Mitch Smith reports:
Advocate Medical Group, already under federal and state investigation after the theft of computers containing personal information on millions of people, is now facing a class-action lawsuit from patients who say the Downers Grove-based physician group didn’t do enough to protect their private data.
The suit, filed in Cook County Circuit Court, says the health care nonprofit violated privacy regulations by failing to use encryption and other security measures on the four computers that were stolen from its Park Ridge offices in July. The computers contained information on more than 4 million patients.
Read more on Chicago Tribune.
It would be nice if the media articles would indicate the laws under which a lawsuit, such as this class action (or the Walgreens case), is filed. When I see a first sentence stating “Advocate Medical Group … is now facing a class-action lawsuit from patients who say the Downers Grove-based physician group didn’t do enough to protect their private data”, I think HIPAA. Headlines for other similar articles are also, in my opinion, misleading because I know that civil actions cannot be brought under HIPAA. It took some digging to discover that the lawsuit is based on violations of Illinois’ Personal Information Protection Act (815 ILCS 530) and Illinois’ Medical Patient Rights Act (410 ILCS 50/3) – http://cliffordlaw.com/wp-content/uploads/2013/09/PetrichComplaintatLaw.pdf. An article on the class action lawsuit at http://healthitsecurity.com/2013/09/06/patients-file-class-action-suit-v-advocate-medical-group/ states “When the size of the breach and current state and federal investigations already in place are taken into account, the class-action suit decision will be worth monitoring. Private citizens suing organizations in class-action suits has an inconsistent recent history that seems to be based on individual state regulations and interpretations of the law.” At least someone is starting to get accurate information about the lawsuits into the public eye.
Thanks for that first link. I don’t have access to that court’s filings and was as frustrated as you were. Personally, though, I don’t expect any of the class action lawsuits to prevail because plaintiffs usually can’t show actual harm (future harm doesn’t count), but I usually do want to see whether a state’s AG, HHS or the FTC does something. Illinois’ Attorney General has not really pursued data breaches unless there were multi-state investigations/actions, as in the ChoicePoint and TJMaxx cases. Would they go after an Illinois entity? It would be nice to see, but I’m not optimistic.
And by all rights, HHS should go after Advocate if they fined BCBS of Tennessee after the theft of unencrypted backup tapes and fined other entities for thefts involving unencrypted devices.
But we’ll see…