Advocate Health Care – who in August reported the second largest HIPAA data breach to date after four unencrypted laptops were stolen from its facility, compromising the protected health information and Social Security numbers of more than 4 million people – has now been slapped with a class action lawsuit filed by affected patients.
Two plaintiffs, representing patients affected by the breach, assert that Advocate Health Care failed to take the necessary precautions required to safeguard patients' protected health information. The unencrypted laptops were stolen from an "unmonitored" room, one with "little or no security to prevent unauthorized access," the lawsuit read.
Patients' PHI, Social Security numbers and protected insurance information "was improperly handled and stored, was unencrypted, and not kept in accordance with applicable and appropriate cyber-security protocols, policies and procedures," the suit continued.
The plaintiffs, Erica Tierney and Andris Strautins, cite a recent Javelin Identity Fraud Report which finds that individuals who have their PHI or PII compromised in a breach are almost 10 times more likely than the general public to experience identity theft or fraud.
Additionally, they claim Advocate Health violated the Fair Credit Reporting Act by failing to safeguard and protect patient information.
Advocate Health System announced that the theft occurred at one of its Advocate Medical Group administrative buildings in Park Ridge, Ill. on July 15. Patient names, addresses, dates of birth, Social Security numbers and clinical information – including physician, medical diagnoses, medical record numbers and health insurance data – were all contained on the computers, officials say.
"We deeply regret that this incident has occurred," wrote Kevin McCune, MD, chief medical officer of Advocate Medical Group, in an Aug. 23 letter mailed to affected patients. "In order to prevent such an incident from reoccurring, we have enhanced our security measures and are conducting a thorough review of our policies and procedures."
This is the second big HIPAA breach for Advocate Health System. In 2009, company officials notified 812 patients that their protected health information had been compromised following the theft of an employee's unencrypted laptop.
This breach stands as the second biggest HIPAA breach ever reported, according to HHS data – just behind the TRICARE Management Activity breach which impacted more than 4.9 million patients back in 2011.
Office for Civil Rights officials and the Illinois attorney general's office have said they will investigate the breach.