A class action filed against Florida insurer AvMed Health Plans seeks redress for a data breach that occurred when two laptops, containing patient information for 1.2 million members, were stolen from the company's headquarters in December 2009.
According to AvMed the laptops were left unattended and contained members' names, home addresses, phone numbers and Social Security numbers – as well as medical history data such as diagnosis information, medical procedure and prescription information.
The insurer is being sued by Edelson McGuire, LLC, a commercial litigation and legal and political consulting firm, and Ed Normand and Diego Madrigal III of Wooten, Kimbrough and Normand, Pa.
According to McGuire, AvMed repeatedly underestimated the gravity of the theft and had to make subsequent admissions about the vast quantity of data stolen. Initially, the insurer contacted only 280,000 members to warn them of the dangers that accompanied the data loss, but then made numerous subsequent revisions. Finally the company estimated that approximately 1.2 million of its members' private health records had been breached.
"This is easily one of the largest medical record breaches in history, and the disastrous consequences may plague those affected for their lifetimes," said Plaintiff's attorney, Bill Gray of Edelson McGuire. "We believe that AvMed did not follow government-mandated HIPAA protocols. Merely taking the time to encrypt their laptops, likely would have obviated any harm done by this theft. It is mind-boggling that such simple procedures were not done to protect AvMed's customers, who placed their trust in their insurance company to protect their highly personal information."
"I cannot imagine anyone trusting their personal information to AvMed at this time," added firm partner Jay Edelson.
AvMed officials say there has been no evidence that any personal information has been misused as a result of this incident.
"AvMed understands the seriousness of this situation, and deeply regrets any inconvenience or concern this may cause," said Ed Hannum, AvMed's president and COO in a statement. "While we have no indication that any information has been misused as a result of this theft, we are notifying those who may have been affected and helping them take steps to protect their information. We are also strengthening our data security capabilities and procedures to help ensure that this type of incident does not occur again."
In June AvMed contracted with Debix, a provider of identity protection services, to assist in the notification of current and former members.