Advocate Medical Group (AMG) is facing a class-action lawsuit from patients after four laptops were stolen from an administrative building, the second largest medical data breach recorded in HIPAA history. The laptops were not protected with patient data encryption, a very dangerous no-no under HIPAA.
The suit was filed in Cook County Circuit Court by two plaintiffs who charged AMG with "flagrantly disregard[ing]" the privacy of its patients (four million of them!) and failing to take necessary precautions for preventing the data breach.The loss of the four laptops, as previously noted, led to the breach of Social Security numbers, names, addresses, dates of birth, and other data classified as protected health information under federal HIPAA guidelines. The computers lacked encryption software, which is the only concrete recourse against the Breach Notification Rule and other requirements under HIPAA.(Password protection was used on all stolen computers, but as duly noted and explained on elsewhere on this blog, the use of password protection is a misnomer at best, just like there's nothing "federal" about Federal Express.)The charges that AMG didn't do enough do not ring hollow when you consider that (a) they're the biggest physician group in Chicago, and hence have professionals on staff who must have advised the group on the risk they were taking by not using encryption, (b) anytime you're dealing with 4 million PHI, it tends to trigger an alarm bell, and (c) AMG had already experienced a data breach in 2009.Plus, there is the fact that the HIPAA Final Omnibus Rule is coming up in less than a week, so finding out that you just had the second largest PHI data breach in history a month before the deadline is not doing AMG any favors.
There's a very good chance that this lawsuit will be summarily dismissed by the courts. Among other things, the courts have ruled again and again that the loss of personal data in of itself is not a crime. In the minority of situations where the courts decided to listen to a case, there were essential elements that tied harm directly to the breach (and hence the courts could "make whole" the plaintiff).Furthermore, patients do not have the right to sue for HIPAA violations, which means any legal strategies must essentially veer away from HIPAA violations as a reason, which does not strengthen your case. (Which doesn't necessarily preclude one from winning. They got Capone for tax evasion, after all.)On the other hand, the courts have been getting better at recognizing that there's a legitimate complaint – which I tend to assign to the fact that there must be a bunch of judges affected by all these medical data breaches.In the end, I wouldn't bet on this latest lawsuit amounting to much. The winning bet says, however, that the Office of Civil Rights at HHS will take exception at AMG having had a second data breach that could have easily been averted with the use of simple encryption software.My prognosis: AMG will settle with the OCR for $1.5 million. Other covered entities were fined as much for much less, and they weren't repeat offenders (to be more specific, they didn't suffer the exact same type of data breach twice, even if they may have had more than one medical data breach over the years).