Lawsuit Filed in Information Breach Affecting 4 Million Patient Records

In July 2013, an administrative office for Advocate Medical Group in suburban Chicago was burglarized and four computers that contained patient information (though not medical information) were stolen.

On September 5, a class action lawsuit on behalf of over 4 million current and former Advocate patients was filed in a Cook County, IL, circuit court. The lawsuit alleges that Advocate “was negligent in protecting private data and failed to use encryption and other basic security measures on behalf of its patients.” The lawsuit also claims violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Illinois Personal Information Protection Act (815 ILCS 530), and the Consumer Fraud Act (815 ILCS 505).

According to Advocate, the computers “contained patient information used by Advocate for administrative purposes and may have included patient demographic information (for example, names, addresses, dates of birth, Social Security numbers) and limited clinical information (for example, treating physician and/or departments, diagnoses, medical record numbers, medical service codes, health insurance information).”

Breach Notification

Section 13407 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA) (P.L. 111-5), established a breach notification requirement for health information that is not secured by encryption or certain other means. In 2009, the Department of Health and Human Services (HHS) issued regulations laying out the requirements for HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

Since 2009, the HHS Office of Civil Rights has maintained a list of any breaches of protected health information that affect 500 or more individuals; the Advocate breach would be the second largest breach recorded by HHS. The list—which now shows over 650 reported breaches—also includes a similar case involving Advocate from November 2009. That breach, which also involved a stolen laptop, only impacted 812 individuals.

Related Privacy Breaches

In August, Affinity Health Plan, a not-for-profit managed care plan operating in the New York metropolitan area, entered into a $1.2 million settlement agreement with HHS to address potential violations of the HIPAA Privacy and Security Rules. CBS Evening News (CBS) purchased a photocopier previously leased by Affinity and found confidential information on the hard drive. Affinity estimated that up to 344,578 individuals may have been affected by the breach.

In July, WellPoint Inc., an Indiana-based managed care company, entered into a resolution agreement of $1.7 million with HHS regarding possible HIPAA violations. According to the agreement, security weaknesses in WellPoint’s database had left the electronic private health information of 612,402 individuals susceptible to unauthorized online access.