Lawsuit Filed in Advocate Medical BreachIdentity Fraud Risks to Patients Cited
A class action lawsuit has been filed against Advocate Medical Group in the wake of the theft of four unencrypted computers that may have exposed information on 4 million patients. The suit alleges the breach put the patients at risk for fraud.
See Also: HIPAA Audits: A Revised Game Plan
The suit against the Chicago-area physician group practice was filed in the Cook County Circuit Court on Aug. 31 by two Advocate patients on behalf of all those potentially affected, according to court documents. Barnow and Associates P.C. in Chicago is the lead law firm representing the plaintiffs.
The legal action focuses on Advocate's alleged failure to safeguard and secure data in violation of the Fair Credit Reporting Act. It alleges that "Advocate's wrongful actions and/or inaction, and the resulting data breach, have placed plaintiffs and class members at an imminent, immediate, and continuing increased risk of identity theft and identity fraud."
Although the suit does not offer up evidence that any plaintiffs have been victims of ID fraud so far, the case alleges that the breach puts affected individuals at risk.
Concerns About Fraud
The Advocate suit alleges that "during the intervening period between the theft and the date the notification letters were sent to plaintiffs and class members on Aug. 23, 2013, their unencrypted PII/PHI could have been bought and sold several times on the robust international cyber black market while they had no chance whatsoever to take measures to protect their privacy."
The four unencrypted computers were stolen during a burglary on July 15 at a suburban Chicago office of Advocate Medical Group. Information on the computers may have included names, addresses, dates of birth, Social Security numbers and certain clinical information, such as diagnoses, medical records numbers, medical service codes and health insurance information, according to a statement posted on Advocate's website. Complete medical records were not on the computers, the statement says.
Advocate began contacting patients about the breach in late August, offering one year of free credit monitoring services.
In a statement provided to Information Security Media Group, Advocate says, "Although we are unable to comment specifically on active litigation matters, we want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused."
Additionally, Advocate says it "deeply regret[s] any inconvenience this incident has caused our patients who have entrusted us with their care. Our focus continues to be delivering the highest level of care and service. We are also committed to providing all individuals impacted by this incident with resources to answer their questions and tools to protect their personal information."
While the suit alleges that the breach involved "four laptop computers," an Advocate spokeswoman confirmed that the stolen computers were desktop devices.
The Advocate breach, if the number affected is confirmed, would be the second largest reported to the Department of Health and Human Services since September 2009, when the HIPAA breach notification rule took effect. The largest breach on the HHS 'wall of shame' website is a 2011 incident involving TRICARE, the military health program, and its business associate SAIC. The loss of unencrypted storage devices in that incident affected 4.9 million individuals. That incident resulted in several class action suits that have been consolidated into one case.
Privacy and security attorney Adam Greene of the firm Davis Wright Tremaine suspects that in the Advocate case, the plaintiffs may have brought the action under the Fair Credit Reporting Act "because there is no private right of action under HIPAA and suits under negligence or other theories often fail due to plaintiffs' inability to prove compensable damages."
Greene, who is not involved with the Advocate case, adds: "Where individuals are offered credit monitoring and there is no evidence of actual identity theft, most suits have failed because the plaintiffs cannot provide that they have been harmed in a way that can be compensated."
In the Advocate case, "the plaintiffs claim a willful violation of the FCRA," he notes.
The suit says the plaintiffs, on behalf of themselves and the class members, are seeking "actual damages, economic damages, statutory damages, nominal damages, exemplary damages, injunctive relief, attorneys' fees, litigation expenses and costs of suit."
Greene explains that based on the estimated 4 million individuals affected by the breach, total statutory damages alone could potentially range into the billions of dollars.
That's because under FCRA, statutory damages can range from not less than $100 and not more than $1,000, per individual, he says. "By asserting the damages per person, they can seek between $400 million and $4 billion without demonstrating actual damages."
Other Breach Lawsuits
While several other large class action lawsuits involving health data breaches are pending in the courts, including cases against Sutter Health and Adventist Health System, there haven't been any notable awards to plaintiffs to date, Greene says.
Meanwhile, on Sept. 3, a notice of settlement was filed in a class action suit against AvMed Health Plan related to a 2009 data breach. Details of the settlement agreement between plaintiffs and AvMed are expected to be filed in the Florida Southern District Court within 45 days.
That case involved the December 2009 theft of unencrypted laptop computers from the Gainsville, Florida corporate offices of AvMed. The laptops contained personal information on 1.2 million current and former AvMed health plan members.