelson said.
Follow Joseph Conn on Twitter: @MHJConn